Cybersecurity researchers have uncovered a new vulnerability in the PHONIX Securecore UEFI firmware that impacts various families of Intel desktop and mobile processors.
The vulnerability, tracked as CVE-2024-0762 with a CVSS assessment of 7.5, has been named “UEFICANHAZBUFFEROVERFLOW.” It involves a buffer overflow due to the use of an unsafe variable in the TPM configuration, potentially allowing for the execution of malicious code.
Eclypsium, a company specializing in supply chain security, highlighted in their report that this vulnerability enables local attackers to elevate privileges and execute code within the UEFI firmware during boot.
These types of low-level exploits, often associated with firmware backdoors like Blacklotus, are becoming more common. Such implants provide attackers with persistent access to devices and the ability to bypass higher-level OS and software security measures.
The CVE-2024-0762 vulnerability affects PHONIX Securecore firmware on Intel processors including Alderlake, Coffeelake, Cometlake, Icelake, Jasperlake, Kabylake, Meeteorlake, R. Aptorlake, Rocketlake, and Tigerlake.
Phoenix Technologies addressed the vulnerability in April 2024 following responsible disclosure, with Lenovo also releasing updates last month to patch the issue.
UEFI, a motherboard firmware replacing BIOS, initializes hardware and loads the OS via a boot manager during startup.
UEFI’s privileged status as the first code executed upon boot makes it a prime target for attackers seeking to implant rootkits and firmware compromises for persistent, undetected access.
Identified UEFI firmware vulnerabilities can thus pose significant supply chain risks due to their potential impact across multiple products and suppliers simultaneously.
Eclypsium stressed the critical importance of UEFI firmware security, given its pivotal role in modern devices and the wide-ranging control it grants attackers upon compromise.
These developments come on the heels of Eclypsium