Researchers from Binarly have revealed a series of vulnerabilities in the image-parsing code used in the UEFI firmware of various manufacturers. These vulnerabilities allow attackers to insert malicious code during boot by using a specially crafted image placed in the EFI System Partition or in an unsigned part of a firmware update. The proposed attack method can bypass security mechanisms such as UEFI Secure Boot verified boot and hardware protections like Intel Boot Guard, AMD Hardware-Validated Boot, and Arm TrustZone Secure Boot.
The root cause of the problem lies in the firmware's ability to display user-specified logos, which means image-parsing libraries run at the firmware level on input that can be supplied without requiring privileges. Modern firmware includes code for parsing the BMP, GIF, JPEG, PCX, and TGA formats, and that code contains vulnerabilities that can lead to buffer overflows when parsing malformed data.
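The class of defect described above is a parser trusting size fields in an untrusted image header. The following C code is an added example written for this page; it is not Binarly's, AMI's, Insyde's, Phoenix's, or any device vendor's code, and it assumes a plain BMP v3 layout (14-byte file header plus 40-byte BITMAPINFOHEADER, uncompressed BI_RGB only). It shows a naive 32-bit size computation of the kind that wraps to an undersized buffer beside a hardened header check that does the arithmetic in 64 bits, caps dimensions at constructed limits, and refuses any header whose pixel data does not fit inside the bytes actually received. The sample images are constructed in the helpers at the bottom.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMP_FILE_HDR      14
#define BMP_INFO_HDR      40
#define BMP_MAX_DIM       16384u                 /* constructed limit: logo-sized images only */
#define BMP_MAX_PIXELBYTES (64u * 1024u * 1024u) /* constructed limit on decoder allocation */

typedef struct {
    uint32_t width, height, pixel_offset;
    uint16_t bpp;
    uint64_t pixel_bytes; /* bytes the decoder may allocate for pixel rows */
} bmp_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Naive size computation: width * height * bytes-per-pixel in 32-bit arithmetic
 * silently wraps for large dimensions, yielding a buffer far smaller than the rows written. */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint16_t bpp) {
    return width * height * (uint32_t)(bpp / 8);
}

/* Hardened header check: fills *out and returns true only if every field is
 * internally consistent and the pixel data lies entirely within the len bytes given. */
bool bmp_parse_header(const uint8_t *buf, size_t len, bmp_info_t *out) {
    if (!buf || !out || len < BMP_FILE_HDR + BMP_INFO_HDR) return false;
    if (buf[0] != 'B' || buf[1] != 'M') return false;
    uint32_t file_size    = rd32(buf + 2);
    uint32_t pixel_offset = rd32(buf + 10);
    uint32_t info_size    = rd32(buf + 14);
    int32_t  width_s      = (int32_t)rd32(buf + 18);
    int32_t  height_s     = (int32_t)rd32(buf + 22); /* negative means top-down rows */
    uint16_t planes       = rd16(buf + 26);
    uint16_t bpp          = rd16(buf + 28);
    uint32_t compression  = rd32(buf + 30);

    if (info_size < BMP_INFO_HDR || file_size > len) return false; /* claims more data than received */
    if (planes != 1 || compression != 0) return false;              /* BI_RGB only in this example */
    if (width_s <= 0 || (uint32_t)width_s > BMP_MAX_DIM) return false;
    uint32_t height = height_s < 0 ? (uint32_t)(-(int64_t)height_s) : (uint32_t)height_s;
    if (height == 0 || height > BMP_MAX_DIM) return false;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return false;

    /* Rows are padded to 4-byte multiples; compute in 64 bits so nothing can wrap. */
    uint64_t stride      = (((uint64_t)width_s * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = stride * height;
    if (pixel_bytes > BMP_MAX_PIXELBYTES) return false;
    if (pixel_offset < BMP_FILE_HDR + BMP_INFO_HDR) return false;
    if ((uint64_t)pixel_offset + pixel_bytes > len) return false; /* data would run past the buffer */

    out->width = (uint32_t)width_s; out->height = height; out->bpp = bpp;
    out->pixel_offset = pixel_offset; out->pixel_bytes = pixel_bytes;
    return true;
}

/* Writes a constructed 54-byte header (sample data for this example, not a real firmware logo). */
void bmp_build_header(uint8_t *d, uint32_t file_size, uint32_t pixel_offset,
                      uint32_t width, uint32_t height, uint16_t bpp) {
    memset(d, 0, BMP_FILE_HDR + BMP_INFO_HDR);
    d[0] = 'B'; d[1] = 'M';
    wr32(d + 2, file_size); wr32(d + 10, pixel_offset); wr32(d + 14, BMP_INFO_HDR);
    wr32(d + 18, width); wr32(d + 22, height); wr16(d + 26, 1); wr16(d + 28, bpp); wr32(d + 30, 0);
}

/* 2x2 24-bpp logo: stride 8, 16 pixel bytes, 70 bytes total; must be accepted. */
bool check_valid_logo_accepted(void) {
    uint8_t img[70]; memset(img, 0, sizeof img);
    bmp_build_header(img, sizeof img, 54, 2, 2, 24);
    bmp_info_t info;
    return bmp_parse_header(img, sizeof img, &info) && info.pixel_bytes == 16;
}

/* 65536x65536x32bpp: naive arithmetic wraps to 0 bytes; the hardened check refuses it. */
bool check_wrapped_size_rejected(void) {
    uint8_t img[64]; memset(img, 0, sizeof img);
    bmp_build_header(img, sizeof img, 54, 0x10000u, 0x10000u, 32);
    bmp_info_t info;
    return naive_pixel_bytes(0x10000u, 0x10000u, 32) == 0 && !bmp_parse_header(img, sizeof img, &info);
}

/* Header promises 16 pixel bytes at offset 54 but only 10 bytes follow; must be refused. */
bool check_truncated_pixels_rejected(void) {
    uint8_t img[64]; memset(img, 0, sizeof img);
    bmp_build_header(img, sizeof img, 54, 2, 2, 24);
    bmp_info_t info;
    return !bmp_parse_header(img, sizeof img, &info);
}

int main(void) {
    printf("valid accepted: %d\n", check_valid_logo_accepted());
    printf("wrapped size rejected: %d\n", check_wrapped_size_rejected());
    printf("truncated pixels rejected: %d\n", check_truncated_pixels_rejected());
    return 0;
}
```

The two properties worth carrying into any firmware image decoder are visible in the checks: the size that drives allocation is derived in wider arithmetic than the header fields, and the header is validated against the length of the buffer actually handed to the parser rather than against the file size the header itself claims.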
These vulnerabilities have been detected in firmware supplied by various device manufacturers (Intel, Acer, Lenovo) and firmware vendors (AMI, Insyde, Phoenix). Since the flawed code is present in the reference components provided by independent firmware vendors and used as the foundation for firmware development by different device manufacturers, these vulnerabilities are not specific to particular suppliers but affect the entire ecosystem.
More details about the identified vulnerabilities will be revealed on December 6 at the Black Hat Europe 2023 conference. During the conference, a demonstration of an exploit that allows the execution of code with firmware privileges on x86 and Arm-based systems will also be presented. While the vulnerabilities were initially discovered in Lenovo firmware based on platforms from Insyde, AMI, and Phoenix, they also affect Intel and Acer firmware.