LogoFAIL, a series of vulnerabilities in UEFI image parsers

LogoFAIL

LogoFAIL is a set of vulnerabilities that affects several image-parsing libraries used in UEFI firmware

A few days ago, Binarly researchers revealed, via a blog post, a series of vulnerabilities in the image-parsing code used in UEFI firmware, affecting Windows and Linux systems on both x86 and ARM-based devices. The vulnerabilities are collectively called LogoFAIL because they exist in the UEFI image parsers that display the manufacturer's logo when the system boots.

The vulnerability arises from the injection of image files into the EFI system partition (ESP), a critical component of the boot process. While the vulnerabilities do not directly affect runtime integrity, they open the door to persistent attacks by allowing malware to be stored on the system.

About LogoFAIL

Binarly researchers mention that the vulnerabilities were identified during analysis of Lenovo firmware built on platforms from Insyde, AMI and Phoenix, but firmware from Intel and Acer was also mentioned as potentially vulnerable.

The problem stems from the fact that most PC manufacturers use UEFI firmware developed by a handful of companies known as Independent BIOS Vendors (IBVs), which lets computer manufacturers customize the firmware, for example to display their own logo and other branding elements on screen during the initial boot phase.

Modern UEFI firmware contains image parsers for several different formats (BMP, GIF, JPEG, PCX and TGA), which significantly expands the attack surface and therefore the chance of a vulnerability slipping through. In fact, the Binarly team found 29 issues in the image parsers used in Insyde, AMI and Phoenix firmware, of which 15 were exploitable for arbitrary code execution.
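To make the class of bug concrete, here is an added example (not code from Binarly, nor from any IBV firmware) of the kind of header validation a boot-time BMP parser should perform before touching pixel data: every size is checked in 64-bit arithmetic against the buffer actually supplied, so a hostile width or height cannot wrap a 32-bit product and drive an out-of-bounds copy. The sample image, the `max_w`/`max_h` limits and the `demo_*` helpers are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian field readers for the BMP header. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Accept a BMP only if its header is consistent with the bytes actually supplied.
 * Sizes are computed in 64-bit so a hostile width/height cannot wrap a 32-bit product. */
bool bmp_header_is_sane(const uint8_t *buf, size_t len, uint32_t max_w, uint32_t max_h)
{
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return false; /* 14 + 40 header bytes */
    uint32_t file_size = rd32(buf + 2), pix_off = rd32(buf + 10), hdr_size = rd32(buf + 14);
    int32_t  width = (int32_t)rd32(buf + 18), height = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);

    if (hdr_size != 40 || planes != 1 || compression != 0) return false; /* BI_RGB only */
    if (bpp != 24 && bpp != 32) return false;           /* no palette handling in this example */
    if (width <= 0 || height == 0) return false;
    uint64_t rows = height < 0 ? (uint64_t)-(int64_t)height : (uint64_t)height;
    if ((uint32_t)width > max_w || rows > max_h) return false;   /* caller's sanity limits */
    if (file_size > len || pix_off < 54 || pix_off > len) return false;
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;   /* rows padded to 4 bytes */
    return stride * rows <= (uint64_t)len - pix_off;     /* pixel data must fit the buffer */
}

/* Constructed sample: a 2x2, 24-bit, uncompressed BMP (70 bytes); unlisted bytes are zero. */
static const uint8_t sample_bmp[70] = {
    'B', 'M', 70, 0, 0, 0, 0, 0, 0, 0, 54, 0, 0, 0,   /* file header */
    40, 0, 0, 0, 2, 0, 0, 0, 2, 0, 0, 0, 1, 0, 24, 0  /* info header: w=2, h=2, 24 bpp */
};

/* Copy the sample, overwrite one 32-bit header field, and re-validate (demo helper). */
static bool check_patched(size_t off, uint32_t val, uint32_t limit)
{
    uint8_t buf[70];
    memcpy(buf, sample_bmp, sizeof buf);
    for (int i = 0; i < 4; i++) buf[off + i] = (uint8_t)(val >> (8 * i));
    return bmp_header_is_sane(buf, sizeof buf, limit, limit);
}

bool demo_valid(void)          { return bmp_header_is_sane(sample_bmp, sizeof sample_bmp, 4096, 4096); }
bool demo_truncated(void)      { return check_patched(22, 1000, 4096); }       /* height=1000: 8000 pixel bytes missing */
bool demo_overflow_width(void) { return check_patched(18, 0x7FFFFFFFu, UINT32_MAX); } /* width*bpp wraps in 32-bit */
```

A naive parser that trusts `width * height * bpp` in 32-bit arithmetic would accept the last two headers and read or write past the buffer; the consistency check above rejects both before any pixel is touched.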

"This attack vector can give the attacker an advantage by bypassing most endpoint security solutions and delivering a stealthy firmware boot kit that will persist in an ESP partition or firmware capsule with a modified logo image."

The vulnerability arises from the injection of specially crafted image files; with local privileged access to the ESP partition, an attacker can use them to disable UEFI security features and modify the UEFI boot order, whether that access was obtained remotely or through physical access to the target.

As such, these vulnerabilities can compromise the security of the entire system, rendering "sub-OS" security measures such as any form of secure boot ineffective, including Intel Boot Guard. This level of compromise means that attackers can gain deep control over affected systems.

"In some cases, the attacker can use the logo customization interface provided by the vendor to upload these malicious images."

This new risk raises a major concern for users and organizations that rely on devices from major manufacturers such as Intel, Acer and Lenovo, and on UEFI firmware from vendors such as AMI, Insyde and Phoenix.

So far it is difficult to determine the severity, as no public exploit has been published and some of the now-public vulnerabilities have been rated differently by the Binarly researchers who discovered LogoFAIL.

The disclosure marks the first public demonstration of the attack surface exposed by graphic image parsers embedded in UEFI system firmware since 2009, when researchers Rafal Wojtczuk and Alexander Tereshkin showed how a BMP image parser bug could be exploited for malware persistence.

It is worth noting that, unlike BlackLotus or BootHole, LogoFAIL does not break runtime integrity by modifying the bootloader or a firmware component.

Finally, if you are interested in learning more, you can check the details at the following link
