If you use a Windows or Linux device, it's vulnerable to a new post-exploit attack that can remotely install an undetectable backdoor at the UEFI level. Updates from just about every vendor are available today. Impressive work from @matrosov and the rest of Binarly.

https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack

UEFIs booting Windows and Linux devices can be hacked by malicious logo images.

Ars Technica

@matrosov

It's 2023, and not only can malicious images still remotely execute malicious code on your devices, but they can do it at the UEFI level, during bootup, enabling invisible firmware bootkits. This new post-exploit attack, known as LogoFAIL, is mind-blowing. Amazing that an entire ecosystem comprising dozens of wealthy companies couldn't be bothered to fuzz the UEFIs they provide to billions of people. With a small amount of effort, this attack could have been closed off a decade ago.

https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/


@matrosov

Lots of people asking what the CVEs are and where announcements from various parties can be found. This is a massive, massive (un)coordinated disclosure. Lots of broken or non-existent links at the moment. I'm expecting things will straighten out in an hour or two. Please be patient.

A CERT coordination center has published an advisory on LogoFail, but unfortunately, it doesn't tell us much. It confirms that AMI, Insyde, Intel and Phoenix are affected and that Microsoft and Toshiba are not. But the remaining 20 companies fall in the "unknown" category. One of the unknowns is Lenovo, which has already confirmed that it is affected.

Also, no CVEs.

¯\_(ツ)_/¯

https://kb.cert.org/vuls/id/811862

CERT/CC Vulnerability Note VU#811862

Image files in UEFI can be abused to modify boot behavior

@dangoodin I suspect we can count on most affected existing deployed machines never being patched for this. Firmware patches at that level are widely considered to be so risky that they are widely avoided, even for serious problems.
@dangoodin I know my @system76 uses Insyde firmware... my machine is older but I hope I get a fix 🙏
@golemwire @dangoodin since you can't change the logo in firmware this wouldn't affect your system.
@system76 @dangoodin This is great to know, thanks!
@dangoodin Great article (as usual). Although there have been a handful or two of similar UEFI vulns in the past and none of them have been widely exploited. Does this one seem different?
BIOS Image Parsing Function Vulnerabilities (LogoFAIL) - Lenovo Support AT

@dangoodin @matrosov Interesting, thanks for sharing this article. Side note: noticed ars technica is driving cookies from 143 different partners.

@dangoodin @matrosov But wait... It's even worse. I have a PC with an ASUS Z170-A motherboard. It boots using UEFI.

This link:
https://www.asus.com/us/supportonly/z170-a/helpdesk_bios/
says the last time the BIOS was updated for that motherboard was 2018.

Yes, this is an older motherboard but it works fine and does everything I need. Sure be nice if ASUS fixed such a serious problem for their older products.


@mappingsupport @dangoodin @matrosov Same problem I'm expecting with #MSI. Similar age motherboard. Probably tons of people still have them.
@DeltaWye @mappingsupport @dangoodin @matrosov my main x86 machine has a mobo from ~2014 lmao, my server's board is from ~2016 and my laptop is from 2017, i will be incredibly pissed if they don't get patches
@dangoodin @matrosov I don't see how this could be exploited remotely. As far as I understand, a malicious image file has to make its way onto the EFI system partition first, or did I miss something?

@fell @dangoodin @matrosov I think that's what Dan meant about a post-exploit attack. You'd need to be infected/hacked via another method first, which would then establish persistence/privilege escalation via LogoFail.

Or alternatively have someone with physical access, like it says in the article

@fell @dangoodin @matrosov hai, this is h.acker, please put this image here on your disk and It will enhance your computer greatly.
@hanscees @fell @dangoodin @matrosov It doesn't even have to be a complete lie, just "put this image here" and it actually will display a picture of, idk, Harry Styles when you turn your computer on.
@carey @hanscees @dangoodin @matrosov Microsoft was wise when they decided they're not going to let Windows users access the ESP.

@fell @carey @hanscees @matrosov

Wait, what's the basis for saying Windows users can't access the ESP?

https://duckduckgo.com/?t=ffab&q=how+to+access+efi+partition+in+windows


@dangoodin @carey @hanscees @matrosov The basis is that I never saw it when I clicked on "This PC". Is it possible?
@fell @dangoodin @carey @matrosov I really don't know at this point. But if you can get a user to execute something "click here and this pic becomes your background" you can run a script and so on.
Clever people will find a way probably

@dangoodin @matrosov
@gsuberland

8kB (IBM PC BIOS size) should've been enough for anyone :D.

@dangoodin "mind-blowing"

to me, it's just par for the cause :)

really not surprised about vulnerable graphics parsers being used with potentially attacker controlled data

@dangoodin @matrosov The fact that these seem to have been caught by fuzz tests makes me feel like sometimes there needs to be legal consequences for not doing the bare minimum in software security when it's as critical as EFI. This sounds like negligence.

@dangoodin @matrosov
Wait, so everything that goes into the secure firmware needs to be signed. Everything except the logo image? I mean, seriously??

Someone please tell me I got this wrong, because it seems like an utterly stupid thing to exempt the logo image from the signature.

@dangoodin @matrosov "hacked by malicious logo images" ?!?!?! Arghhh
@dangoodin oh man, pure speculation but this strikes me as a trick *someone* had to have in their back pocket.

@dangoodin @matrosov uh. ok, so.. this article and the actual blackhat summary https://www.blackhat.com/eu-23/briefings/schedule/index.html#logofail-security-implications-of-image-parsing-during-system-boot-35042
are great and all, but `is this exploit applicable to ME mr/ms end user`?

Let's assume I can google what UEFI is.
- what UEFI enabled devices are potentially exploitable? ones after <year>? UEFI 1.x? 2.0? 2.1? or all of them back to when UEFI was introduced in the late 90s as EFI or wut? A: seems like *all of em*.
- more importantly if I DON'T CUSTOMIZE my bootup logo, do I need to care?


@dangoodin @matrosov the links within the article are dead. It looks like Phoenix and Insyde removed their respective pages about it. In fact, even https://www.cve.org/CVERecord?id=CVE-2023-5058 shows no information about it.
I don't understand what's going on... 😕

@paraw @matrosov

Those links are part of a massive coordinated disclosure. Disclosures involving this many parties frequently have hiccups like these in the early hours. Check the links in an hour or two and they'll likely work. If not, I'll reach out.

@dangoodin @matrosov @lisamelton I literally cannot keep up with the stream of serious security issues at any level of computers anymore.

Will we ever get good news?

@DavidNielsen @dangoodin @matrosov @lisamelton Same. My family is at the end of our collective ropes. Don't do anything sensitive on a PC. Full stop.
@dangoodin @matrosov what limits this to Windows and Linux?
@emaste @matrosov explained in the article.
@dangoodin @matrosov it explains why Windows and Linux are affected, and why macOS and smartphones aren't, but doesn't touch on OSes outside of those
@dangoodin @matrosov I think the answer is "nothing limits #LogoFAIL to Windows and Linux. Anyone with UEFI firmware should look for an update from their vendor."
@matrosov @dangoodin What are the CVEs for those defects? 🙏🏻

@boblord @matrosov @dangoodin

From the bottom of the article:

LogoFAIL vulnerabilities are tracked under the following designations:

CVE-2023-40238
CVE-2023-5058
CVE-2023-39538
CVE-2023-39539
CVE-2023-40238

@boblord @matrosov @dangoodin for the next trick, get a hardware vendor to list a CVE in an update.
@dangoodin @matrosov so what I'm gathering is that all the PITA effort spent locking down the boot system and replacing BIOS so we barely even control our own devices was completely goddamned pointless anyways.
@llorenzin Heh, yep, this is a thing. Back in the days of Netbooks and instant boot computers they used flaws in the BIOS logo image processing (I can't find the reference though, I will look)
@dangoodin
superfluous needless shitfuck strikes back
@matrosov
@dangoodin @matrosov You know darn well the #NSA has known about this for many years and kept quiet about it so they could exploit it.
@dangoodin @matrosov use UEFI they said
It'll be more secure they said

@dangoodin (*checks multiple PCs and mobos released this year for BIOS updates from multiple vendors*)

yeah I'm not seeing anything

@dangoodin @kkarhan @matrosov if u can change the logo u can just as well change the boot loader no??
@dangoodin are device manufacturers actually pushing out updates for this or are we all just gonna be hanging around for our various boards to get some random firmware update within the next 8 months that doesn't say whether it actually fixes this
@dangoodin @matrosov My eyes glazed over half-way through. Did I understand correctly that this does nothing if "bios" (I know) is set to NOT display logo on boot-up. I always have my machines set up that way.
@dangoodin @matrosov
And it's all down to a stupid, pointless, totally functionless LOGO IMAGE handler that merely plays to corporate vanity.
Criminally insane.

@dangoodin @matrosov

~ Oh the value of open source ~

@dangoodin @matrosov

So for a remote attack, the attacker needs root/admin access on the system. While not foolproof, if you don't use an admin account as your regular account, you're a little bit better off now (and in general) than if you are always using root/admin.

Mind boggling and yet not surprising at all, given the state of ... well... just about everything and anything.

@dangoodin @matrosov

Cool, cool. I guess it's time to limber up the old Trash 80.

@dangoodin That is some scary stuff. I have a couple of asus computers, and I didn't see any news from them about it.