Endpoint Security , Hardware / Chip-level Security

Critical UEFI Flaw in Phoenix Firmware Hits Major PC Brands

Buffer Overflow Vulnerability Lets Attackers Control Devices
Critical UEFI Flaw in Phoenix Firmware Hits Major PC Brands
A flaw in the Phoenix Technologies SecureCore UEFI implementation could allow hackers to gain extreme persistence. (Image: Shutterstock)

A high-impact vulnerability in a common implementation of the firmware booting up desktop computers powered by Intel chips could allow attackers to obtain ongoing persistence, warn security researchers.

The flaw affects devices built by major manufacturers including Lenovo, Acer, Dell and HP and potentially affects hundreds of personal computer models, said digital supply chain security company Eclypsium.

See Also: OnDemand | Protecting Devices and Software from Next-Generation Cyberthreats

The flaw, tracked as CVE-2024-0762, is a buffer overflow vulnerability in the UEFI SecureCore implementation made by Phoenix Technologies. It has a score of 7.5 on the 10-point CVSS scale. The Silicon Valley company distributed a patch in April. Eclypsium identified the flaw and coordinated disclosure with Phoenix.

Infecting the Unified Extensible Firmware Interface layer of computers - the layer of computing that boots up a computer before the operating system takes over - is a holy grail for many hackers. Malware at that level can evade detection by antivirus applications and survive operating system reinstalls. Security researchers in 2022 found one UEFI bootkit being sold on hacking forums for $5,000 (see: BlackLotus Malware Bypasses Secure Boot on Windows Machines).

The flaw detected by Eclypsium is tied to an unsafe variable in the Trusted Platform Module configuration. "To be clear, this vulnerability lies in the UEFI code handling TPM configuration -in other words, it doesn't matter if you have a security chip like a TPM if the underlying code is flawed," the company said in a Thursday blog.

The flaw involves a call to the GetVariable service. The issue arises with how the TCG2_CONFIGURATION argument calls GetVariable twice "without adequate checks between." That creates an opening to modify the variable, setting it to a value that returns a "buffer too small" message. The second call, set top the length of the modified variable, would succeed "and overflow the buffer, leading to a stack buffer overflow."

Eclypsium initially identified the issue on Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen. Phoenix Technologies later acknowledged that the same flaw exists in multiple versions of its SecureCore firmware used across Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake and TigerLake.

Individual computer owners should refer to relevant vendors for firmware updates, such as Lenovo's published update.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.