LogoFAIL vulnerabilities impact vast majority of devices
A set of major vulnerabilities that impact nearly all devices allows hackers to bypass most modern security checks through the logo that shows up when the computer starts.
Discovered by the cybersecurity firm Binarly and presented at Black Hat Europe on Wednesday, LogoFAIL is a set of vulnerabilities that impact all x86 and ARM-based devices, like Windows and Linux, through the software that shows the manufacturer logo at the start of a bootup process.
LogoFAIL impacts some of the biggest companies, likely affecting some 95 percent of consumer devices on the market today, said Alex Matrosov, CEO at Binarly. The vulnerabilities impact the biggest vendors that make the BIOS startup software — AMI, Insyde Software and Phoenix Technologies — and consequently impact the hundreds of both consumer and enterprise-level machines like Lenovo, Intel, and Acer that use that software.
“These three companies [AMI, Insyde Software, and Phoenix Technologies] serve 95 percent of all compute in the world. So basically, if you pick any device, most likely it’s been impacted by LogoFAIL,” Matrosov said.
Whenever a computer starts, a program called an image parser loads a logo from a manufacturer like Lenovo or Dell. There are multiple types of image parsers to load different types of images, like PNGs, GIFs, BMPs or JPEGs, and they are rife with vulnerabilities, Matrosov said. “Why we need so many, I don’t know,” he said.
A hacker only needs to change the image file to a malicious one in order to utilize the flaw to execute arbitrary code.
In conjunction with Binarly’s release of its research findings Wednesday, several affected manufacturers rolled out patches to address the vulnerabilities.
What’s alarming about this bug is that since it’s present so early in the bootup process, a malicious hacker can bypass security protections that ensure the software that is about to run is secure and unaltered. The vulnerability allows a malicious hacker to execute code with little to no restrictions before most modern security programs — like antivirus or endpoint detection — can detect it.
In order to take advantage of the vulnerability, hackers do need to gain local administrator access through something like a browser exploit, in order to add the image to the right partition and reboot the system with the new malicious logo. Gaining the necessary access would not present a major challenge to a skilled attacker.
“These vulnerabilities can compromise the entire system’s security, rendering ‘below-the-OS’ security measures like any shade of Secure Boot ineffective, including Intel Boot Guard. This level of compromise means attackers can gain deep control over the affected systems,” a report describing the vulnerabilities notes.
The disclosure of the vulnerabilities ran into trouble this week when one of the vendors, Phoenix Technologies, broke an embargo and failed to give credit to the discoverers of the vulnerability.
On Nov. 28, the company sent a release that said “Phoenix Technologies has detected a serious flaw” in its software. The company did not provide a patch for the vulnerability, but instead gave an overview of the bug and what it could do.
“This is a massive disclosure and basically not the right thing to do,” Matrosov said, adding that addressing the vulnerability required major coordination between all the impacted companies.
How Phoenix treated the security researchers that provided a free service, and the other vendors that are impacted by the vulnerability and need to address it, raises major concerns about how the company addresses vulnerabilities, Matrosov said.
After breaking embargo, Phoenix removed the security notification from its website and has not added it back since the embargo passed.
In a statement, the company said they “did not break an embargo but inadvertently published some outline details regarding the LogoFAIL problem which was first raised by Binarly to industry security participants last summer. Once this mistake was identified, Phoenix Technologies pulled down the page.”
Asked about the lack of credit after the statement that broke the embargo, the company said that “as Binarly published the details in full regarding the LogoFail vulnerability at a Blackhat conference in London on 6 December, Phoenix only published a precis.”
A vulnerability with this level of impact requires coordination between a massive number of parties. Matrosov said his firm worked with the CERT Coordination Center, as it’s “impossible to coordinate like 50+ different vendors for this disclosure.” Matrosov said he wishes that there was a central organization to handle the disclosure communication from entities like CERT/CC, as they can work with vendors who often don’t have the broader communities in mind.
“They basically treat the disclosures as a trap, not as a gift. But actually it is a gift, because usually you pay a lot of money for assessment from third parties,” Matrosov said. “If somebody else found a vulnerability and [gave] you all the details, this is a gift. You need to go and fix it because it benefits your customers.”
