Fri | Jun 21, 2024 | 5:12 AM PDT

A recently discovered high-severity vulnerability in Phoenix Technologies' SecureCore UEFI firmware has raised concerns across the cybersecurity landscape. The vulnerability, tracked as CVE-2024-0762 and dubbed "UEFIcanhazbufferoverflow," potentially affects hundreds of PC and server models that use Intel processors.

Eclypsium, the cybersecurity firm that discovered the vulnerability, reports that it "allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime." With a CVSS score of 7.5, this vulnerability poses a significant threat to affected systems.

The vulnerability stems from an unsafe variable in the Trusted Platform Module (TPM) configuration. Eclypsium's research explains: "There are two calls to GetVariable with the 'TCG2_CONFIGURATION' argument and the same DataSize, without adequate checks in between. If an attacker can modify the value of the 'TCG2_CONFIGURATION' UEFI variable at system run time, they can set it to a value long enough so that the first call to GetVariable returns EFI_BUFFER_TOO_SMALL, and the data_size is set to the length of the UEFI variable. The second call would succeed and overflow the buffer, leading to a stack buffer overflow."
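The two-call pattern described in that quote, modelled as an added C example (not Phoenix's firmware or Eclypsium's code): a mock `mock_get_variable()` stands in for the UEFI runtime service, status values, the buffer size and the variable contents are all constructed, and the unchecked variant only reports how many bytes its second call would copy rather than performing the overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-ins for EFI_STATUS codes; the numeric values are illustrative, not the real encoding. */
typedef int EFI_STATUS;
#define EFI_SUCCESS 0
#define EFI_BUFFER_TOO_SMALL 5
#define EFI_BAD_BUFFER_SIZE 6
#define EFI_NOT_FOUND 14

#define TCG2_CONFIG_BUF_SIZE 16   /* capacity of the fixed stack buffer (constructed value) */

/* Mock variable store standing in for the NVRAM-backed TCG2_CONFIGURATION variable. */
static uint8_t g_var_data[256];
static size_t g_var_len = 0;

void mock_set_tcg2_configuration(const uint8_t *data, size_t len) {
    if (len > sizeof g_var_data) len = sizeof g_var_data;
    memcpy(g_var_data, data, len);
    g_var_len = len;
}

/* Mock of GetVariable(): when the caller's buffer is too small (or absent) it returns
 * EFI_BUFFER_TOO_SMALL and overwrites *data_size with the variable's actual length. */
EFI_STATUS mock_get_variable(size_t *data_size, void *data) {
    if (g_var_len == 0) return EFI_NOT_FOUND;
    if (data == NULL || *data_size < g_var_len) { *data_size = g_var_len; return EFI_BUFFER_TOO_SMALL; }
    *data_size = g_var_len;
    memcpy(data, g_var_data, g_var_len);
    return EFI_SUCCESS;
}

/* Unchecked pattern: the first call learns the size, the second would copy that many bytes into a
 * TCG2_CONFIG_BUF_SIZE buffer. Returns that length so the overflow can be observed, not performed. */
size_t tcg2_unchecked_copy_len(void) {
    size_t data_size = 0;
    if (mock_get_variable(&data_size, NULL) != EFI_BUFFER_TOO_SMALL) return 0;
    return data_size;
}

/* Hardened pattern: validate the reported size against the destination capacity between the calls. */
EFI_STATUS tcg2_read_checked(uint8_t *out, size_t cap, size_t *out_len) {
    size_t data_size = 0;
    EFI_STATUS st = mock_get_variable(&data_size, NULL);
    if (st != EFI_BUFFER_TOO_SMALL) return st;
    if (data_size > cap) return EFI_BAD_BUFFER_SIZE;   /* the check the vulnerable code lacks */
    st = mock_get_variable(&data_size, out);
    if (st == EFI_SUCCESS) *out_len = data_size;
    return st;
}
```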

Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, emphasizes the widespread impact, saying: "This includes devices from multiple OEMs using Intel Core processors such as AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. Due to the broad use of Phoenix SecureCore UEFI firmware, the vulnerability's reach is extensive, impacting potentially a significant number of products globally."

The vulnerability affects multiple versions of Phoenix SecureCore for various Intel platforms, ranging from Kaby Lake to Meteor Lake. For instance, Phoenix SecureCore for Intel Kaby Lake is affected from version 4.0.1.1 to 4.0.1.997, while for Intel Meteor Lake, versions 4.5.1.1 to 4.5.1.14 are vulnerable.

John Gallagher, Vice President at Viakoo Labs, provides context on the vulnerability's specificity, saying: "This vulnerability is specific to one BIOS provider, Phoenix (not AMI or Insyde, other major BIOS providers); however, it broadly impacts systems based on Intel CPUs." He adds, "It is similar to LogoFail in how it attacks in the earliest stage of system bootup and provides access to all parts of the system, but different in the scale and maturity of the exploit."

The discovery of this vulnerability highlights the critical role of UEFI firmware in system security. Eclypsium's report states: "This type of low-level exploitation is typical of firmware backdoors (e.g. BlackLotus) that are increasingly observed in the wild. Such implants give attackers ongoing persistence within a device and often, the ability to evade higher-level security measures running in the operating system and software layers."

To mitigate this vulnerability, affected users and organizations should apply firmware updates as they become available from their device manufacturers. Lenovo has already published relevant BIOS updates, and other vendors are expected to follow suit.

The discovery of this vulnerability also underscores the growing role of AI and machine learning in cybersecurity. "AI excels at identifying new vulnerabilities by analyzing large volumes of binary data efficiently," Guenther said. "For patching, AI can assist by recommending code changes and automating testing processes to ensure patches do not introduce new issues."

As the cybersecurity landscape continues to evolve, vulnerabilities like UEFIcanhazbufferoverflow serve as a reminder of the ongoing need for vigilance, advanced detection methods, and prompt patching in protecting our digital infrastructure.
