LogoFAIL – Critical UEFI Vulnerabilities Exposes Devices to Stealthy Malware Attack

UEFI vulnerabilities pose significant threats, enabling hackers to execute malicious code during system boot, bypass security measures, and establish persistent control. 

Exploiting these flaws allows attackers to compromise the entire system, leading to:

  • Unauthorized access
  • Data theft
  • The compromise system’s integrity

Cybersecurity researchers at the Binary research team recently discovered critical UEFI vulnerabilities that expose devices to stealthy malware attacks.

The security analysts have named this complete set of security flaws “LogoFAIL.”

Technical Analysis

LogoFAIL is a set of new security flaws found in image parsing libraries in system firmware during device boot. 

The impact of these flaws spans multiple vendors and ecosystems, especially affecting IBVs (Independent BIOS vendor) reference code. LogoFAIL affects both x86 and ARM devices, focusing on UEFI and IBV due to vulnerable image parsers.

Attacking Intel BIOS

LogoFAIL, initially found on Lenovo devices, with reported vulnerabilities under advisory BRLY-2023-006, started as a small research project. 

It became an industry-wide disclosure, discovering attack surfaces in image-parsing firmware components through fuzzing and static analysis with the efiXplorer plugin in IDA.

After the initial fuzzing, many crashes led to automated triaging with Binarly’s internal program analysis framework.

More vulnerabilities in the Insyde code were discovered and reported under advisory BRLY-2022-018.

Vulnerabilities in logo parsing enable attackers to store malicious images in EFI System Partition or unsigned firmware sections. 

Exploiting these during boot allows:-

  • Arbitrary execution
  • Bypassing Secure Boot
  • Hardware-based Verified Boot mechanisms

This vector enables a stealthy, persistent firmware bootkit, bypassing endpoint security solutions.

The LogoFAIL compromises system security, bypassing Secure Boot and Intel Boot Guard, providing deep control to attackers. 

Exploiting ESP partitions presents a new data-only exploitation approach through logo image modification, changing the perspective on ESP attack surfaces.

Unlike BlackLotus or BootHole, LogoFAIL avoids modifying bootloaders or firmware, ensuring runtime integrity. 

Exploiting with a modified boot logo triggers payload delivery after security measurements, allowing compromised signed UEFI components to break the secure boot without detection.

Hundreds of devices from Intel, Acer, Lenovo, and more are potentially vulnerable to LogoFAIL, affecting major IBVs like:-

  • AMI
  • Insyde
  • Phoenix

Regardless of hardware type (x86 or ARM), the impact extends to almost all devices powered by these vendors. The extensive security vulnerabilities reveal challenges in product security maturity and code quality within IBVs’ reference code, calling for a more proactive and comprehensive approach.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.