Cybersecurity researchers have recently uncovered a UEFI vulnerability in the Phoenix SecureCore UEFI firmware, which affects a variety of Intel Core desktop and mobile processors. This now-patched vulnerability, identified as CVE-2024-0762 with a CVSS score of 7.5, has been termed “UEFIcanhazbufferoverflow.” It involves a buffer overflow caused by an unsafe variable in the Trusted Platform Module (TPM) configuration, potentially allowing malicious code execution.

Details of the Vulnerability

According to Eclypsium, a supply chain security firm, the flaw enables local attackers to escalate privileges and execute code within the UEFI firmware during runtime. This type of low-level exploitation is common in firmware backdoors, such as BlackLotus, which are increasingly prevalent. Such implants allow attackers to maintain persistent control over a device, often bypassing higher-level security measures in the operating system and software layers.

UEFI Vulnerability: Response and Mitigation

Phoenix Technologies addressed this UEFI vulnerability in April 2024 following responsible disclosure. Additionally, Lenovo has released updates to fix the issue as of last month. The vulnerability impacts devices using Phoenix SecureCore firmware on various Intel processor families, including Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake.

The Significance of UEFI

UEFI (Unified Extensible Firmware Interface), which replaced BIOS, is critical firmware used during startup to initialize hardware components and load the operating system via the boot manager. Because UEFI is the first code executed with the highest privileges, it is an attractive target for threat actors looking to deploy bootkits and firmware implants. These can subvert security mechanisms and maintain persistence without detection.

Broader Implications

Vulnerabilities in UEFI firmware pose a significant supply chain risk, potentially affecting a wide range of products and vendors. UEFI firmware is highly valuable code on modern devices, and any compromise can grant attackers full control and persistence on the device. The discovery of this vulnerability underscores the importance of securing UEFI firmware to protect against such threats.

Recent Related Discoveries

This recent finding follows nearly a month after a similar unpatched buffer overflow flaw was disclosed in HP’s UEFI implementation, affecting the HP ProBook 11 EE G1, which reached end-of-life status in September 2020. Additionally, a software attack called TPM GPIO Reset was disclosed, which could be exploited by attackers to access secrets stored on disks by other operating systems or to undermine TPM-protected controls such as disk encryption or boot protections.

Conclusion

The discovery of the UEFI vulnerability highlights the critical need for robust security measures in UEFI firmware to prevent low-level exploits that can lead to severe security breaches. As UEFI is integral to the startup process and operates with the highest system privileges, securing it is paramount to ensuring overall device security.

Regular updates and patches from firmware developers and device manufacturers are essential to protect against these vulnerabilities and safeguard the integrity of our systems.

The sources for this piece include articles in The Hacker News and ThreatDown.

The post Researchers Uncover UEFI Vulnerability Affecting Intel CPUs appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/researchers-uncover-uefi-vulnerability-affecting-intel-cpus/