Phoenix UEFI bug puts long list of Intel chips at risk

A new vulnerability in UEFI firmware threatens the security of a wide range of Intel chip families in a similar way to BlackLotus and others like it.

Security firm Eclypsium has just published its report on CVE-2024-0762 (CVSSv3: 7.5) after disclosing it to Phoenix Technologies, whose UEFI firmware is affected. Phoenix Technologies supplies UEFI/BIOS device firmware for Windows laptops, tablets, desktops and servers.

The researchers originally found the buffer overflow bug in Lenovo’s ThinkPad X1 Carbon 7th Gen and

Certain chips in the following lines may be affected:

  • Alder Lake
  • Coffee Lake
  • Comet Lake
  • Ice Lake
  • Jasper Lake
  • Kaby Lake
  • Meteor Lake
  • Raptor Lake
  • Rocket Lake
  • Tiger Lake

“Given that these Intel Core processors are used by a wide range of OEMs and ODMs, the same vulnerability could potentially affect a wide range of vendors and potentially hundreds of PC products that also use the Phoenix SecureCore UEFI firmware,” Eclypsium says in its advisory.

The vulnerability resides in the Trusted Platform Module (TPM) configuration and centers around an insecure variable (TCG2_CONFIGURATION), exploitation of which can lead to a buffer overflow, escalation of privilege, and code execution.

The variable is configured differently on each platform. That configuration and the rights assigned to it determine the possibility and extent to which the vulnerability can be exploited.

Since CVE-2024-0762 resides in the code that handles the configuration of the TPM, simply having a TPM in a device, a component designed to increase its security and prevent untrusted boot processes from running, will not be enough to prevent successful exploitation.

Lenovo has already released patches for the vulnerability, and a look at the advisory shows that a wide range of notebooks and ThinkPads are affected. Lenovo owners, take a look and patch if necessary.

Phoenix Technologies disclosed the vulnerability last month and said fixes were available as early as April.

“Phoenix Technologies strongly recommends that customers update their firmware to the latest version and contact their hardware vendor as soon as possible to avoid potential exploitation of this flaw,” the company said.

The Reg asked Intel for comment, but the company did not immediately respond.

Similar to major threats from the past

UEFI exploits always tend to raise industry eyebrows, as they often allow silent backdoors into the lowest, most privileged levels of a system and exploits are notoriously difficult to detect.

Backdoors of yesteryear like BlackLotus, CosmicStrand, and MosaicRegressor are previous examples of UEFI flaws that made security professionals sweat. This bug, which Eclypsium called “UEFICanHazBufferOverflow” (terrible and won’t be repeated by us again), is being hyped as a finding of similar significance.

Eclypsium made the wise decision not to release proof-of-concept code, but explained that novice black hats could pull off a successful exploit if they properly spoofed calls to the GetVariable UEFI service.

It said: “There are two calls to GetVariable with the argument ‘TCG2_CONFIGURATION’ and the same DataSize, without adequate checks between them.

“If an attacker can change the value of the UEFI variable ‘TCG2_CONFIGURATION’ at system runtime, they can set it to a value long enough that the first call to GetVariable returns EFI_BUFFER_TOO_SMALL and data_size is set to the length of the UEFI variable. The second call would succeed and overflow the buffer, leading to a stack buffer overflow.” ®
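The two-call pattern Eclypsium describes is a common UEFI idiom: probe GetVariable for the size, then read. The defect is reusing the size learned from the probe against a fixed stack buffer, so a variable that grows between the calls is copied past the end of the buffer. The hardened reader below, added here as an illustration and not Eclypsium's or Phoenix's code, bounds the second call by the buffer's real capacity and refuses a variable that is too large or that changed size between the calls. The GetVariable mock, the status values (which mirror the edk2 encodings) and the in-memory variable store are constructed stand-ins for the firmware services, and the `g_grow_to_after_probe` hook is test instrumentation that models a runtime write landing between the two calls.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed minimal stand-ins for the UEFI types (not the real edk2 headers). */
typedef uint64_t EFI_STATUS;
#define EFI_ERROR_BIT          0x8000000000000000ULL
#define EFI_SUCCESS            0ULL
#define EFI_BAD_BUFFER_SIZE    (EFI_ERROR_BIT | 4)
#define EFI_BUFFER_TOO_SMALL   (EFI_ERROR_BIT | 5)
#define EFI_NOT_FOUND          (EFI_ERROR_BIT | 14)

/* Constructed in-memory variable store holding only TCG2_CONFIGURATION. */
#define TCG2_VAR_NAME "TCG2_CONFIGURATION"
static uint8_t g_tcg2_value[256];
static size_t  g_tcg2_len = 0;
/* Test hook: if non-zero, the variable "grows" to this length right after a
 * size-probe call, modelling an attacker rewriting it between the two calls. */
static size_t  g_grow_to_after_probe = 0;

static void store_set_tcg2(const uint8_t *value, size_t len) {
    if (len > sizeof g_tcg2_value) len = sizeof g_tcg2_value;
    memcpy(g_tcg2_value, value, len);
    g_tcg2_len = len;
}

/* Mock of EFI_RUNTIME_SERVICES.GetVariable with the spec's contract: if
 * *data_size is too small, return EFI_BUFFER_TOO_SMALL and report the needed
 * size; otherwise copy the value and report the bytes written. */
static EFI_STATUS GetVariable(const char *name, size_t *data_size, void *data) {
    EFI_STATUS st;
    if (strcmp(name, TCG2_VAR_NAME) != 0) return EFI_NOT_FOUND;
    if (*data_size < g_tcg2_len) {
        *data_size = g_tcg2_len;
        st = EFI_BUFFER_TOO_SMALL;
    } else {
        if (data != NULL) memcpy(data, g_tcg2_value, g_tcg2_len);
        *data_size = g_tcg2_len;
        st = EFI_SUCCESS;
    }
    /* Apply the simulated runtime write after a probe (data == NULL). */
    if (data == NULL && g_grow_to_after_probe > g_tcg2_len)
        g_tcg2_len = g_grow_to_after_probe;   /* padding bytes are already zero */
    return st;
}

/* Hardened two-call read. The second call is always bounded by out_cap, never
 * by the size the first call reported, so a variable that grew in between is
 * rejected by GetVariable itself instead of being copied past the buffer. */
static EFI_STATUS read_tcg2_config(uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t size = 0;
    EFI_STATUS st = GetVariable(TCG2_VAR_NAME, &size, NULL);
    if (st == EFI_SUCCESS) { *out_len = 0; return EFI_SUCCESS; }  /* empty variable */
    if (st != EFI_BUFFER_TOO_SMALL) return st;
    if (size > out_cap) return EFI_BAD_BUFFER_SIZE;  /* cannot fit: refuse, don't truncate */

    size = out_cap;                                   /* the buffer's real capacity */
    st = GetVariable(TCG2_VAR_NAME, &size, out);
    if (st != EFI_SUCCESS) return st;                 /* grew between calls: nothing written */
    *out_len = size;
    return EFI_SUCCESS;
}

/* Three scenarios on a 64-byte stack buffer; returns how many behaved safely (3). */
static int run_scenarios(void) {
    uint8_t out[64];
    size_t got = 0;
    int ok = 0;
    const uint8_t small[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t big[100];
    memset(big, 0xAA, sizeof big);

    g_grow_to_after_probe = 0;                        /* 1: value fits, read succeeds */
    store_set_tcg2(small, sizeof small);
    if (read_tcg2_config(out, sizeof out, &got) == EFI_SUCCESS &&
        got == 8 && memcmp(out, small, 8) == 0) ok++;

    store_set_tcg2(big, sizeof big);                  /* 2: value already too large */
    if (read_tcg2_config(out, sizeof out, &got) == EFI_BAD_BUFFER_SIZE) ok++;

    store_set_tcg2(small, sizeof small);              /* 3: grows between the calls */
    g_grow_to_after_probe = 128;
    if (read_tcg2_config(out, sizeof out, &got) == EFI_BUFFER_TOO_SMALL) ok++;
    g_grow_to_after_probe = 0;
    return ok;
}

int main(void) {
    printf("%d of 3 scenarios handled safely\n", run_scenarios());
    return 0;
}
```

Scenario 3 is the advisory's race: the probe reports 8 bytes, the variable is rewritten to 128 bytes, and the vulnerable pattern would pass the stale-but-now-grown DataSize with the same 64-byte stack buffer. Passing the buffer's capacity instead makes the firmware service return EFI_BUFFER_TOO_SMALL without writing. The same check is worth looking for when auditing other DXE drivers that read attacker-writable runtime variables.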
