AMD firmware for LogoFAIL, which lets hackers get into any PC via boot logo, rolling out

More and more AMD motherboard vendor partners are starting to roll out firmware updates that fix the ubiquitous LogoFAIL vulnerability. For example, Gigabyte's mid-range B550 offering, the Aorus Elite V2, received the update towards the end of last month.

The firmware notes say that the firmware updates the AGESA (AMD Generic Encapsulated Software Architecture) to version 1.2.0.B, and add that the LogoFAIL UEFI vulnerability has been patched.

B550 Aorus Elite V2

Firmware version: FF

  • Update AMD AGESA V2 1.2.0.B
  • Fix AMD processor vulnerabilities security
  • Addresses potential UEFI vulnerabilities. (LogoFAIL)

Other vendors like Asus, MSI, and ASRock, among others, are also beginning to roll out the patched firmware. It seems AMD, as always, is a bit late to the party, as Intel had already begun releasing patched firmware updates in December 2023.

In case you are wondering what LogoFAIL is, it is a security flaw discovered by the Binarly research team back in December last year. The flaw is simple yet very effective: threat actors could abuse the customizable boot-logo images that firmware image parsers process during the boot process. The vulnerability is tracked under CVE-2023-40238.

Binarly explains:

We found that certain vendors such as Lenovo, Intel and Acer allow users – and so attackers – to customize the logo shown during boot. It could be simply done via placing it into ESP (EFI System Partition) and adding or modifying certain variables in NVRAM, then rebooting the system. Administrator privileges are enough to perform this. In this case, hardware-based Verified Boot security features such as Intel Boot Guard or AMD Hardware-Validated Boot won’t protect against it since the logo is read outside the range covered by these.

Binarly also did additional research on the vulnerability and found that the number of image parsers across multiple BIOS vendors like Insyde, AMI, and Phoenix has grown over time, increasing the risk further:

… our research team looked at some of the vulnerabilities discovered by the Binarly Transparency Platform and found that the number of image parsers has significantly increased over the years.

  • Insyde-based firmware usually but not always contains parsers for BMP, GIF, JPEG, PCX, PNG, and TGA. Those are stored in separate modules called, e.g., BmpDecoderDxe
  • AMI-based firmware contains image parsers in a DXE module called AMITSE. Every firmware we analyzed contained between a single BMP parser (e.g., Dell firmware) to a set of parsers for BMP, PNG, JPEG, and GIF (e.g., Lenovo).
  • Phoenix-based firmware stores its parsers in a module called SystemImageDecoderDxe, and it can usually parse BMP, GIF, and JPEG.
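The parsers listed above all have to size and fill a buffer from fields an attacker controls, so the defensive point is what a decoder must verify before it trusts a single header value. The following Python is an added example written for this article (it is not Binarly's, AMD's or any BIOS vendor's code) that validates a BMP header the way a hardened boot-logo parser would, rejecting dimensions, offsets and lengths that would drive an oversized allocation or an out-of-bounds copy; MAX_DIM and MAX_PIXEL_BYTES are assumed limits and make_bmp builds constructed sample input.

```python
import struct

MAX_DIM = 4096                     # assumed limit on logo width/height (illustrative)
MAX_PIXEL_BYTES = 8 * 1024 * 1024  # assumed cap on the decoded buffer we will allocate

def parse_bmp_header(data: bytes) -> dict:
    """Validate a BMP file header and BITMAPINFOHEADER before any buffer is sized.
    Every field that drives an allocation or copy is bounds-checked, not trusted."""
    if len(data) < 54:
        raise ValueError("truncated header")
    magic, _size, _reserved, pix_off = struct.unpack_from("<2sIII", data, 0)
    if magic != b"BM":
        raise ValueError("bad magic")
    hdr_size, width, height, planes, bpp, compression, _img_size = \
        struct.unpack_from("<IiiHHII", data, 14)
    if hdr_size != 40:
        raise ValueError("unsupported DIB header size")
    if planes != 1 or bpp not in (1, 4, 8, 24, 32):
        raise ValueError("unsupported planes/bpp")
    if compression != 0:
        raise ValueError("compressed BMP not accepted")
    rows = abs(height)  # negative height only flips row order (top-down)
    if not (0 < width <= MAX_DIM and 0 < rows <= MAX_DIM):
        raise ValueError("dimensions out of range")
    # Rows pad to 4 bytes. Python ints cannot overflow, so this explicit bound
    # plays the role of the overflow check a C decoder must do before multiplying.
    row_bytes = ((width * bpp + 31) // 32) * 4
    needed = row_bytes * rows
    if needed > MAX_PIXEL_BYTES:
        raise ValueError("pixel buffer too large")
    if pix_off < 54 or pix_off > len(data) or len(data) - pix_off < needed:
        raise ValueError("pixel offset/length inconsistent with header")
    return {"width": width, "height": rows, "bpp": bpp,
            "row_bytes": row_bytes, "pixel_offset": pix_off}

def is_safe_logo(data: bytes) -> bool:
    try:
        parse_bmp_header(data)
        return True
    except ValueError:
        return False

def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal well-formed uncompressed BMP (constructed sample input)."""
    row_bytes = ((width * bpp + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                      len(pixels), 2835, 2835, 0, 0)
    return struct.pack("<2sIII", b"BM", 54 + len(pixels), 0, 54) + dib + pixels
```

Run is_safe_logo over the image files found in an EFI System Partition to see which ones a strict decoder would refuse; the same header-versus-length consistency checks apply in spirit to the PNG, GIF and JPEG parsers named above.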

You can find more technical details in Binarly's blog post.

Thanks for the tip, Eternal Tempest!!
