LogoFAIL Vulnerability Affects Almost Every PC Running Windows and Linux

AleksandarK · Dec 7, 2023

Binarly's research team has discovered a collection of security vulnerabilities known as "LogoFAIL", which affects image parsing components within the UEFI firmware of a wide array of devices. These vulnerabilities are especially concerning because they are embedded within the reference code provided by Independent BIOS Vendors (IBVs), affecting not just a single vendor but a broad spectrum of devices that utilize this code. LogoFAIL is particularly dangerous because it allows attackers to bypass crucial security measures such as Secure Boot and Intel Boot Guard by executing a payload during the device's boot process. This is achieved by storing malicious images on the EFI System Partition or within unsigned sections of firmware updates. This method can compromise system security deeply without altering the runtime integrity of the bootloader or firmware, unlike other threats such as BlackLotus or BootHole.

The potential reach of LogoFAIL vulnerability is rather wide, with millions of consumer and enterprise-grade devices from various vendors, including ones like Intel, Acer, and Lenovo, being vulnerable. The exact list of affected devices is still undetermined, but the prevalence of the IBVs' code across numerous devices suggests that the impact could be widespread, with both Windows and Linux users being affected. Only PCs that don't allow any logotype displayed in the UEFI during the boot process are safe. Apple's Macs are secure as they don't allow any add-on images during boot, and some OEM prebuilt PCs, like the ones from Dell, don't allow images in the UEFI. Some makers like Lenovo, AMI, and Insyde have already published notes about cautiously uploading custom images to the UEFI and providing BIOS updates. Consumers and enterprises must check with their OEMs and IBVs for BIOS microcode updates to patch against this vulnerability.

Below, you can see the proof of concept in a YouTube video.

View at TechPowerUp Main Site | Source

chrcoluk · Dec 7, 2023

Its a test fail for me, it required the user to grant UAC permission and to manually run the payload.

They need to show it working as a drive by in a restricted permission browser to get my attention.

phanbuey · Dec 7, 2023

chrcoluk said:
Its a test fail for me, it required the user to grant UAC permission and to manually run the payload.

They need to show it working as a drive by in a restricted permission browser to get my attention.

Typically they combine exploits to deliver them on a system - i.e. EternalBlue was used to run wannaCry on target systems and then it spread like wildfire.

So there would be another remote code exploit used to run this process on the machine to then gain full access to the system.

Ferrum Master · Dec 7, 2023

I suggest putting read only jumper for BIOS at certain stage and call it a day.

unwind-protect · Dec 7, 2023

Ferrum Master said:
I suggest putting read only jumper for BIOS at certain stage and call it a day.

The broken code is in the firmware, but to trigger it you only need to modify the uEFI partition, which is not requiring a flash.

_JP_ · Dec 7, 2023

But modding an image of my <favorite thing> when it boots for 3 seconds was the coolest thing about UEFI! I could show it off, briefly!

Does this mean that there will finally be less bloat and more functionality, boarder hardware support will be a thing?

TheoneandonlyMrK · Dec 7, 2023

You know I noticed that image change last bios update too, and that happens often, ,, not.
I'll be monitoring closely, hopefully, heuristic analysis of Windows Defender will gain skills against this given time and effort.

chrcoluk · Dec 7, 2023

phanbuey said:
Typically they combine exploits to deliver them on a system - i.e. EternalBlue was used to run wannaCry on target systems and then it spread like wildfire.

So there would be another remote code exploit used to run this process on the machine to then gain full access to the system.

Indeed, in that case EternalBlue was the real danger. In this case the "other remote code exploit" is what I would be worried about.

swaaye · Dec 7, 2023

I thought Secure Boot was cracked like 10 years ago. Which actually would be not long after it first appeared lol.

We better just go back to the old school BIOS. Just had that sketchy boot sector virus protection that you always left off.

R-T-B · Dec 7, 2023

Ferrum Master said:
I suggest putting read only jumper for BIOS at certain stage and call it a day.

Yeah not too worried about this here. If someone is able to flash your boot logo of course they can cause mischief, what happened to not getting that plague infested in the first place?

swaaye said:
I thought Secure Boot was cracked like 10 years ago. Which actually would be not long after it first appeared lol.

Nah, not really. Secure boot has had a flaw here and there but overall works if some minion from the deepweb doesn't literally rewrite your firmware while you sleep. In which case, invest in a lock, please.

user556 · Dec 7, 2023

So for those that don't have a UEFI partition, it won't work?

R-T-B · Dec 8, 2023

user556 said:
So for those that don't have a UEFI partition, it won't work?

It'll work on any UEFI PC flashed with a malicious logo. The partition scheme has nothing to do with it. But really, malware doesn't tend to mess with your bios logo to date and I don't really see that changing...

user556 · Dec 8, 2023

Can't say I've ever tried flashing the BIOS with the OS running. I've always done that within the BIOS menus using a FAT32 USB drive. It must be quite the feat for malware to achieve over the Internet.

P4-630 · Dec 8, 2023

user556 said:
Can't say I've ever tried flashing the BIOS with the OS running.

I did several times with an HP laptop.
The firmware updater was made for it in this case.

user556 · Dec 8, 2023

No laptops here. All assembled generic PC parts in a tower.

unwind-protect · Dec 8, 2023

user556 said:
Can't say I've ever tried flashing the BIOS with the OS running. I've always done that within the BIOS menus using a FAT32 USB drive. It must be quite the feat for malware to achieve over the Internet.

Again, you don't have to flash the BIOS to hit this problem. Modifying the uEFI partition does it, and you can write to it like to any other FAT partition.

user556 · Dec 8, 2023

I don't have such a partition.

ThrashZone · Dec 8, 2023

Hi,
Yeah okay mbr rules now :laugh:

R-T-B · Dec 8, 2023

unwind-protect said:
Again, you don't have to flash the BIOS to hit this problem. Modifying the uEFI partition does it, and you can write to it like to any other FAT partition.

Wait, what? That's not how I read this at all. Citation? Logos aren't loaded from the UEFI partition at all.

AleksandarK said:
This is achieved by storing malicious images on the EFI System Partition or within unsigned sections of firmware updates.

Ah nvm found it. Is this TPU taking liberties though or is this just using some mechanism I was unaware of? Been a while since my firmware security days.

Still, it needs to write to your most likely unmounted boot partition at minimum. Which would be pretty odd.

xorbe · Dec 9, 2023

LogoFAIL or JailbreakWIN?

R-T-B · Dec 9, 2023

xorbe said:
LogoFAIL or JailbreakWIN?

If you're in a jail you aren't going to be able to parse a bootlogo like that.

System Name	Main PC
Processor	13700k
Motherboard	Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling	Noctua NH-D15S
Memory	32 Gig 3200CL14
Video Card(s)	3080 RTX FE 10G
Storage	1TB 980 PRO (OS, games), 2TB SN850X (games), 2TB DC P4600 (work), 2x 3TB WD Red, 2x 4TB WD Red
Display(s)	LG 27GL850
Case	Fractal Define R4
Audio Device(s)	Asus Xonar D2X
Power Supply	Antec HCG 750 Gold
Software	Windows 10 21H2 LTSC

Processor	13700KF Undervolted @ 5.6/ 5.5, 4.8Ghz Ring 200W PL1
Motherboard	MSI 690-I PRO
Cooling	Thermalright Peerless Assassin 120 w/ Arctic P12 Fans
Memory	48 GB DDR5 7600 MHZ CL36
Video Card(s)	RTX 4090 FE
Storage	2x 2TB WDC SN850, 1TB Samsung 960 prr
Display(s)	Alienware 32" 4k 240hz OLED
Case	SLIGER S620
Audio Device(s)	Yes
Power Supply	Corsair SF750
Mouse	Xlite V2
Keyboard	RoyalAxe
Software	Windows 11
Benchmark Scores	They're pretty good, nothing crazy.

System Name	HELLSTAR
Processor	AMD RYZEN 9 5950X
Motherboard	ASUS Strix X570-E
Cooling	2x 360 + 280 rads. 3x Gentle Typhoons, 3x Phanteks T30, 2x TT T140 . EK-Quantum Momentum Monoblock.
Memory	4x8GB G.SKILL Trident Z RGB F4-4133C19D-16GTZR 14-16-12-30-44
Video Card(s)	Sapphire Pulse RX 7900XTX + under waterblock through Kryosheet
Storage	Optane 900P[W11] + WD BLACK SN850X 4TB + 750 EVO 500GB + 1TB 980PRO[FEDORA]
Display(s)	Philips PHL BDM3270 + Acer XV242Y
Case	Lian Li O11 Dynamic EVO
Audio Device(s)	Sound Blaster ZxR
Power Supply	Fractal Design Newton R3 1000W
Mouse	Razer Basilisk
Keyboard	Razer BlackWidow V3 - Yellow Switch
Software	FEDORA 40

System Name	LenovoⓇ ThinkPad™ T430
Processor	IntelⓇ Core™ i5-3210M processor (2 cores, 2.50GHz, 3MB cache), Intel Turbo Boost™ 2.0 (3.10GHz), HT™
Motherboard	Lenovo 2344 (Mobile Intel QM77 Express Chipset)
Cooling	Single-pipe heatsink + Delta fan
Memory	2x 8GB KingstonⓇ HyperX™ Impact 2133MHz DDR3L SO-DIMM
Video Card(s)	Intel HD Graphics™ 4000 (GPU clk: 1100MHz, vRAM clk: 1066MHz)
Storage	SamsungⓇ 860 EVO mSATA (250GB) + 850 EVO (500GB) SATA
Display(s)	14.0" (355mm) HD (1366x768) color, anti-glare, LED backlight, 200 nits, 16:9 aspect ratio, 300:1 co
Case	ThinkPad Roll Cage (one-piece magnesium frame)
Audio Device(s)	HD Audio, RealtekⓇ ALC3202 codec, DolbyⓇ Advanced Audio™ v2 / stereo speakers, 1W x 2
Power Supply	ThinkPad 65W AC Adapter + ThinkPad Battery 70++ (9-cell)
Mouse	TrackPointⓇ pointing device + UltraNav™, wide touchpad below keyboard + ThinkLight™
Keyboard	6-row, 84-key, ThinkVantage button, spill-resistant, multimedia Fn keys, LED backlight (PT Layout)
Software	MicrosoftⓇ WindowsⓇ 10 x86-64 (22H2)

System Name	RyzenGtEvo/ Asus strix scar II
Processor	Amd R5 5900X/ Intel 8750H
Motherboard	Crosshair hero8 impact/Asus
Cooling	360EK extreme rad+ 360$EK slim all push, cpu ek suprim Gpu full cover all EK
Memory	Corsair Vengeance Rgb pro 3600cas14 16Gb in four sticks./16Gb/16GB
Video Card(s)	Powercolour RX7900XT Reference/Rtx 2060
Storage	Silicon power 2TB nvme/8Tb external/1Tb samsung Evo nvme 2Tb sata ssd/1Tb nvme
Display(s)	Samsung UAE28"850R 4k freesync.dell shiter
Case	Lianli 011 dynamic/strix scar2
Audio Device(s)	Xfi creative 7.1 on board ,Yamaha dts av setup, corsair void pro headset
Power Supply	corsair 1200Hxi/Asus stock
Mouse	Roccat Kova/ Logitech G wireless
Keyboard	Roccat Aimo 120
VR HMD	Oculus rift
Software	Win 10 Pro
Benchmark Scores	8726 vega 3dmark timespy/ laptop Timespy 6506

System Name	Pioneer
Processor	Ryzen R9 7950X
Motherboard	GIGABYTE Aorus Elite X670 AX
Cooling	Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory	64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64 / Windows 11

System Name	AlderLake / Laptop
Processor	Intel i7 12700K P-Cores @ 5Ghz / Intel i3 7100U
Motherboard	Gigabyte Z690 Aorus Master / HP 83A3 (U3E1)
Cooling	Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans / Fan
Memory	32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36 / 8GB DDR4 HyperX CL13
Video Card(s)	MSI RTX 2070 Super Gaming X Trio / Intel HD620
Storage	Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2 / Samsung 256GB M.2 SSD
Display(s)	23.8" Dell S2417DG 165Hz G-Sync 1440p / 14" 1080p IPS Glossy
Case	Be quiet! Silent Base 600 - Window / HP Pavilion
Audio Device(s)	Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply	Seasonic Focus Plus Gold 750W / Powerbrick
Mouse	Logitech MX Anywhere 2 Laser wireless / Logitech M330 wireless
Keyboard	RAPOO E9270P Black 5GHz wireless / HP backlit
Software	Windows 11 / Windows 10
Benchmark Scores	Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock

System Name	Ghetto Rigs z490\|x99\|Acer 17 Nitro 7840hs/ 5600c40-2x16/ 4060/ 1tb acer stock m.2/ 4tb sn850x
Processor	10900k w/Optimus Foundation \| 5930k w/Black Noctua D15
Motherboard	z490 Maximus XII Apex \| x99 Sabertooth
Cooling	oCool D5 res-combo/280 GTX/ Optimus Foundation/ gpu water block \| Blk D15
Memory	Trident-Z Royal 4000c16 2x16gb \| Trident-Z 3200c14 4x8gb
Video Card(s)	Titan Xp-water \| evga 980ti gaming-w/ air
Storage	970evo+500gb & sn850x 4tb \| 860 pro 256gb \| Acer m.2 1tb/ sn850x 4tb\| Many2.5" sata's ssd 3.5hdd's
Display(s)	1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
Case	D450 \| Cherry Entertainment center on Test bench
Audio Device(s)	Built in Realtek x2 with 2-Insignia 2.0 sound bars & 1-LG sound bar
Power Supply	EVGA 1000P2 with APC AX1500 \| 850P2 with CyberPower-GX1325U
Mouse	Redragon 901 Perdition x3
Keyboard	G710+x3
Software	Win-7 pro x3 and win-10 & 11pro x3
Benchmark Scores	Are in the benchmark section

System Name	msdos
Processor	8086
Motherboard	mainboard
Cooling	passive
Memory	640KB + 384KB extended
Video Card(s)	EGA
Storage	5.25"
Display(s)	80x25
Case	plastic
Audio Device(s)	modchip
Power Supply	45 watts
Mouse	serial
Keyboard	yes
Software	disk commander
Benchmark Scores	still running

LogoFAIL Vulnerability Affects Almost Every PC Running Windows and Linux

News Editor