LogoFAIL Vulnerability Affects Almost Every PC Running Windows and Linux

AleksandarK · Dec 7, 2023

Binarly's research team has discovered a collection of security vulnerabilities known as "LogoFAIL", which affects image parsing components within the UEFI firmware of a wide array of devices. These vulnerabilities are especially concerning because they are embedded within the reference code provided by Independent BIOS Vendors (IBVs), affecting not just a single vendor but a broad spectrum of devices that utilize this code. LogoFAIL is particularly dangerous because it allows attackers to bypass crucial security measures such as Secure Boot and Intel Boot Guard by executing a payload during the device's boot process. This is achieved by storing malicious images on the EFI System Partition or within unsigned sections of firmware updates. This method can compromise system security deeply without altering the runtime integrity of the bootloader or firmware, unlike other threats such as BlackLotus or BootHole.

The potential reach of LogoFAIL vulnerability is rather wide, with millions of consumer and enterprise-grade devices from various vendors, including ones like Intel, Acer, and Lenovo, being vulnerable. The exact list of affected devices is still undetermined, but the prevalence of the IBVs' code across numerous devices suggests that the impact could be widespread, with both Windows and Linux users being affected. Only PCs that don't allow any logotype displayed in the UEFI during the boot process are safe. Apple's Macs are secure as they don't allow any add-on images during boot, and some OEM prebuilt PCs, like the ones from Dell, don't allow images in the UEFI. Some makers like Lenovo, AMI, and Insyde have already published notes about cautiously uploading custom images to the UEFI and providing BIOS updates. Consumers and enterprises must check with their OEMs and IBVs for BIOS microcode updates to patch against this vulnerability.

Below, you can see the proof of concept in a YouTube video.

View at TechPowerUp Main Site | Source

chrcoluk · Dec 7, 2023

Its a test fail for me, it required the user to grant UAC permission and to manually run the payload.

They need to show it working as a drive by in a restricted permission browser to get my attention.

phanbuey · Dec 7, 2023

chrcoluk said:
Its a test fail for me, it required the user to grant UAC permission and to manually run the payload.

They need to show it working as a drive by in a restricted permission browser to get my attention.

Typically they combine exploits to deliver them on a system - i.e. EternalBlue was used to run wannaCry on target systems and then it spread like wildfire.

So there would be another remote code exploit used to run this process on the machine to then gain full access to the system.

Ferrum Master · Dec 7, 2023

I suggest putting read only jumper for BIOS at certain stage and call it a day.

unwind-protect · Dec 7, 2023

Ferrum Master said:
I suggest putting read only jumper for BIOS at certain stage and call it a day.

The broken code is in the firmware, but to trigger it you only need to modify the uEFI partition, which is not requiring a flash.

_JP_ · Dec 7, 2023

But modding an image of my <favorite thing> when it boots for 3 seconds was the coolest thing about UEFI! I could show it off, briefly!

Does this mean that there will finally be less bloat and more functionality, boarder hardware support will be a thing?

TheoneandonlyMrK · Dec 7, 2023

You know I noticed that image change last bios update too, and that happens often, ,, not.
I'll be monitoring closely, hopefully, heuristic analysis of Windows Defender will gain skills against this given time and effort.

chrcoluk · Dec 7, 2023

phanbuey said:
Typically they combine exploits to deliver them on a system - i.e. EternalBlue was used to run wannaCry on target systems and then it spread like wildfire.

So there would be another remote code exploit used to run this process on the machine to then gain full access to the system.

Indeed, in that case EternalBlue was the real danger. In this case the "other remote code exploit" is what I would be worried about.

swaaye · Dec 7, 2023

I thought Secure Boot was cracked like 10 years ago. Which actually would be not long after it first appeared lol.

We better just go back to the old school BIOS. Just had that sketchy boot sector virus protection that you always left off.

R-T-B · Dec 7, 2023

Ferrum Master said:
I suggest putting read only jumper for BIOS at certain stage and call it a day.

Yeah not too worried about this here. If someone is able to flash your boot logo of course they can cause mischief, what happened to not getting that plague infested in the first place?

swaaye said:
I thought Secure Boot was cracked like 10 years ago. Which actually would be not long after it first appeared lol.

Nah, not really. Secure boot has had a flaw here and there but overall works if some minion from the deepweb doesn't literally rewrite your firmware while you sleep. In which case, invest in a lock, please.

user556 · Dec 7, 2023

So for those that don't have a UEFI partition, it won't work?

R-T-B · Dec 8, 2023

user556 said:
So for those that don't have a UEFI partition, it won't work?

It'll work on any UEFI PC flashed with a malicious logo. The partition scheme has nothing to do with it. But really, malware doesn't tend to mess with your bios logo to date and I don't really see that changing...

user556 · Dec 8, 2023

Can't say I've ever tried flashing the BIOS with the OS running. I've always done that within the BIOS menus using a FAT32 USB drive. It must be quite the feat for malware to achieve over the Internet.

P4-630 · Dec 8, 2023

user556 said:
Can't say I've ever tried flashing the BIOS with the OS running.

I did several times with an HP laptop.
The firmware updater was made for it in this case.

user556 · Dec 8, 2023

No laptops here. All assembled generic PC parts in a tower.

unwind-protect · Dec 8, 2023

user556 said:
Can't say I've ever tried flashing the BIOS with the OS running. I've always done that within the BIOS menus using a FAT32 USB drive. It must be quite the feat for malware to achieve over the Internet.

Again, you don't have to flash the BIOS to hit this problem. Modifying the uEFI partition does it, and you can write to it like to any other FAT partition.

user556 · Dec 8, 2023

I don't have such a partition.

ThrashZone · Dec 8, 2023

Hi,
Yeah okay mbr rules now :laugh:

R-T-B · Dec 8, 2023

unwind-protect said:
Again, you don't have to flash the BIOS to hit this problem. Modifying the uEFI partition does it, and you can write to it like to any other FAT partition.

Wait, what? That's not how I read this at all. Citation? Logos aren't loaded from the UEFI partition at all.

AleksandarK said:
This is achieved by storing malicious images on the EFI System Partition or within unsigned sections of firmware updates.

Ah nvm found it. Is this TPU taking liberties though or is this just using some mechanism I was unaware of? Been a while since my firmware security days.

Still, it needs to write to your most likely unmounted boot partition at minimum. Which would be pretty odd.

xorbe · Dec 9, 2023

LogoFAIL or JailbreakWIN?

R-T-B · Dec 9, 2023

xorbe said:
LogoFAIL or JailbreakWIN?

If you're in a jail you aren't going to be able to parse a bootlogo like that.

System Name	Main PC
Processor	13700k
Motherboard	Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling	Noctua NH-D15S
Memory	32 Gig 3200CL14
Video Card(s)	4080 RTX SUPER FE 16G
Storage	1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s)	LG 27GL850
Case	Fractal Define R4
Audio Device(s)	Soundblaster AE-9
Power Supply	Antec HCG 750 Gold
Software	Windows 10 21H2 LTSC

System Name	stress-less
Processor	9800X3D @ 5.42GHZ
Motherboard	MSI PRO B650M-A Wifi
Cooling	Thermalright Phantom Spirit EVO
Memory	64GB DDR5 6600 1:2 CL36, FCLK 2200
Video Card(s)	RTX 4090 FE
Storage	2TB WD SN850, 4TB WD SN850X
Display(s)	Alienware 32" 4k 240hz OLED
Case	Jonsbo Z20
Audio Device(s)	Yes
Power Supply	Corsair SF750
Mouse	DeathadderV2 X Hyperspeed
Keyboard	65% HE Keyboard
Software	Windows 11
Benchmark Scores	They're pretty good, nothing crazy.

System Name	HELLSTAR
Processor	AMD RYZEN 9 5950X
Motherboard	ASUS Strix X570-E
Cooling	2x 360 + 280 rads. 3x Gentle Typhoons, 3x Phanteks T30, 2x TT T140 . EK-Quantum Momentum Monoblock.
Memory	4x8GB G.SKILL Trident Z RGB F4-4133C19D-16GTZR 14-16-12-30-44
Video Card(s)	Sapphire Pulse RX 7900XTX. Water block. Crossflashed.
Storage	Optane 900P[Fedora] + WD BLACK SN850X 4TB + 750 EVO 500GB + 1TB 980PRO+SN560 1TB(W11)
Display(s)	Philips PHL BDM3270 + Acer XV242Y
Case	Lian Li O11 Dynamic EVO
Audio Device(s)	SMSL RAW-MDA1 DAC
Power Supply	Fractal Design Newton R3 1000W
Mouse	Razer Basilisk
Keyboard	Razer BlackWidow V3 - Yellow Switch
Software	FEDORA 41

System Name	LenovoⓇ ThinkPad™ T430
Processor	IntelⓇ Core™ i5-3210M processor (2 cores, 2.50GHz, 3MB cache), Intel Turbo Boost™ 2.0 (3.10GHz), HT™
Motherboard	Lenovo 2344 (Mobile Intel QM77 Express Chipset)
Cooling	Single-pipe heatsink + Delta fan
Memory	2x 8GB KingstonⓇ HyperX™ Impact 2133MHz DDR3L SO-DIMM
Video Card(s)	Intel HD Graphics™ 4000 (GPU clk: 1100MHz, vRAM clk: 1066MHz)
Storage	SamsungⓇ 860 EVO mSATA (250GB) + 850 EVO (500GB) SATA
Display(s)	14.0" (355mm) HD (1366x768) color, anti-glare, LED backlight, 200 nits, 16:9 aspect ratio, 300:1 co
Case	ThinkPad Roll Cage (one-piece magnesium frame)
Audio Device(s)	HD Audio, RealtekⓇ ALC3202 codec, DolbyⓇ Advanced Audio™ v2 / stereo speakers, 1W x 2
Power Supply	ThinkPad 65W AC Adapter + ThinkPad Battery 70++ (9-cell)
Mouse	TrackPointⓇ pointing device + UltraNav™, wide touchpad below keyboard + ThinkLight™
Keyboard	6-row, 84-key, ThinkVantage button, spill-resistant, multimedia Fn keys, LED backlight (PT Layout)
Software	MicrosoftⓇ WindowsⓇ 10 x86-64 (22H2)

System Name	RyzenGtEvo/ Asus strix scar II
Processor	Amd R5 5900X/ Intel 8750H
Motherboard	Crosshair hero8 impact/Asus
Cooling	360EK extreme rad+ 360$EK slim all push, cpu ek suprim Gpu full cover all EK
Memory	Gskill Trident Z 3900cas18 32Gb in four sticks./16Gb/16GB
Video Card(s)	Asus tuf RX7900XT /Rtx 2060
Storage	Silicon power 2TB nvme/8Tb external/1Tb samsung Evo nvme 2Tb sata ssd/1Tb nvme
Display(s)	Samsung UAE28"850R 4k freesync.dell shiter
Case	Lianli 011 dynamic/strix scar2
Audio Device(s)	Xfi creative 7.1 on board ,Yamaha dts av setup, corsair void pro headset
Power Supply	corsair 1200Hxi/Asus stock
Mouse	Roccat Kova/ Logitech G wireless
Keyboard	Roccat Aimo 120
VR HMD	Oculus rift
Software	Win 10 Pro
Benchmark Scores	laptop Timespy 6506

System Name	Pioneer
Processor	Ryzen 9 9950X
Motherboard	MSI MAG X670E Tomahawk Wifi
Cooling	Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory	128GB (4x 32GB) G.Skill Flare X5 @ DDR5-4200(Running 1:1:1 w/FCLK)
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs, 1x 2TB Seagate Exos 3.5"
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64, other office machines run Windows 11 Enterprise

System Name	AlderLake
Processor	Intel i7 12700K P-Cores @ 5Ghz
Motherboard	Gigabyte Z690 Aorus Master
Cooling	Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans
Memory	32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36
Video Card(s)	MSI RTX 2070 Super Gaming X Trio
Storage	Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2
Display(s)	23.8" Dell S2417DG 165Hz G-Sync 1440p
Case	Be quiet! Silent Base 600 - Window
Audio Device(s)	Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply	Seasonic Focus Plus Gold 750W
Mouse	Logitech MX Anywhere 2 Laser wireless
Keyboard	RAPOO E9270P Black 5GHz wireless
Software	Windows 11
Benchmark Scores	Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock

System Name	Ghetto Rigs z490\|x99\|Acer 17 Nitro 7840hs/ 5600c40-2x16/ 4060/ 1tb acer stock m.2/ 4tb sn850x
Processor	10900k w/Optimus Foundation \| 5930k w/Black Noctua D15
Motherboard	z490 Maximus XII Apex \| x99 Sabertooth
Cooling	oCool D5 res-combo/280 GTX/ Optimus Foundation/ gpu water block \| Blk D15
Memory	Trident-Z Royal 4000c16 2x16gb \| Trident-Z 3200c14 4x8gb
Video Card(s)	Titan Xp-water \| evga 980ti gaming-w/ air
Storage	970evo+500gb & sn850x 4tb \| 860 pro 256gb \| Acer m.2 1tb/ sn850x 4tb\| Many2.5" sata's ssd 3.5hdd's
Display(s)	1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
Case	D450 \| Cherry Entertainment center on Test bench
Audio Device(s)	Built in Realtek x2 with 2-Insignia 2.0 sound bars & 1-LG sound bar
Power Supply	EVGA 1000P2 with APC AX1500 \| 850P2 with CyberPower-GX1325U
Mouse	Redragon 901 Perdition x3
Keyboard	G710+x3
Software	Win-7 pro x3 and win-10 & 11pro x3
Benchmark Scores	Are in the benchmark section

System Name	msdos
Processor	8086
Motherboard	mainboard
Cooling	passive
Memory	640KB + 384KB extended
Video Card(s)	EGA
Storage	5.25"
Display(s)	80x25
Case	plastic
Audio Device(s)	modchip
Power Supply	45 watts
Mouse	serial
Keyboard	yes
Software	disk commander
Benchmark Scores	still running

LogoFAIL Vulnerability Affects Almost Every PC Running Windows and Linux

News Editor