Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

Avatar
Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the “UEFIcanhazbufferoverflow” vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform

Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors.

Tracked as CVE-2024-0762 (CVSS score: 7.5), the “UEFIcanhazbufferoverflow” vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code.

“The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime,” supply chain security firm Eclypsium said in a report shared with The Hacker News.

“This type of low-level exploitation is typical of firmware backdoors (e.g., BlackLotus) that are increasingly observed in the wild. Such implants give attackers ongoing persistence within a device and often, the ability to evade higher-level security measures running in the operating system and software layers.”

Following responsible disclosure, the vulnerability was addressed by Phoenix Technologies in April 2024. PC maker Lenovo has also released updates for the flaw as of last month.

“This vulnerability affects devices using Phoenix SecureCore firmware running on select Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake,” the firmware developer said.

UEFI, a successor to BIOS, refers to motherboard firmware used during startup to initialize the hardware components and load the operating system via the boot manager.

The fact that UEFI is the first code that’s run with the highest privileges has made it a lucrative target for threat actors looking to deploy bootkits and firmware implants that can subvert security mechanisms and maintain persistence without being detected.

This also means that vulnerabilities discovered in the UEFI firmware can pose a severe supply chain risk, as they can impact many different products and vendors at once.

“UEFI firmware is some of the most high-value code on modern devices, and any compromise of that code can give attackers full control and persistence on the device,” Eclypsium said.

The development comes nearly a month after the company disclosed a similar unpatched buffer overflow flaw in HP’s implementation of UEFI that impacts HP ProBook 11 EE G1, a device that reached end-of-life (EoL) status as of September 2020.

It also follows the disclosure of a software attack called TPM GPIO Reset that could be exploited by attackers to access secrets stored on disk by other operating systems or undermine controls that are protected by the TPM such as disk encryption or boot protections.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks

Next Post

SolarWinds Serv-U Vulnerability Under Active Attack – Patch Immediately

Related Posts

Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain attack. "This attack stands out due to the high variability across packages," Phylum said in an analysis published last week. "The attacker has cleverly hidden the malware in the seldom-used 'end' function of
Avatar
Read More