"Hundreds of consumer and enterprise-grade devices from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable" Binarly warns about LogoFAIL

Generated by ChatGPT | Image of LogoFAIL visualization
LogoFAIL acts as a very persistant rootkit by affecting the boot-up logo on device boot. (Image credit: ChatGPT)

What you need to know

  • Cybersecurity researchers Binarly discovered a vulnerability named LogoFAIL.
  • They recently released their findings at BlackHat Europe. 
  • LogoFAIL takes advantage of vulnerabilities in the UEFI reference code.
  • Check for UEFI security updates from your device or motherboard manufacturer.

One of the widest-spread vulnerabilities in recent memory was made public this week by Binarly at BlackHat Europe, a conference for "ethical" hackers. LogoFAIL affects potentially millions of endpoints and hundreds of device models. "All three major IBVs are impacted -- AMI, Insyde, and Phoenix due to multiple security issues related to image parsers they are shipping as a part of their firmware"

What is LogoFAIL

LogoFAIL is a "set of security vulnerabilities affecting different image parsing libraries used in the system firmware by various vendors during the device boot process." It affects devices by placing malicious code inside of an image file that is parsed during boot leading to persistence. If you want to read more in-depth coverage of the LogoFAIL research, check out Binarly's site. 

When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot).

Binarly

There are several vulnerabilities that have been identified by Binarly. They are all part of LogoFAIL and show that both a PNG and BMP Logo file can be utilized to trigger this vulnerability on affected devices. 

  • CVE-2023-40238: Affets BmpDecoderDxe in Insyde InsydeH2O for certain Lenovo devices. Caused due to an integer signedness error related to PixelHeight and PixelWidth in RLE4/RLE8 compression.
  • CVE-2023-39539: Affects AMI AptioV and involves a vulnerability in the BIOS, where a user can cause an unrestricted upload of a PNG Logo file with a dangerous type through local access.
  • CVE-2023-39538: Similar to CVE-2023-39539, this vulnerability is also found in AMI AptioV's BIOS. It allows a user to cause an unrestricted upload of a BMP Logo file with a dangerous type by local access.

LogoFAIL is uniquely persistent due to it living and executing in BIOS. It survives an operating system reinstall and bypasses most defenses since the defenses tend to run and monitor operating system function and not BIOS and UEFI code. Binarly posted an overview of LogoFAIL which shows a proof of concept. 

See more

How do protect yourself from LogoFAIL?

Due to how widespread the issue is with LogoFAIL, there isn't a definitive list of affected devices. The best method to verify if your device is affected is to contact your device or motherboard manufacturer, to first, see if your device is affected by this vulnerability, and second, see if the manufacturer has security updates to patch the root cause in the first place. Several manufacturers have issued advisories, such as AMIInsyde, and Lenovo.

Be vigilant in the protection of your device. Check out our Best ways to protect your Windows 11 PC article as well as study up on cybersecurity best practices. The good news here is that, at least from what we can tell, this was discovered and reported by the good guys. Hopefully, this will give manufacturers enough lead time to patch and resolve this issue before it can be used en masse by attackers and malicious actors. The unfortunate truth though is that the patch for this will likely require a BIOS update, which the lei user isn't going to know how to do. 

Be aware that this is out there. If you have a computer that is acting strangely, or you are sure it is infected with malware but reinstalling the OS doesn't resolve the issue, it could be a rootkit exploiting the LogoFAIL vulnerability. As always, if you're interested in learning more or getting into the cybersecurity field, check out our How to Get Started in Cybersecurity article

What do you think about the LogoFAIL vulnerability? Do you think we will see huge breaches in the future sourcing from this vulnerability because companies didn't patch their BIOS? Let us know in the comments. 

Colton Stradling
Contributor

Colton is a seasoned cybersecurity professional that wants to share his love of technology with the Windows Central audience. When he isn’t assisting in defending companies from the newest zero-days or sharing his thoughts through his articles, he loves to spend time with his family and play video games on PC and Xbox. Colton focuses on buying guides, PCs, and devices and is always happy to have a conversation about emerging tech and gaming news.