Cybersecurity researchers have disclosed details of a recently patched security flaw in Phoenix SecureCore UEFI firmware that affects a range of Intel Core desktop and mobile processors.
Tracked as CVE-2024-0762 (CVSS score: 7.5), the “UEFIcanhazbufferoverflow” vulnerability is a buffer overflow that stems from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration and could lead to the execution of malicious code.
“This vulnerability empowers a local adversary to escalate privileges and execute code within the UEFI firmware during runtime,” supply chain security company Eclypsium said in a report shared with The Hacker News.
“This category of low-level exploitation is emblematic of firmware backdoors (e.g., BlackLotus) increasingly detected in the wild. Such implants afford attackers sustained persistence within a device and frequently, the capability to circumvent higher-level security protocols operating within the OS and software layers.”
Following responsible disclosure, Phoenix Technologies fixed the vulnerability in April 2024. PC manufacturer Lenovo has also released updates that address the flaw as of last month.
“This vulnerability influences devices employing Phoenix SecureCore firmware on specific Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake,” stated the firmware developer.
UEFI, the successor to BIOS, is the motherboard firmware used during startup to initialize hardware components and load the operating system through the boot manager.
Because UEFI is the first code to run, and runs with the highest privileges, it is an attractive target for threat actors looking to deploy bootkits and firmware implants that can subvert security mechanisms and maintain persistence without being detected.
It also means that vulnerabilities discovered in UEFI firmware pose a severe supply chain risk, as they can affect many products and vendors at once.
“UEFI firmware embodies some of the most high-value code on contemporary devices, and any compromise of that code can confer full control and persistence to attackers,” Eclypsium said.
The development comes nearly a month after the company disclosed a similar unpatched buffer overflow flaw in HP’s UEFI implementation that affects the HP ProBook 11 EE G1, a device that reached end-of-life (EoL) status as of September 2020.
It also follows the disclosure of a software attack called TPM GPIO Reset, which attackers could exploit to access secrets stored on disk by other operating systems or to undermine controls protected by the TPM, such as disk encryption or boot protections.