A new vulnerability in UEFI firmware is threatening the security of a wide range of Intel chip families similarly to BlackLotus and others like it.
Security shop Eclypsium just published its account of CVE-2024-0762 (CVSSv3: 7.5) after disclosing it to Phoenix Technologies, whose UEFI firmware is affected. Phoenix Technologies provides UEFI/BIOS device firmware for laptops, tablets, desktops, and Windows servers.
Researchers first found the buffer overflow flaw in Lenovo’s ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen devices, and soon discovered that the same flaw affected many Intel chip families going back to Kaby Lake in 2017.
The selected chips in the following rows are potentially affected:
- Alder Lake
- Coffee Lake
- Comet Lake
- Ice Lake
- Jasper Lake
- Lake Kaby
- Meteor Lake
- Raptor Lake
- Rocket Lake
- Tiger Lake
“Given that these Intel Core processors are used by a wide range of OEMs and ODMs, the same vulnerability could potentially affect a wide range of vendors and potentially hundreds of PC products that also use Phoenix SecureCore UEFI firmware,” Eclypsium says in the post his. .
The vulnerability resides in the configuration of the Trusted Platform Module (TPM) and centers around an insecure variable (TCG2_CONFIGURATION), abuse of which could lead to a buffer overflow, privilege escalation, and code execution.
The variable is configured differently on each platform. This configuration and the permissions assigned to it dictate the possibility and extent to which the vulnerability can be exploited.
Given that CVE-2024-0762 resides in code that handles TPM configuration, simply having a TPM on a device, which is designed to increase its security and prevent untrusted boot processes from running, does not will be sufficient to prevent successful exploits.
Lenovo has already released patches for the vulnerability and a look at its advisory shows that a wide range of laptops and ThinkPads are affected. Lenovo owners, take a look and fix if necessary.
Disclosing the vulnerability last month, Phoenix Technologies said mitigation measures had been made available as early as April.
“Phoenix Technologies strongly recommends customers update their firmware to the latest version and contact their hardware vendor as soon as possible to prevent any potential exploitation of this flaw,” he said.
Reg reached out to Intel for a statement, but it did not immediately respond.
Similar to the great threats of the past
UEFI exploits always tend to raise industry eyebrows as they often allow silent backdoors into the lowest, most privileged levels of a system and exploits are extremely difficult to detect.
Past backdoors like BlackLotus, CosmicStrand, and MosaicRegressor are previous examples of UEFI flaws that made security professionals sweat. This flaw, which Eclypsium called “UEFICanHazBufferOverflow” (terrible and will not be repeated by us), is being touted as a finding of similar importance.
Eclypsium made the wise decision not to release proof of concept code, but explained that the new black hats may be able to achieve a successful exploit if they avoid calls to the GetVariable UEFI service in the right way.
It said: “There are two calls to GetVariable with the argument ‘TCG2_CONFIGURATION’ and the same data size, without adequate checks in between.
“If an attacker can modify the value of the UEFI variable ‘TCG2_CONFIGURATION’ at system runtime, they can set it to a long enough value so that the first call to GetVariable returns EFI_BUFFER_TOO_SMALL and the data size is set at UEFI length The second call would succeed and overflow the buffer, leading to a buffer overflow ®