A vulnerability (CVE-2024-0762) in Phoenix SecureCore UEFI running on multiple Intel processors has been identified by Eclypsium researchers. This vulnerability could allow for local exploitation to escalate privileges and execute arbitrary code within the firmware during runtime. The researchers pointed out that this type of low-level exploitation is typical of firmware backdoors found in the wild, providing attackers with continuous persistence within a device.
The vulnerability is related to an insecure call to the GetVariable UEFI service, which could result in an exploitable stack buffer overflow condition. The researchers highlighted that the vulnerability lies in the handling of the UEFI code setting, stating that even if a device has a security chip like a TPM, it can still be vulnerable if the underlying code is defective.
The vulnerability was initially discovered in two Lenovo ThinkPad laptops, but it has been confirmed by Phoenix Technologies to affect several versions of its SecureCore firmware. These firmware versions run on various families of Intel processors, including Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake. Users are urged to check their vendor websites for the latest firmware updates, as Phoenix implemented mitigations to its UEFI earlier this year.
At present, there have been no reports of exploitation in the wild. The researchers noted that the possibility of exploitation depends on the configuration and permissions assigned to the TCG2_CONFIGURATION variable, which can vary for each platform.
In conclusion, the CVE-2024-0762 vulnerability in Phoenix SecureCore UEFI poses a significant risk to devices running on Intel processors. Users should ensure they apply any necessary BIOS updates provided by their device manufacturers to mitigate this vulnerability. Additionally, staying informed about security updates and best practices is crucial to protect against potential exploits targeting firmware vulnerabilities.
Article Source
https://www.helpnetsecurity.com/2024/06/21/cve-2024-0762/