Eclypsium’s automated binary analysis system, Automata, has uncovered a significant vulnerability in the Phoenix SecureCore UEFI firmware used on various Intel Core processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. This vulnerability, identified as CVE-2024-0762 with a CVSS score of 7.5, involves an unsafe variable in the Trusted Platform Module (TPM) configuration that could potentially lead to a buffer overflow and the execution of malicious code. This issue impacts a wide range of PC products from different vendors that use the Phoenix SecureCore UEFI firmware.
The vulnerability allows a local attacker to gain escalated privileges and execute code within the UEFI firmware, bypassing higher-level security measures. The exploitation of such low-level vulnerabilities can provide attackers with ongoing persistence on a compromised device and make it challenging to detect unauthorized activities.
Lenovo, the original manufacturer where the vulnerability was discovered, has initiated the release of BIOS updates to address this issue. Eclypsium customers can leverage their platform to scan for vulnerable assets in their environment and should consult their device manufacturers for applicable updates.
UEFI firmware, which replaces the traditional BIOS, plays a crucial role in device booting and runtime management below the operating system. It has become a prime target for attackers aiming to inject firmware implants like black lotus, CosmicStrand, and MosaicRegressor, which can evade security controls and maintain persistence on compromised devices.
The vulnerability in question relates to an insecure call to the GetVariable UEFI service, leading to a stack buffer overflow when improperly handled. Phoenix Technologies has assigned CVE-2024-0762 to this vulnerability and released a fix on May 14, 2024, with a reported CVSS score of 7.5.
To mitigate the impact of this vulnerability, organizations are advised to scan their devices for potential exposure and apply the latest firmware updates provided by their respective vendors. Given the broad scope and potential impact of supply chain incidents like this, it is essential for companies to have the ability to independently evaluate and secure their IT infrastructure using tools like Eclypsium.
In conclusion, this vulnerability underscores the critical importance of securing UEFI firmware in modern devices and highlights the need for proactive measures to identify and address vulnerabilities in the supply chain. Eclypsium’s Automata offers a solution for continuous and comprehensive evaluation of IT assets to ensure the integrity and security of the infrastructure. Organizations can reach out to Eclypsium for a free analysis of their infrastructure to determine if they are affected by this or similar vulnerabilities.
Article Source
https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/
