Phoenix UEFI flaw puts long list of Intel chips in hot seat

A new vulnerability in UEFI firmware is threatening the security of a wide range of Intel chip families in a similar fashion to BlackLotus and others like it.

Security shop Eclypsium just published its account of CVE-2024-0762 (CVSSv3: 7.5) after disclosing it to Phoenix Technologies, whose UEFI firmware is affected. Phoenix Technologies provides UEFI/BIOS device firmware for Windows laptops, tablets, desktops and servers.

The researchers originally found the buffer overflow bug in Lenovo's ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen devices and soon discovered the same flaw affected multiple Intel chip families going back to Kaby Lake in 2017.

Select chips in the following lines are potentially affected:

• Alder Lake
• Coffee Lake
• Comet Lake
• Ice Lake
• Jasper Lake
• Kaby Lake
• Meteor Lake
• Raptor Lake
• Rocket Lake
• Tiger Lake

"Given that these Intel Core processors are used by a wide range of OEMs and ODMs, the same vulnerability could potentially affect a wide range of vendors and potentially hundreds of PC products that also use the Phoenix SecureCore UEFI firmware," Eclypsium says in its post.

The vulnerability is located in the Trusted Platform Module (TPM) configuration and centers around an unsafe variable (TCG2_CONFIGURATION), the abuse of which could lead to a buffer overflow, privilege escalation, and code execution.

The variable is configured differently on every platform. That configuration and the permissions assigned to it dictate the possibility and degree to which the vulnerability can be exploited.

Given that CVE-2024-0762 is located in the code that handles the configuration of the TPM, simply having a TPM in a device, which is designed to increase its security and prevent untrustworthy boot processes from executing, won't be enough to prevent successful exploits.

Lenovo has already issued patches for the vulnerability and a glance at its advisory shows a wide range of notebooks and ThinkPads were affected. Lenovo owners, take a look and patch up if needed.

• UEFI flaws allow bootkits to pwn potentially hundreds of devices using images
• Millions of Gigabyte PC motherboards backdoored? What's the actual score?
• It's official: BlackLotus malware can bypass Secure Boot on Windows machines
• Lenovo issues firmware updates after UEFI vulnerabilities disclosed

Disclosing the vulnerability last month, Phoenix Technologies said mitigations were made available as early as April.

"Phoenix Technologies strongly recommends customers to update their firmware to the latest version and contact their hardware vendor as soon as possible to prevent any potential exploitation of this flaw," it said.

The Reg asked Intel for a statement but it didn't immediately respond.

Akin to big threats of the past

UEFI exploits always tend to raise the industry's eyebrows as they often allow silent backdoors into the lowest, most privileged levels of a system and exploits are notoriously difficult to detect.

Backdoors of yesteryear such as BlackLotus, CosmicStrand, and MosaicRegressor are previous examples of UEFI flaws that made security pros sweat. This flaw, which Eclypsium dubbed "UEFICanHazBufferOverflow" (awful and won't be repeated by us again), is being hyped as a finding of similar significance.

Eclypsium made the wise decision to not release proof of concept code, but explained that budding black hats might be able to achieve a successful exploit if they fudged the calls to the GetVariable UEFI service in the right way.

It said: "There are two calls to GetVariable with the 'TCG2_CONFIGURATION' argument and the same DataSize, without adequate checks in between.

"If an attacker can modify the value of the 'TCG2_CONFIGURATION' UEFI variable at system run time, they can set it to a value long enough so that the first call to GetVariable returns EFI_BUFFER_TOO_SMALL, and the data_size is set to the length of the UEFI variable. The second call would succeed and overflow the buffer, leading to a stack buffer overflow." ®