
CERT Coordination Center

Image files in UEFI can be abused to modify boot behavior

Vulnerability Note VU#811862

Original Release Date: 2023-12-06 | Last Revised: 2024-03-04

Overview

Vendor implementations of the Unified Extensible Firmware Interface (UEFI) provide a way to customize the logo image displayed during the early boot phase. Binarly has uncovered vulnerabilities in the image parsing libraries that provide this capability. An attacker with local privileged access can exploit these vulnerabilities to modify UEFI settings.

Description

UEFI firmware provides an extensible interface between an operating system and the hardware platform. UEFI software stores a number of settings and files in a dedicated partition known as the EFI system partition (ESP). The ESP is a special file system, independent of the OS, that acts as the storage location for the UEFI boot loaders, applications, hardware drivers and customizable settings that the UEFI firmware launches or reads. The ESP is mandatory for UEFI boot and is protected from unprivileged access. The information stored in the ESP is probed and processed by the firmware during the early phases of booting a UEFI-based OS, before the OS itself is running. One such item stored in the ESP is a personalizable boot logo.

Binarly has discovered a number of vulnerabilities in the image parsing libraries that read and process these image files. Because these files are processed by firmware executables that run at a high privilege level, it is possible to exploit these vulnerabilities to access and modify high-privileged UEFI settings of a device. The UEFI supply chain allows these shared libraries to be integrated in various ways: compiled from source, licensed for modification and reuse, or shipped as a dynamically or statically linked executable. Binarly has also observed that in some cases an attacker can create a bundled firmware update that contains a corrupt or malicious image to trigger these vulnerabilities; this can also allow an attacker to exploit a vulnerability while a firmware update is being flashed to the platform. Due to the complex nature of these vulnerabilities and their potentially wide impact, Binarly uses the label LogoFAIL to track and support coordination and mitigation of these vulnerabilities.
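As an added illustration (not code from this vulnerability note, from Binarly, or from any IBV's firmware), the C block below shows the bug class the Description refers to: a boot-logo BMP parser that trusts header-supplied dimensions and offsets, next to a validation routine that bounds every field before it drives an allocation or a copy. The header layout follows the standard BMP format; MAX_DIM, the function names, the error codes and the sample inputs are assumptions constructed for this example. The unchecked size computation is shown only as arithmetic; the example never performs the overflowing copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BMP_HDR_LEN 54      /* BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes) */
#define MAX_DIM     4096    /* assumed policy limit for a splash image; not from the advisory */

typedef struct {
    uint32_t data_off;      /* bfOffBits: offset of the pixel array in the file */
    int32_t  width;         /* biWidth */
    int32_t  height;        /* biHeight: negative means top-down row order */
    uint16_t bpp;           /* biBitCount */
} bmp_hdr;

typedef enum { BMP_OK = 0, BMP_EBADHDR, BMP_EDIM, BMP_EBPP, BMP_EOFFSET, BMP_ETRUNC } bmp_err;

/* Little-endian field access; avoids relying on packed structs or host endianness. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

static int read_hdr(const uint8_t *buf, size_t len, bmp_hdr *h) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return -1;
    h->data_off = rd32(buf + 10);
    h->width    = (int32_t)rd32(buf + 18);
    h->height   = (int32_t)rd32(buf + 22);
    h->bpp      = rd16(buf + 28);
    return 0;
}

/* VULNERABLE pattern: the output buffer size is computed in 32-bit arithmetic straight
 * from attacker-controlled header fields. For 0x10000 x 0x10000 the product wraps to 0,
 * so a decoder built on this allocates a tiny buffer and then writes width*height pixels
 * into it (heap overflow). Only the size arithmetic is reproduced here. */
uint32_t unchecked_out_size(int32_t width, int32_t height) {
    return (uint32_t)width * (uint32_t)height * 4u;
}

/* HARDENED: bound every header field before it is used. Arithmetic is widened to 64 bits
 * and the pixel array must lie entirely inside the file that was actually read. */
bmp_err validate_bmp(const uint8_t *buf, size_t len, uint64_t *out_bytes) {
    bmp_hdr h;
    if (read_hdr(buf, len, &h) != 0) return BMP_EBADHDR;

    int64_t w  = h.width;
    int64_t ht = h.height < 0 ? -(int64_t)h.height : h.height;   /* top-down BMPs use a negative height */
    if (w <= 0 || ht <= 0 || w > MAX_DIM || ht > MAX_DIM) return BMP_EDIM;
    if (h.bpp != 24 && h.bpp != 32) return BMP_EBPP;

    uint64_t stride    = (((uint64_t)w * h.bpp + 31) / 32) * 4;  /* rows are padded to 4 bytes */
    uint64_t src_bytes = stride * (uint64_t)ht;

    if (h.data_off < BMP_HDR_LEN || h.data_off > len) return BMP_EOFFSET;
    if (src_bytes > len - h.data_off) return BMP_ETRUNC;          /* pixel array runs past EOF */

    *out_bytes = (uint64_t)w * (uint64_t)ht * 4;   /* size of a 32bpp framebuffer copy */
    return BMP_OK;
}

/* Constructed test input: a 54-byte header followed by payload_len bytes of pixel data. */
size_t make_bmp(uint8_t *out, size_t cap, int32_t w, int32_t ht, uint16_t bpp,
                uint32_t data_off, size_t payload_len) {
    size_t total = BMP_HDR_LEN + payload_len;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2,  (uint32_t)total);
    wr32(out + 10, data_off);
    wr32(out + 14, 40);                 /* biSize */
    wr32(out + 18, (uint32_t)w);
    wr32(out + 22, (uint32_t)ht);
    wr16(out + 26, 1);                  /* biPlanes */
    wr16(out + 28, bpp);
    return total;
}

/* Build a constructed file and validate it in one call. */
bmp_err validate_constructed(int32_t w, int32_t ht, uint16_t bpp, uint32_t data_off,
                             size_t payload_len, uint64_t *out_bytes) {
    uint8_t buf[256];
    size_t len = make_bmp(buf, sizeof buf, w, ht, bpp, data_off, payload_len);
    return len ? validate_bmp(buf, len, out_bytes) : BMP_EBADHDR;
}

int main(void) {
    uint64_t n = 0;
    printf("benign 2x2/24bpp       -> %d, %llu bytes\n", validate_constructed(2, 2, 24, 54, 16, &n), (unsigned long long)n);
    printf("65536x65536 unchecked  -> %u bytes (wrapped)\n", unchecked_out_size(0x10000, 0x10000));
    printf("65536x65536 validated  -> %d\n", validate_constructed(0x10000, 0x10000, 32, 54, 0, &n));
    printf("offset past EOF        -> %d\n", validate_constructed(2, 2, 32, 1000, 16, &n));
    printf("truncated pixel array  -> %d\n", validate_constructed(2, 2, 32, 54, 4, &n));
    return 0;
}
```

The point of the hardened routine is that the file length passed in is the only trusted quantity: dimensions, bit depth and the pixel-array offset all come from the image and are checked against it and against a fixed policy limit before any size reaches an allocator. The same discipline applies to whichever formats a given firmware's logo parser accepts.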

Note: Major Independent BIOS Vendors (IBVs) have obtained CVE IDs to track this set of vulnerabilities for their supply-chain partners and their customers.

Binarly Advisory      CVE             Primary Vendor
BRLY-2023-018         CVE-2023-39539  AMI
BRLY-2023-006 (1)     CVE-2023-40238  Insyde
BRLY-2023-006 (2)     CVE-2023-5058   Phoenix

Vendor Information


American Megatrends Incorporated (AMI) Affected

Notified:  2023-07-11 Updated: 2023-12-06

Statement Date:   September 20, 2023

CVE-2023-39539 Affected
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

Changed status from "not affected" to "affected" after researcher provided another image that engineering teams were able to successfully reproduce the issue with.

Fujitsu Europe Affected

Notified:  2023-07-11 Updated: 2024-01-31

Statement Date:   January 31, 2024

CVE-2023-39539 Affected
CVE-2023-40238 Affected
CVE-2023-5058 Affected

Vendor Statement

Fujitsu is aware of the vulnerabilities in AMI and Insyde firmware (AMI Aptio V, Insyde InsydeH2O UEFI-BIOS) known as "LogoFAIL".

The affected status of Fujitsu CCD (Client Computing Device) is still under investigation. Several updates for Fujitsu SERVER devices were made available.

The Fujitsu PSIRT (Europe) released FJ-ISS-2023-112100 on https://security.ts.fujitsu.com (Security Notices) accordingly; see https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2023-112100-Security-Notice.pdf

In case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Europe) (Fujitsu-PSIRT@ts.fujitsu.com).

Insyde Software Corporation Affected

Notified:  2023-07-11 Updated: 2023-12-18

Statement Date:   December 16, 2023

CVE-2023-39539 Unknown
Vendor Statement: Insyde products are not affected by this vulnerability.
CVE-2023-40238 Affected
CVE-2023-5058 Unknown
Vendor Statement: Insyde products are not affected by this vulnerability.

Vendor Statement

Certain OEM products whose firmware uses a customized version of Insyde's InsydeH2O are affected by this vulnerability. The issue was discovered by Binarly and was assigned the CVE CVE-2023-40238.


Intel Affected

Notified:  2023-07-11 Updated: 2023-12-06

Statement Date:   November 13, 2023

CVE-2023-39539 Affected
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Phoenix Technologies Affected

Notified:  2023-07-11 Updated: 2023-12-15

Statement Date:   November 29, 2023

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Affected

Vendor Statement

At this time, we believe that our base product is not affected. We have made several attempts to reproduce it in our base product and been unable to.

That said, customers of ours may have added custom features to our product that introduce this vulnerability. We are working with our customers to assist them to develop fixes that will mitigate this vulnerability.

Update: While we have not been able to reproduce this in our base product, we continue to see clients shipping products that are affected. We have found that extensions Phoenix assisted our clients with are affected. We have provided updates to our customers and they are producing firmware updates. (CVE-2023-5058)

ARM Limited Not Affected

Notified:  2023-11-21 Updated: 2023-12-19

Statement Date:   December 19, 2023

CVE-2023-39539 Not Affected
CVE-2023-40238 Not Affected
CVE-2023-5058 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Microsoft Not Affected

Notified:  2023-07-11 Updated: 2023-12-06

Statement Date:   September 20, 2023

CVE-2023-39539 Not Affected
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Toshiba Corporation Not Affected

Notified:  2023-07-11 Updated: 2023-12-06

Statement Date:   July 11, 2023

CVE-2023-39539 Not Affected
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Acer Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cisco Unknown

Notified:  2023-12-04 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Gamma Tech Computer Corp. Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

GETAC Inc. Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Qualcomm Unknown

Notified:  2023-11-21 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

ReactOS Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

Star Labs Online Limited Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.

VAIO Corporation Unknown

Notified:  2023-07-11 Updated: 2023-12-06

CVE-2023-39539 Unknown
CVE-2023-40238 Unknown
CVE-2023-5058 Unknown

Vendor Statement

We have not received a statement from the vendor.



Other Information

CVE IDs: CVE-2023-39539 CVE-2023-40238 CVE-2023-5058
Date Public: 2023-12-06
Date First Published: 2023-12-06
Date Last Updated: 2024-03-04 19:06 UTC
Document Revision: 6

Sponsored by CISA.