On December 6th, multiple vendors disclosed a class of vulnerabilities called LogoFAIL. The vulnerabilities execute malicious firmware early in a device’s boot sequence, which makes the attack difficult to detect. LogoFAIL is the collective name for a set of vulnerabilities that were found by the Binarly research team, which looks for vulnerabilities within UEFI Firmware across various vendors. The firmware plays a key role in the boot sequence of a device and is used to boot Windows and Linux devices. In this blog, we’ll discuss what you need to know about LogoFAIL and how you can mitigate the risk.
What does LogoFAIL do?
These vulnerabilities specifically target image parsers within a device’s firmware, which are used to make logos appear during the boot process of the device. Some vendors allow users to modify the logo that is used during the boot process. This customization feature creates a new threat vector for attackers.
LogoFAIL allows attackers to install a bootkit, which is a stealthy type of malware which runs before the operating system is loaded. This would allow attackers to bypass many endpoint security solutions. It also allows the malicious code to persist even after the device is reimaged. This makes the time and resources required to recover a compromised device significantly higher.
Due to the severe nature of the vulnerabilities allowing an attacker in at the firmware level, they’re considered critical. At the time of this writing, there are no known exploitations of these vulnerabilities happening in the wild.
It is relatively easy to exploit LogoFAIL once an attacker is on the machine, so it’s still concerning. These vulnerabilities can make Secure Boot ineffective.
Currently there are three vendors that have LogoFAIL exploitable devices:
Other vendors are susceptible to the LogoFAIL attack, but currently have mitigations in place that would prevent the exploitation of LogoFAIL:
These devices are not at immediate risk because of additional restrictions that make it so LogoFAIL is not directly exploitable. However, they still contain vulnerable image parsers that could pose a security risk in the future if not properly patched.
How can I protect against LogoFAIL?
Vendors have begun releasing patches for their firmware to address LogoFAIL. These firmware updates can be installed with the vendors’ update tools. Your IT partner can also help you address patching vulnerable machines.
ADNET will continue to monitor for new firmware patches to address LogoFAIL as they are released. We recommend all users deploy firmware patches using the official vendor tools that allow you to automatically update the device’s firmware. These easy-to-use tools are typically preinstalled on your device.
One of the best ways to mitigate risk from LogoFAIL and other vulnerabilities is to continue to foster a culture of security awareness at your organization. Tools like MFA and strong password policies along with regular Security Awareness Training can help prevent attackers from gaining access to devices, regardless of the latest threats. Need help with this vulnerability, or have questions? Reach out to us – we’re here to help.