Logofail

All articles tagged with #logofail

Bootkitty: First UEFI Bootkit Malware Targets Linux Systems

Originally Published 1 year ago — by Ars Technica

A new exploit, dubbed LogoFAIL, allows attackers to bypass Secure Boot protections on certain Linux machines by injecting malicious code into a bitmap image during the boot process. This code installs a cryptographic key that tricks the UEFI into treating a backdoored GRUB and Linux kernel as trusted, effectively creating a bootkit. The exploit targets devices with Insyde UEFI firmware, affecting models from Acer, HP, Fujitsu, and Lenovo. Insyde has released a patch, but unpatched devices remain vulnerable.

Widespread Vulnerability: LogoFAIL Exploit Threatens Windows and Linux Devices

Originally Published 2 years ago — by Slashdot

Researchers have discovered a series of vulnerabilities, known as LogoFAIL, in the Unified Extensible Firmware Interfaces (UEFIs) of Windows and Linux devices. These vulnerabilities allow for the undetectable installation of malicious code during the boot process by replacing legitimate logo images with specially crafted ones. The vulnerabilities affect UEFI suppliers, device manufacturers, and CPU makers. Once arbitrary code execution is achieved, attackers have full control over the device's memory and disk, including the operating system. The best defense against LogoFAIL attacks is to install UEFI security updates and configure multiple layers of defenses, such as Secure Boot and Intel Boot Guard.

LogoFAIL: New Firmware Attack Exploits UEFI Vulnerabilities on Windows and Linux Devices

Originally Published 2 years ago — by Ars Technica

A new firmware attack called LogoFAIL has been discovered, affecting hundreds of Windows and Linux computer models from various hardware makers. The attack exploits vulnerabilities in Unified Extensible Firmware Interfaces (UEFIs) responsible for booting devices, allowing for the execution of malicious firmware early in the boot-up sequence. LogoFAIL can be remotely executed and bypasses traditional endpoint security products, including Secure Boot. The vulnerabilities have been disclosed by multiple companies, and security patches are being released. The attack gives threat actors control over the memory and disk of the target device, compromising platform security.