Tag

UEFI

All articles tagged with #uefi

security · 25 days ago

Major Motherboard Flaw Exposes Early-Boot Security Risks and Cheating Vulnerabilities

A UEFI firmware vulnerability affecting motherboards from ASRock, ASUS, GIGABYTE, and MSI allows early-boot DMA attacks because the firmware fails to enable IOMMU (DMA) protection before handing control to the operating system. An attacker with a DMA-capable peripheral could read or modify system memory before the OS loads, so applying the vendors' firmware updates is the primary mitigation.

technology · 7 months ago

Urgent: Secure Boot Vulnerability Allows Bootkit Malware Installation

Security researchers have uncovered a critical flaw (CVE-2025-3052) affecting nearly every system that trusts Microsoft's UEFI CA 2011 certificate; an attacker who already holds administrative rights can use it to disable Secure Boot and install bootkit malware. Microsoft has addressed the issue by revoking the affected modules and releasing security updates, and users are urged to patch promptly to prevent exploitation.

cybersecurity · 1 year ago

Bootkitty: First UEFI Bootkit Malware Targets Linux Systems

A newly reported exploit abuses LogoFAIL, the firmware image-parser flaws disclosed in late 2023, to bypass Secure Boot on certain Linux machines: malicious code is embedded in the bitmap logo that the firmware parses during boot. Once running, that code plants a rogue cryptographic key so that a backdoored GRUB and Linux kernel are treated as trusted, completing a bootkit installation. The exploit targets devices with Insyde UEFI firmware, affecting models from Acer, HP, Fujitsu, and Lenovo. Insyde has released a patch, but unpatched devices remain vulnerable.

cybersecurity · 1 year ago

Bootkitty: First UEFI Bootkit Threatens Linux Systems

Security researchers at ESET have discovered Bootkitty, the first known UEFI bootkit targeting Linux systems, uploaded to VirusTotal. While currently limited to Ubuntu and lacking full functionality, Bootkitty represents a potential shift in UEFI threats, previously exclusive to Windows. This development underscores the need for vigilance against future Linux-targeted bootkits, which can persist undetected by infecting firmware before the operating system loads.

cybersecurity · 1 year ago

Bootkitty: Unveiling the First UEFI Bootkit Threat to Linux Systems

Researchers have discovered "Bootkitty," the first UEFI bootkit targeting Linux systems; its code names a group called BlackCat, although no link to the ALPHV/BlackCat ransomware group has been found. Although currently a proof of concept with no real-world attacks reported, Bootkitty disables kernel signature verification and preloads unknown ELF binaries during system startup. It bypasses UEFI Secure Boot by hooking the firmware's authentication protocol functions and patching GRUB's verification routines, and it ships with a kernel module that has rootkit capabilities. The development highlights an expanding threat landscape beyond Windows systems.

cybersecurity · 1 year ago

Bootkitty: Unveiling the First UEFI Bootkit Threat to Linux

ESET researchers have discovered Bootkitty, the first UEFI bootkit targeting Linux systems, specifically some Ubuntu versions. This bootkit, likely a proof of concept, aims to disable kernel signature verification and preload unknown ELF binaries during the Linux init process. Bootkitty is signed with a self-signed certificate, making it ineffective on systems with UEFI Secure Boot unless the attacker's certificates are installed. The discovery highlights the expanding threat landscape of UEFI bootkits beyond Windows systems. Researchers emphasize the importance of keeping UEFI Secure Boot enabled and systems updated to mitigate such threats.

technology · 1 year ago

Major UEFI Vulnerability Hits Hundreds of Intel-Powered PCs

A vulnerability in Phoenix SecureCore UEFI firmware, shipped on devices built around several generations of Intel processors, has been disclosed by Eclypsium. Dubbed 'UEFIcanhazbufferoverflow' (CVE-2024-0762), it is a buffer overflow in the firmware's handling of the TPM configuration UEFI variable (TCG2_CONFIGURATION) that could allow code execution during boot, before the operating system's protections exist. Lenovo has begun releasing firmware updates; the affected code is present in hundreds of models from manufacturers including Lenovo, Dell, Acer, and HP.

technology · 1 year ago

Unlocking Resizable BAR Support for Nvidia Turing GPUs: A Risky Free Mod

An unofficial UEFI driver, NVStrapsReBar, enables Resizable BAR support on older NVIDIA GeForce RTX 20 and GTX 16 "Turing" GPUs, letting the CPU address the GPU's entire memory space over the PCIe interconnect for potential performance gains. Enabling it requires flashing a modified UEFI image onto the motherboard, which is what makes the mod risky, and the performance benefit varies from game to game.

technology · 1 year ago

Urgent Fix Needed: Critical Bootloader Vulnerability Threatens Linux Distros

A critical vulnerability in shim, the first-stage UEFI bootloader used by most Linux distributions, CVE-2023-40547, allows an attacker to execute code and take control of a system before the kernel loads, bypassing Secure Boot. The flaw, discovered by Microsoft security researcher Bill Demirkapi, lies in shim's handling of HTTP boot responses, where values controlled by the HTTP server are trusted when sizing a buffer, leading to an out-of-bounds write. Distributions using shim, including Red Hat, Debian, Ubuntu, and SUSE, have released advisories and patches. Users should update to shim 15.8, which fixes CVE-2023-40547; full remediation also requires adding the vulnerable shim binaries' hashes to the UEFI Secure Boot DBX and having the patched shim signed by Microsoft's UEFI CA so that it still boots with Secure Boot enabled.
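The bug class in that summary, a receive buffer sized from a length the remote server declares while the body is copied at its real length, is easy to recreate. The C program below is an added illustration, not shim's code and not a reconstruction of the CVE-2023-40547 code path: the two HTTP responses are constructed, and the arena, the function names (recv_body_vulnerable, recv_body_hardened, copied_bytes, guard_damage_after) and the MAX_BODY cap are invented for the demo. The arena stands in for the firmware heap so the overflow can be observed without undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 64      /* demo heap: tiny so the overflow is easy to see */
#define GUARD_BYTE 0xA5    /* fill pattern for the "neighbouring allocation" */
#define MAX_BODY   32      /* demo policy cap on one response body */

/* Arena standing in for the firmware heap. The receive buffer is carved from
 * the front; the guard bytes after it play the role of the neighbouring
 * allocation that a heap overflow would corrupt. Keeping the overflow inside
 * this one object lets the demo observe the damage without undefined behaviour. */
struct arena { uint8_t mem[ARENA_SIZE]; size_t used; };

static void arena_init(struct arena *a) { memset(a->mem, GUARD_BYTE, ARENA_SIZE); a->used = 0; }

/* Bump allocator; NULL when the request does not fit. */
static uint8_t *arena_alloc(struct arena *a, size_t n) {
    if (n > ARENA_SIZE - a->used) return NULL;
    uint8_t *p = a->mem + a->used;
    a->used += n;
    return p;
}

/* Count guard bytes past the last allocation that no longer hold the pattern. */
static size_t arena_guard_damage(const struct arena *a) {
    size_t damaged = 0;
    for (size_t i = a->used; i < ARENA_SIZE; i++)
        if (a->mem[i] != GUARD_BYTE) damaged++;
    return damaged;
}

/* Body starts after the blank line; NULL if the response has none. */
static const char *find_body(const char *resp) {
    const char *p = strstr(resp, "\r\n\r\n");
    return p ? p + 4 : NULL;
}

/* Parse "Content-Length:" from the header block before body; -1 if missing or
 * malformed. Case-sensitive match, enough for the demo. */
static long parse_content_length(const char *resp, const char *body) {
    static const char key[] = "Content-Length:";
    const char *p = strstr(resp, key);
    if (!p || p >= body) return -1;
    p += sizeof key - 1;
    while (*p == ' ') p++;
    char *end;
    long v = strtol(p, &end, 10);
    return (end == p || v < 0) ? -1 : v;
}

/* Vulnerable pattern: buffer sized from the header, body copied at its actual
 * length. Returns bytes copied, or -1 on malformed input / arena exhaustion. */
static long recv_body_vulnerable(struct arena *a, const char *resp) {
    const char *body = find_body(resp);
    if (!body) return -1;
    long declared = parse_content_length(resp, body);
    if (declared < 0) return -1;
    size_t body_len = strlen(body);
    uint8_t *buf = arena_alloc(a, (size_t)declared);
    if (!buf) return -1;
    memcpy(buf, body, body_len);   /* BUG: body_len is never checked against declared */
    return (long)body_len;
}

/* Hardened pattern: cap the declared size and treat a body whose length does
 * not match the declaration as a protocol error rather than trusting either. */
static long recv_body_hardened(struct arena *a, const char *resp) {
    const char *body = find_body(resp);
    if (!body) return -1;
    long declared = parse_content_length(resp, body);
    if (declared < 0 || declared > MAX_BODY) return -1;
    size_t body_len = strlen(body);
    if (body_len != (size_t)declared) return -1;          /* reject, do not "fix up" */
    uint8_t *buf = arena_alloc(a, body_len);
    if (!buf) return -1;
    memcpy(buf, body, body_len);
    return (long)body_len;
}

/* Constructed responses, not captured traffic: the second declares 8 bytes
 * but carries 24. */
static const char GOOD_RESPONSE[] = "HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nAAAAAAAA";
static const char EVIL_RESPONSE[] = "HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nAAAAAAAABBBBBBBBCCCCCCCC";

/* Run one receive routine on a fresh arena and report the result or the damage. */
static long copied_bytes(long (*recv)(struct arena *, const char *), const char *resp) {
    struct arena a; arena_init(&a); return recv(&a, resp);
}
static size_t guard_damage_after(long (*recv)(struct arena *, const char *), const char *resp) {
    struct arena a; arena_init(&a); (void)recv(&a, resp); return arena_guard_damage(&a);
}

int main(void) {
    printf("vulnerable: copied %ld bytes into an 8-byte buffer, %zu guard bytes clobbered\n",
           copied_bytes(recv_body_vulnerable, EVIL_RESPONSE),
           guard_damage_after(recv_body_vulnerable, EVIL_RESPONSE));
    printf("hardened:   verdict %ld, %zu guard bytes clobbered\n",
           copied_bytes(recv_body_hardened, EVIL_RESPONSE),
           guard_damage_after(recv_body_hardened, EVIL_RESPONSE));
    return 0;
}
```

The vulnerable routine reports 24 bytes copied and 16 clobbered guard bytes, which is exactly the neighbouring-allocation corruption a real heap would suffer; the hardened routine rejects the same response before allocating anything. Note that the fix is to refuse inconsistent lengths rather than to truncate the copy, since a silently truncated boot image is its own failure mode.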

firmware-security-vulnerability · 2 years ago

UEFI Vulnerabilities Pose Widespread Threat to Computer Security

Multiple security vulnerabilities dubbed PixieFail have been disclosed in the TCP/IP network protocol stack of the open-source reference implementation of the UEFI specification, impacting UEFI firmware from major vendors. These flaws could lead to remote code execution, denial-of-service attacks, DNS cache poisoning, and data leakage. The vulnerabilities, identified by Quarkslab, are present in the TianoCore EFI Development Kit II (EDK II) and could be exploited by attackers within the local network or remotely, depending on the firmware build and default PXE boot configuration.

cybersecurity · 2 years ago

Critical UEFI Vulnerabilities Shake Firmware Development Ecosystem

UEFI firmware from five leading suppliers has been found to contain vulnerabilities collectively dubbed PixieFail, allowing attackers with network access to infect devices with malware at the firmware level. The flaws reside in the IPv6 code of the TianoCore EDK II reference implementation and can be exploited through the PXE network-boot mechanism widely used in data centers. Attackers could plant UEFI-level backdoors in servers without physical access, a significant threat to data center and cloud environments.

cybersecurity · 2 years ago

Widespread Vulnerability: LogoFAIL Exploit Threatens Windows and Linux Devices

Researchers have discovered a set of vulnerabilities, known as LogoFAIL, in the UEFI firmware of Windows and Linux devices. They allow malicious code to be installed undetectably during the boot process by replacing the legitimate boot logo with a specially crafted image that the firmware's image parsers mishandle. The affected code spans independent BIOS vendors, device manufacturers, and CPU makers. Once arbitrary code execution is achieved in the firmware, the attacker controls the device's memory and disk, including the operating system. The best defense is to install UEFI security updates and to configure layered protections such as Secure Boot and Intel Boot Guard.

technology-firmware-security · 2 years ago

UEFI Vulnerabilities Enable Stealth Malware Attacks and Secure Boot Bypass on Millions of PCs

Multiple vulnerabilities in the Unified Extensible Firmware Interface (UEFI) code, collectively known as LogoFAIL, have been discovered, allowing threat actors to deliver malicious payloads and bypass security technologies. By injecting a malicious logo image file into the EFI system partition, attackers can bypass security solutions and deliver persistent malware during the boot phase. The vulnerabilities affect both x86 and ARM-based devices and major independent firmware/BIOS vendors (IBVs) like AMI, Insyde, and Phoenix, impacting a wide range of consumer and enterprise-grade devices. These flaws highlight the need for improved code quality and product security maturity in IBVs reference code.
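Both LogoFAIL summaries above turn on the same point: the firmware's image parsers trust dimensions and sizes read from a file that an attacker with access to the EFI system partition can replace. The C program below is an added illustration of that class for a BMP header, not any vendor's parser and not a specific LogoFAIL bug: the header bytes are constructed, and the function names and caps (bmp_alloc_size_vulnerable, bmp_alloc_size_hardened, MAX_LOGO_DIM, MAX_LOGO_BYTES) are invented for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BMP_HEADER_LEN  54           /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define MAX_LOGO_DIM    16384        /* demo policy: widest/tallest logo accepted */
#define MAX_LOGO_BYTES  (16u << 20)  /* demo policy: largest decoded logo accepted */

/* BMP fields are little-endian on disk regardless of host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

struct bmp_info { int32_t width, height; uint16_t bpp; uint32_t pixel_offset; };

/* Parse the fixed headers. Returns 0 on success, -1 if truncated or not "BM". */
static int bmp_parse_header(const uint8_t *file, size_t file_len, struct bmp_info *out) {
    if (file_len < BMP_HEADER_LEN || file[0] != 'B' || file[1] != 'M') return -1;
    out->pixel_offset = rd32(file + 10);
    out->width  = (int32_t)rd32(file + 18);
    out->height = (int32_t)rd32(file + 22);
    out->bpp    = rd16(file + 28);
    return 0;
}

/* Vulnerable sizing: 32-bit arithmetic on attacker-controlled dimensions wraps,
 * so the buffer handed to the pixel decoder is far smaller than what the
 * decoder will write. Returns the (possibly wrapped) byte count. */
static uint32_t bmp_alloc_size_vulnerable(const struct bmp_info *b) {
    uint32_t stride = ((uint32_t)b->width * b->bpp + 31) / 32 * 4;   /* rows pad to 4 bytes */
    return stride * (uint32_t)b->height;
}

/* Hardened sizing: bound the dimensions before multiplying, do the math in
 * 64 bits, cap the result, and require the pixel data to lie inside the file.
 * Returns 0 and the size, or -1 to reject the image. */
static int bmp_alloc_size_hardened(const struct bmp_info *b, size_t file_len, size_t *out_size) {
    if (b->width <= 0 || b->height <= 0) return -1;   /* also rejects top-down (negative height) BMPs */
    if (b->width > MAX_LOGO_DIM || b->height > MAX_LOGO_DIM) return -1;
    if (b->bpp != 24 && b->bpp != 32) return -1;
    uint64_t stride = ((uint64_t)b->width * b->bpp + 31) / 32 * 4;
    uint64_t size = stride * (uint64_t)b->height;
    if (size > MAX_LOGO_BYTES) return -1;
    if (b->pixel_offset < BMP_HEADER_LEN || b->pixel_offset > file_len) return -1;
    if (size > file_len - b->pixel_offset) return -1;  /* pixel data would run past the file */
    *out_size = (size_t)size;
    return 0;
}

/* Build a minimal BMP header (constructed test input, not a real logo file). */
static void make_bmp(uint8_t *buf, size_t buf_len, int32_t w, int32_t h, uint16_t bpp) {
    memset(buf, 0, buf_len);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)buf_len);   /* bfSize */
    wr32(buf + 10, BMP_HEADER_LEN);     /* bfOffBits: pixels start right after the headers */
    wr32(buf + 14, 40);                 /* biSize */
    wr32(buf + 18, (uint32_t)w);
    wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1);                  /* biPlanes */
    wr16(buf + 28, bpp);
}

/* Malicious header: width 0x20000001 at 32 bpp makes width*bpp wrap to 32 in
 * 32-bit math, so the vulnerable path allocates only 4 bytes per row. */
static uint32_t malicious_vulnerable_size(void) {
    uint8_t f[BMP_HEADER_LEN]; struct bmp_info b;
    make_bmp(f, sizeof f, 0x20000001, 4, 32);
    return bmp_parse_header(f, sizeof f, &b) == 0 ? bmp_alloc_size_vulnerable(&b) : UINT32_MAX;
}

/* Same header through the hardened path: -1 means rejected. */
static long malicious_hardened_size(void) {
    uint8_t f[BMP_HEADER_LEN]; struct bmp_info b; size_t s;
    make_bmp(f, sizeof f, 0x20000001, 4, 32);
    if (bmp_parse_header(f, sizeof f, &b) < 0) return -1;
    return bmp_alloc_size_hardened(&b, sizeof f, &s) == 0 ? (long)s : -1;
}

/* Benign 2x2 24 bpp image with its 16 pixel bytes present: accepted. */
static long benign_hardened_size(void) {
    uint8_t f[BMP_HEADER_LEN + 16]; struct bmp_info b; size_t s;
    make_bmp(f, sizeof f, 2, 2, 24);
    if (bmp_parse_header(f, sizeof f, &b) < 0) return -1;
    return bmp_alloc_size_hardened(&b, sizeof f, &s) == 0 ? (long)s : -1;
}

int main(void) {
    printf("malicious header: vulnerable path allocates %u bytes, hardened verdict %ld\n",
           malicious_vulnerable_size(), malicious_hardened_size());
    printf("benign 2x2 header: hardened path allocates %ld bytes\n", benign_hardened_size());
    return 0;
}
```

For the malicious header the vulnerable path computes a 16-byte allocation for an image whose decoder would emit several gigabytes of pixels, while the hardened path rejects it on the dimension cap alone. Bounding width and height before any multiplication is what makes the later 64-bit arithmetic trustworthy; the file-size check then catches headers that are arithmetically sane but point past the end of the data actually present on the ESP.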

cybersecurity · 2 years ago

Urgent: Strengthen UEFI Cybersecurity Now, Warns CISA

The Cybersecurity and Infrastructure Security Agency (CISA) is urging the UEFI community to enhance cybersecurity measures for Unified Extensible Firmware Interface (UEFI), a critical software standard in modern computing. UEFI serves as an interface between hardware and operating systems, but attackers have exploited UEFI implementation flaws to gain persistence and maintain access to compromised systems. The community needs to implement public key infrastructure (PKI) practices for patch distribution and improve secure by design and Product Security Incident Response Team (PSIRT) maturity. System owners should be able to audit and update UEFI components, operational teams should collect and respond to UEFI-related event logs, UEFI component developers should adopt secure development practices, and the UEFI vendor community should ensure uninterrupted and reliable update capabilities.