Cybersecurity experts have disclosed details about a recently patched security vulnerability in Phoenix SecureCore UEFI software, affecting various Intel Core desktop and mobile processors.
The vulnerability, dubbed “UEFIcanhazbufferoverflow” and tracked as CVE-2024-0762 (CVSS score: 7.5), is a buffer overflow resulting from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration. The flaw could allow the execution of malicious code.
“The vulnerability enables a local attacker to escalate privileges and execute code within the UEFI firmware during runtime,” warned supply chain security firm Eclypsium in a report shared with The Hacker News.
“This type of low-level exploitation is common in firmware backdoors (e.g., BlackLotus), which are increasingly being found in the wild. Such implants grant attackers persistent access to a device and the ability to evade higher-level security mechanisms in the operating system and software layers.”
After responsible disclosure, Phoenix Technologies fixed the issue in April 2024, and Lenovo released patches for the vulnerability last month.
“This vulnerability impacts devices using Phoenix SecureCore firmware on certain Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake,” stated Phoenix Technologies.
UEFI, which succeeded BIOS, is the motherboard firmware used during startup to initialize hardware components and load the operating system through the boot manager.
Because UEFI is the first code to be executed with the highest privileges, it has become an attractive target for threat actors seeking to introduce bootkits and firmware implants that can circumvent security safeguards and persist without detection.
This also means that vulnerabilities discovered in UEFI firmware can constitute a significant supply chain risk because they can affect multiple devices and manufacturers at once.
“UEFI firmware is some of the most high-value code on modern devices, and any compromise of that code can give attackers full control and persistence on the device,” according to Eclypsium.
The finding comes nearly a month after the company uncovered a similar unpatched buffer overflow weakness in HP’s UEFI implementation that affects the HP ProBook 11 EE G1, a device that reached end-of-life (EoL) in September 2020.
It also follows the publication of a software attack known as TPM GPIO Reset, which could be used by attackers to get access to secrets held on disk by other operating systems or to undermine TPM-protected safeguards such as disk encryption or boot protection.