Firmware security firm Eclypsium discovered a vulnerability, tracked as CVE-2024-0762 (CVSS of 7.5), in the Phoenix SecureCore UEFI firmware.
The issue, called UEFIcanhazbufferoverflow, potentially impacts hundreds of PC and server models that use Intel Core desktop and mobile processors.
The vulnerability stems from an unsafe variable in the Trusted Platform Module (TPM) configuration. Successful exploitation can lead to a buffer overflow and potential malicious code execution. The issue is rooted in the UEFI code handling TPM configuration, making the presence of a security chip like a TPM irrelevant if the underlying code is compromised.
The experts originally found the vulnerability on the Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen, both using the latest Lenovo BIOS updates.
Phoenix Technologies confirmed the issue and added that the flaw impacts multiple versions of its SecureCore firmware that runs on Intel processor families including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake.
“These are Intel codenames for multiple generations of Intel Core mobile and desktop processors. Given that these Intel Core processors are used by a wide range of OEMs and ODMs, the same vulnerability could potentially affect a wide range of vendors and potentially hundreds of PC products that also use the Phoenix SecureCore UEFI firmware.” reads the analysis published by hardware security firm Eclypsium. “The possibility of exploitation depends on the configuration and permission assigned to the TCG2_CONFIGURATION variable, which could be different for every platform.”
This type of flaw can be exploited to establish a firmware backdoor such as BlackLotus. The experts warn of an increasing number of implants exploiting flaws like this to maintain persistence evading higher-level security measures. The security firm added that the the manipulation of runtime code can make attacks harder to detect via various firmware measurements.
“This vulnerability exemplifies two characteristic traits of IT infrastructure supply chain incidents—high impact and broad reach. UEFI firmware is some of the most high-value code on modern devices, and any compromise of that code can give attackers full control and persistence on the device.” concludes the report. “And since the vulnerable code stems from a major supply chain partner that licenses code to multiple OEM vendors, the issue can potentially affect many different products.”
Eclypsium disclosed the issue in coordination with Phoenix Technologies and Lenovo PSIRT. Lenovo released relevant BIOS updates at Multi-vendor BIOS Security Vulnerabilities (May, 2024) – Lenovo Support US.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Phoenix SecureCore UEFI firmware)