Cybersecurity researchers have disclosed details of a recently patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors.
Identified as CVE-2024-0762 (CVSS score: 7.5), the “UEFIcanhazbufferoverflow” vulnerability has been characterized as a buffer overflow issue originating from the use of an insecure variable in the Trusted Platform Module (TPM) configuration, potentially leading to the execution of malicious code.
“The vulnerability enables a local attacker to raise privileges and achieve code execution within the UEFI firmware at runtime,” supply chain security company Eclypsium stated in a report shared with The Hacker News.
“This kind of low-level exploitation is typical of firmware backdoors (e.g., BlackLotus) that are increasingly prevalent in the wild. Such implants provide attackers with continuous access within a device and often, the ability to bypass higher-level security measures established in the operating system and software layers.”
After responsible disclosure, the vulnerability was resolved by Phoenix Technologies in April 2024. PC manufacturer Lenovo has also issued updates for the flaw as of last month.
“This vulnerability impacts devices utilizing Phoenix SecureCore firmware running on specific Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake,” the firmware developer highlighted.
UEFI, a successor to BIOS, refers to motherboard firmware used during startup to initialize the hardware components and load the operating system via the boot manager.
Given that UEFI is the initial code executed with the highest privileges, it has become an attractive target for malicious actors seeking to deploy bootkits and firmware implants that can undermine security mechanisms and maintain persistence without detection.
Furthermore, vulnerabilities found in the UEFI firmware can pose a significant risk to the supply chain, as they have the potential to impact various products and vendors simultaneously.
“UEFI firmware represents some of the most valuable code on modern devices, and any compromise of that code can grant attackers complete control and staying power on the device,” Eclypsium mentioned.
This development comes nearly a month after the company publicized a similar unpatched buffer overflow flaw in HP’s implementation of UEFI affecting HP ProBook 11 EE G1, a device that reached end-of-life (EoL) status in September 2020.
It also follows the disclosure of a software attack known as TPM GPIO Reset that could be exploited by attackers to access secrets stored on disk by other operating systems or undermine controls protected by the TPM like disk encryption or boot protections.
