UEFIcanhazbufferoverflow

PR3MIUM

Senior Member

UEFIcanhazbufferoverflow: Widespread Impact from Vulnerability in Popular PC and Server Firmware


Eclypsium Automata, our automated binary analysis system, has identified a high impact vulnerability (CVE-2024-0762 with a reported CVSS of 7.5) in the Phoenix SecureCore UEFI firmware that runs on multiple families of Intel Core desktop and mobile processors. The issue involves an unsafe variable in the Trusted Platform Module (TPM) configuration that could lead to a buffer overflow and potential malicious code execution. To be clear, this vulnerability lies in the UEFI code handling TPM configuration—in other words, it doesn’t matter if you have a security chip like a TPM if the underlying code is flawed.

Source:
 
I have noticed Dell has had some new BIOS updates. It is one of the reasons I buy Dell now. In the past I would build my own PC buying motherboards. The problem I found is in after support, as it was lacking. The vendors had moved on to new motherboards and really did not want to spend time on the old motherboards.
 
Microcode updates might patch this issue within the OS; however, that's only within the OS and applies each reboot. Only a BIOS update can fully fix UEFI or CPU vulnerabilities. The CVE and article don't really explain if there are any patches, as it would be manufacturer / CPU dependent.
 
Seems like not much can be done, yet. Every security upgrade brings a new batch of vulnerabilities that are getting worse. Will Intel fix this? What to do? I have 5 Intel laptops: 2 Core i9 and 3 Core i7.
 
Remember, UEFI is not just a bootloader, but an OS as well...

Bootloaders are executable code, whether it's BIOS, UEFI, CoreBoot, uBoot, CFE, etc...

UEFI has always been a concern, as it can do so much, and has access to/from the primary OS - so issues like the one the OP has mentioned will always be a problem.
 
Currently no BIOS updates seen from MSI, ASUS or others which show this CVE in the release notes.
Phoenix has released or sent a fix, just waiting for the manufacturers to release a new BIOS.
Doesn't matter if you use Legacy or UEFI, as UEFI is in the system and an attacker just needs to plug in a USB and start the PC.
 
Currently no BIOS updates seen from MSI, ASUS or others which show this CVE in the release notes.
AFAIK, many motherboard manufacturers use AMI, not Phoenix. So there's nothing for Asus to update there, they don't use Phoenix.

I generally mostly see Phoenix in laptops or OEM desktops.
 
