UEFI CVE-2024-0762 Vulnerability Affecting Several Intel CPUs Uncovered by Researchers
Recently, cybersecurity researchers revealed a critical security flaw in the Phoenix SecureCore UEFI firmware, impacting multiple families of Intel Core desktop and mobile processors. This vulnerability, identified as CVE-2024-0762 with a CVSS score of 7.5, has been named "UEFIcanhazbufferoverflow." It is a buffer overflow issue caused by the use of an unsafe variable in the Trusted Platform Module (TPM) configuration, potentially allowing the execution of malicious code.
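The following is an added illustration of the general bug class described above, a firmware variable read into a fixed-size buffer without checking its length, shown next to a hardened version; it is not Phoenix's code and not taken from the original article. The reader function get_var, the 8-byte CFG_LEN and the 24-byte stored value are hypothetical and constructed for the example, modelled only on the in/out size parameter of UEFI GetVariable().

```c
#include <stdio.h>
#include <string.h>

#define CFG_LEN 8                  /* size the caller expects (assumed) */
enum { VAR_OK = 0, VAR_TOO_SMALL = 1 };

/* Constructed variable store: length is set by whoever wrote the variable. */
size_t stored_len = 24;

/* Hypothetical reader modelled on UEFI GetVariable(): *size is in/out.
 * Too small a buffer: nothing is copied and the needed size is reported. */
static int get_var(unsigned char *buf, size_t *size) {
    if (*size < stored_len) { *size = stored_len; return VAR_TOO_SMALL; }
    memset(buf, 0x41, stored_len); /* stand-in for copying the stored bytes */
    *size = stored_len;
    return VAR_OK;
}

/* Unsafe caller: ignores the status and reuses the size the first call
 * enlarged. The 64-byte arena stands in for the memory around a
 * CFG_LEN-byte buffer, so the overrun is observable without undefined
 * behaviour. Returns the number of bytes written past the buffer. */
size_t read_cfg_unsafe(void) {
    unsigned char arena[64] = {0};
    size_t size = CFG_LEN, over = 0;
    get_var(arena, &size);         /* size silently grows if value is long */
    get_var(arena, &size);         /* second read now copies stored_len bytes */
    for (size_t i = CFG_LEN; i < sizeof arena; i++) over += (arena[i] != 0);
    return over;
}

/* Hardened caller: checks the status and rejects any unexpected length. */
int read_cfg_safe(unsigned char out[CFG_LEN]) {
    size_t size = CFG_LEN;
    if (get_var(out, &size) != VAR_OK || size != CFG_LEN) {
        memset(out, 0, CFG_LEN);
        return -1;
    }
    return 0;
}

int main(void) {
    unsigned char cfg[CFG_LEN];
    printf("unsafe: %zu bytes past the buffer\n", read_cfg_unsafe());
    printf("safe:   %d\n", read_cfg_safe(cfg));
    return 0;
}
```

The hardened caller treats the variable's contents and length as untrusted input, which is the property a firmware fix for this class of bug has to restore.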
Eclypsium, a supply chain security firm, reported that this vulnerability enables local attackers to escalate privileges and execute code within the UEFI firmware during runtime. This kind of low-level exploitation is reminiscent of firmware backdoors like BlackLotus, which have been increasingly observed in the wild. Such exploits grant attackers persistent access to a device, often bypassing higher-level security measures in the operating system and software layers.
Phoenix Technologies patched this vulnerability in April 2024 following responsible disclosure. Lenovo also released updates addressing this flaw last month. The affected devices include those using Phoenix SecureCore firmware on Intel processor families such as Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake.
UEFI (Unified Extensible Firmware Interface), the successor to BIOS, is crucial for initializing hardware components and loading the operating system via the boot manager during startup. Since UEFI is the first code executed with the highest privileges, it has become a prime target for threat actors aiming to deploy bootkits and firmware implants. These attacks can bypass security mechanisms and maintain persistence without detection.
Vulnerabilities in UEFI firmware pose a significant supply chain risk, affecting numerous products and vendors simultaneously. As Eclypsium noted, compromising UEFI firmware can grant attackers full control and persistence on the affected devices.
This development follows closely on the heels of another report by Eclypsium about an unpatched buffer overflow flaw in HP's UEFI implementation, affecting the HP ProBook 11 EE G1, which reached end-of-life status in September 2020. Additionally, there was a disclosure of a software attack named TPM GPIO Reset, which attackers could exploit to access secrets stored on disk by other operating systems or undermine TPM-protected controls such as disk encryption or boot protections.
Staying updated with firmware patches and understanding the implications of these vulnerabilities is critical for maintaining the security of modern computing devices.