
Intel processors impacted by Phoenix SecureCore UEFI firmware bug

A high-severity vulnerability has been discovered in Phoenix SecureCore UEFI firmware, affecting multiple Intel processors and hundreds of computer models, according to recent research conducted by Eclypsium. The vulnerability, assigned the identifier CVE-2024-0762 and named “UEFIcanhazbufferoverflow” by researchers, poses a significant risk: it involves an unsafe variable within the Trusted Platform Module (TPM) configuration that could lead to a buffer overflow and the execution of malicious code.

Eclypsium has highlighted the growing significance of UEFI vulnerabilities as prime targets for attackers, emphasizing the critical role firmware plays in controlling a system’s boot process. Recent UEFI attacks, such as BlackLotus and MosaicRegressor, serve as examples of the potential risks associated with exploiting vulnerabilities in this essential component of computer systems.

According to Eclypsium, the vulnerability enables a local attacker to elevate privileges and execute code within the UEFI firmware during runtime, presenting a serious security threat that could potentially result in persistent access and the circumvention of higher-level security measures. The manipulation of runtime code also adds a layer of complexity to detecting such attacks, making them harder to identify through conventional firmware monitoring mechanisms.

The vulnerability itself is not new: Phoenix issued an advisory upon its disclosure last month and released mitigations in April to address the issue. Customers were advised to update their firmware to the latest version, which contains the necessary security measures to protect against potential exploitation. Phoenix reiterated this recommendation in response to inquiries from TechTarget Editorial regarding the vulnerability.

Eclypsium’s blog post offers detailed insights into the technical aspects of the vulnerability and its implications. Initially identified in specific Lenovo laptop models, the vulnerability was later confirmed to affect multiple families of Intel processors, including popular variants like Alder Lake, Coffee Lake, and Tiger Lake. Given Phoenix SecureCore UEFI’s widespread adoption across various PC products, the potential for exploitation extends throughout the supply chain, affecting numerous vendors and devices utilizing the vulnerable firmware.

Nate Warfield, director of threat research and intelligence at Eclypsium, said that no instances of exploitation related to this vulnerability have been observed thus far. While the risk of exploitation remains, the nature of the vulnerability suggests that attackers would likely leverage it after gaining access to the system, as a means of maintaining persistence. Eclypsium said it has refrained from releasing a proof-of-concept exploit to prevent potential misuse of the vulnerability.

TechTarget Editorial reached out to Intel for further insights and commentary on the matter and is awaiting additional input from the processor manufacturer. As the industry continues to address emerging security challenges, proactive measures and timely updates are essential to safeguarding systems against threats like the CVE-2024-0762 vulnerability in Phoenix SecureCore UEFI firmware.

Alexander Culafi, a senior information security news writer and podcast host for TechTarget Editorial, contributed to this report.
