
High-Risk Overflow Bug in Intel Chips Could Affect Hundreds of PC Models


A vast number of computers are facing a potential threat due to a recently discovered vulnerability in Intel processors. The issue, known as CVE-2024-0762 and ominously named “UEFIcanhazbufferoverflow,” is a buffer overflow flaw impacting various versions of Phoenix Technologies’ SecureCore Unified Extensible Firmware Interface (UEFI) firmware. While initially disclosed by the vendor back in May, the vulnerability has now been elaborated on by Eclypsium researchers in a detailed blog post.

The vulnerability was first identified by researchers in November while examining UEFI images in Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen laptops. It stems from an insecure call to the GetVariable() runtime service, which is used to read the contents of a UEFI variable. A lack of proper checks could enable an attacker to input excessive data, leading to an overflow. Subsequently, the attacker could exploit this to elevate privileges and execute code on the targeted device during runtime.
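The following C sketch is an added illustration of this bug class, not Phoenix's firmware code or anything from the original article. It assumes one common way a GetVariable() call becomes insecure, reusing the size value after a failed call (the article does not detail the exact defect), and every name in it (`mock_get_variable`, `set_mock_variable`, `read_variable_checked`, the simplified types) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for UEFI types and status codes (assumptions). */
typedef size_t UINTN;
typedef enum { EFI_SUCCESS, EFI_BUFFER_TOO_SMALL } EFI_STATUS;

/* Constructed variable store; assume its contents can be set from the OS. */
static uint8_t g_var[64];
static UINTN g_var_len;

void set_mock_variable(const uint8_t *data, UINTN len) {
    g_var_len = len > sizeof g_var ? sizeof g_var : len;
    memcpy(g_var, data, g_var_len);
}

/* Mock following GetVariable()'s size contract: *size is the buffer
   capacity on entry and the stored length on return. It trusts *size. */
EFI_STATUS mock_get_variable(UINTN *size, void *buf) {
    if (*size < g_var_len) {
        *size = g_var_len;              /* required size, set by stored data */
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(buf, g_var, g_var_len);
    *size = g_var_len;
    return EFI_SUCCESS;
}

/* Shows the hazard without overflowing: after a failed call, `size` holds
   the variable's length, not the capacity. Reusing it in a second call
   would tell the service the buffer is bigger than it is. */
UINTN size_left_after_failed_call(UINTN capacity) {
    uint8_t scratch[64];                /* real buffer; only `size` is small */
    UINTN size = capacity;
    mock_get_variable(&size, scratch);
    return size;
}

/* Hardened reader: size is set to the true capacity right before the
   call, and a too-small buffer is a hard failure, never a blind retry. */
EFI_STATUS read_variable_checked(uint8_t *buf, UINTN capacity, UINTN *out_len) {
    UINTN size = capacity;
    EFI_STATUS st = mock_get_variable(&size, buf);
    if (st != EFI_SUCCESS || size > capacity) {
        *out_len = 0;
        return EFI_BUFFER_TOO_SMALL;
    }
    *out_len = size;
    return EFI_SUCCESS;
}
```

The point for firmware reviewers is that the size argument is both input and output, so any call site that does not re-derive it from the real buffer before each call deserves scrutiny.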

Beyond the severity of the vulnerability, its widespread impact is a significant concern. Intel dominates the global market for PC processors, and SecureCore firmware runs on 10 different generations of Intel chips. Eclypsium estimates that hundreds of PC models from various manufacturers could be affected by this vulnerability.

UEFI and its predecessor, BIOS, represent critical areas of vulnerability in a computer system. As the firmware interface controlling the boot process, UEFI is the first and most privileged code to run when a device is powered on. This unique status has made it a prime target for attackers seeking to gain root-level access, establish persistence across reboots, evade security programs, and more.

Nate Warfield, director of threat research and intelligence at Eclypsium, highlights the potential dangers of exploiting UEFI vulnerabilities. He points out that compromising this stage of a computer booting process can facilitate the insertion of malicious code into the boot sector or inject malware into the Windows system before it initiates. The recent emergence of the CosmicStrand UEFI rootkit underscores the risks associated with such attacks.

Despite its serious implications, the UEFIcanhazbufferoverflow vulnerability was rated 7.5 out of 10 on the CVSS scoring system. The score reflects the requirement that attackers already have access to the targeted machine and the need to tailor exploits to the specific computer model’s configuration and the permission settings of the affected variable.

The complexity of the vulnerability extends to the development and distribution of patches by vendors. Phoenix Technologies, for instance, had to address the issue across numerous versions of its UEFI code, complicating the patching process for customers. Lenovo, in collaboration with researchers, has begun releasing fixes, but complete protection for all affected computers may not be achieved until later in the summer. Other manufacturers will likely face similar challenges in addressing the vulnerability in their Intel-powered devices.

Warfield underscores the intricate supply chain dynamics involved in addressing such vulnerabilities, emphasizing the time-consuming process of informing vendors, who then notify OEMs to package and deliver fixes to end-users. In the interim, organizations using Intel-based computers may have to exercise patience while waiting for comprehensive solutions to be implemented.

In conclusion, the UEFIcanhazbufferoverflow vulnerability poses a significant risk to a wide range of computer systems worldwide, highlighting the ongoing challenges associated with securing firmware interfaces in the face of evolving cyber threats. Addressing these vulnerabilities requires coordinated efforts across vendors, researchers, OEMs, and end-users to ensure the timely deployment of effective patches and mitigate potential risks to computer systems and data.
