A recently disclosed vulnerability (CVE-2024-0762) has been identified in Phoenix SecureCore UEFI, firmware that runs on devices built around various Intel processors. It can be exploited locally, allowing an attacker to escalate privileges and execute arbitrary code within the firmware during runtime.
Researchers at Eclypsium have pointed out that this type of low-level exploitation is characteristic of firmware backdoors, such as BlackLotus, which are becoming more prevalent in the wild. Such implants give attackers persistent access to a device and help them evade security controls implemented higher up, in the operating system and application layers.
The vulnerability stems from an unsafe call to the GetVariable UEFI service, which can lead to an exploitable stack buffer overflow. The researchers emphasized that the flaw lies in the UEFI code that handles Trusted Platform Module (TPM) configuration: even devices equipped with security chips such as a TPM remain vulnerable if the underlying firmware code is flawed.
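As an added illustration, not code from Phoenix or from the Eclypsium write-up, the following C program models the generic unsafe-call pattern the advisory describes beside a bounded alternative. The UEFI runtime service is replaced by a small mock that keeps the real service's contract, the stack frame is simulated as a single byte array so that the over-long copy stays well defined, the variable contents are constructed, and the function names (MockGetVariable, ReadConfigUnsafe, ReadConfigSafe, and so on) are assumptions; nothing here reproduces the actual SecureCore code.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL 0x8000000000000005ULL
#define EFI_NOT_FOUND        0x800000000000000EULL
#define EFI_COMPROMISED_DATA 0x8000000000000021ULL

/* Mock NVRAM store holding a single variable. The name matches the one the
 * advisory mentions; the contents used below are constructed for the demo. */
#define NV_CAPACITY 64
static uint8_t  nv_data[NV_CAPACITY];
static uint64_t nv_size;

/* Stand-in for SetVariable(): replaces the stored value. */
void MockSetVariable(const uint8_t *src, uint64_t len) {
    if (len > NV_CAPACITY) len = NV_CAPACITY;
    memcpy(nv_data, src, len);
    nv_size = len;
}

/* Stand-in for GetVariable() with the real service's contract: if *DataSize is
 * smaller than the stored value it reports the needed size and returns
 * EFI_BUFFER_TOO_SMALL, otherwise it copies the value. The service cannot know
 * how large Data really is, so bounding the copy is entirely the caller's job. */
EFI_STATUS MockGetVariable(const char *Name, uint64_t *DataSize, void *Data) {
    (void)Name;
    if (nv_size == 0) return EFI_NOT_FOUND;
    if (*DataSize < nv_size) { *DataSize = nv_size; return EFI_BUFFER_TOO_SMALL; }
    memcpy(Data, nv_data, nv_size);
    *DataSize = nv_size;
    return EFI_SUCCESS;
}

/* Simulated stack frame: an 8-byte local buffer followed by 8 sentinel bytes
 * standing in for whatever the compiler placed above it (saved registers,
 * return address). Using one array keeps the over-long copy well defined. */
#define CFG_BUF  8
#define SENTINEL 0xA5
typedef struct { uint8_t frame[CFG_BUF + 8]; } SimFrame;

void FrameInit(SimFrame *f) { memset(f->frame, SENTINEL, sizeof f->frame); }

/* 1 if nothing beyond the local buffer was touched, 0 if it was overwritten. */
int FrameIntact(const SimFrame *f) {
    for (size_t i = CFG_BUF; i < sizeof f->frame; i++)
        if (f->frame[i] != SENTINEL) return 0;
    return 1;
}

/* Unsafe pattern: ask the service how large the variable is, then read it into
 * a fixed local buffer using that size. Whoever can write the variable now
 * decides how many bytes land on the stack. */
EFI_STATUS ReadConfigUnsafe(SimFrame *f) {
    uint64_t size = 0;
    EFI_STATUS st = MockGetVariable("TCG2_CONFIGURATION", &size, NULL);
    if (st != EFI_BUFFER_TOO_SMALL) return st;
    return MockGetVariable("TCG2_CONFIGURATION", &size, f->frame); /* size may exceed CFG_BUF */
}

/* Bounded pattern: the size passed in is the destination's capacity, never a
 * value derived from the variable. An oversized variable is refused rather
 * than retried, and a size that does not match the expected layout is
 * treated as corrupt configuration. */
EFI_STATUS ReadConfigSafe(SimFrame *f) {
    uint64_t size = CFG_BUF;
    EFI_STATUS st = MockGetVariable("TCG2_CONFIGURATION", &size, f->frame);
    if (st != EFI_SUCCESS) return st;            /* includes EFI_BUFFER_TOO_SMALL */
    if (size != CFG_BUF) return EFI_COMPROMISED_DATA;
    return EFI_SUCCESS;
}

/* Runs both readers against an oversized and then a correctly sized variable.
 * Returns a bitmask: bit 0 = unsafe reader clobbered the frame, bit 1 = bounded
 * reader refused the oversized value with the frame intact, bit 2 = bounded
 * reader accepted the well-sized value. All three together give 7. */
int DemoOutcome(void) {
    SimFrame f; uint8_t big[16], ok[CFG_BUF]; int r = 0;
    memset(big, 0x11, sizeof big);
    memset(ok, 0x22, sizeof ok);
    MockSetVariable(big, sizeof big);            /* constructed oversized value */
    FrameInit(&f);
    if (ReadConfigUnsafe(&f) == EFI_SUCCESS && !FrameIntact(&f)) r |= 1;
    FrameInit(&f);
    if (ReadConfigSafe(&f) == EFI_BUFFER_TOO_SMALL && FrameIntact(&f)) r |= 2;
    MockSetVariable(ok, sizeof ok);              /* constructed well-sized value */
    FrameInit(&f);
    if (ReadConfigSafe(&f) == EFI_SUCCESS && FrameIntact(&f)) r |= 4;
    return r;
}

int main(void) {
    int r = DemoOutcome();
    printf("unsafe reader overwrote the frame:           %s\n", (r & 1) ? "yes" : "no");
    printf("bounded reader refused oversized variable:   %s\n", (r & 2) ? "yes" : "no");
    printf("bounded reader accepted well-sized variable: %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The point for anyone auditing firmware code is the second argument of the final GetVariable call: if the value flowing into DataSize can be traced back to the variable store rather than to sizeof the destination, a larger variable written by anything with the right permissions overruns the caller's buffer, which is the class of defect the advisory describes.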
The flaw was initially discovered on two Lenovo ThinkPad laptops, and Phoenix Technologies has since confirmed that it affects multiple versions of its SecureCore firmware across various Intel processor families, including Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake. Lenovo laptops are therefore not the only devices at risk of exploitation.
To address this issue, Phoenix has already implemented mitigations in its UEFI earlier this year, and Lenovo has released BIOS updates for affected devices. Other manufacturers are expected to follow suit by providing firmware updates on their respective websites. Users are advised to regularly check for and install the latest firmware updates from their device vendors.
Although there is currently no evidence of in-the-wild exploitation, widespread exploitation may still be difficult: the researchers highlighted that the likelihood of exploitation depends on the configuration and permissions assigned to the TCG2_CONFIGURATION variable, which vary across platforms.
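One way for a defender to see how that variable is configured on a given Linux machine is to read its attribute bits through efivarfs. The following C program is an added example, not something from the advisory or from Phoenix: it assumes the standard efivarfs mount at /sys/firmware/efi/efivars, where each file is named Name-VendorGuid and starts with the 32-bit attribute word. The attribute bit values are the UEFI specification's EFI_VARIABLE_* constants; the vendor GUID of TCG2_CONFIGURATION is not given on the page, so the program matches the variable by name prefix, and the function names are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <dirent.h>

/* Attribute bits as defined in the UEFI specification (EFI_VARIABLE_*). */
#define EFI_VARIABLE_NON_VOLATILE                          0x01u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS                    0x02u
#define EFI_VARIABLE_RUNTIME_ACCESS                        0x04u
#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS            0x10u
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x20u

/* Linux efivarfs mount point; each file begins with the attribute word. */
#define EFIVARS_DIR "/sys/firmware/efi/efivars"
#define VAR_PREFIX  "TCG2_CONFIGURATION-"   /* vendor GUID unknown: match by prefix */

/* 1 when the attribute word lets the OS rewrite the variable at runtime without
 * an authenticated write. On a platform that has not yet received fixed
 * firmware, that is the configuration worth flagging for follow-up. */
int OsWritableUnauthenticated(uint32_t attrs) {
    if (!(attrs & EFI_VARIABLE_RUNTIME_ACCESS)) return 0;
    if (attrs & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS |
                 EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) return 0;
    return 1;
}

/* Renders the attribute bits as a flag string such as "NV BS RT". */
const char *DescribeAttributes(uint32_t attrs) {
    static char buf[48];
    buf[0] = '\0';
    if (attrs & EFI_VARIABLE_NON_VOLATILE)                          strcat(buf, "NV ");
    if (attrs & EFI_VARIABLE_BOOTSERVICE_ACCESS)                    strcat(buf, "BS ");
    if (attrs & EFI_VARIABLE_RUNTIME_ACCESS)                        strcat(buf, "RT ");
    if (attrs & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)            strcat(buf, "AUTH ");
    if (attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) strcat(buf, "TIME_AUTH ");
    size_t n = strlen(buf);
    if (n) buf[n - 1] = '\0';                  /* drop the trailing space */
    return buf;
}

/* Decodes the little-endian attribute word from the first four bytes of an
 * efivarfs file. Returns 1 on success, 0 if the file cannot be read. */
int ReadAttrsFromFile(const char *path, uint32_t *attrs) {
    unsigned char hdr[4];
    FILE *fp = fopen(path, "rb");
    if (!fp) return 0;
    size_t got = fread(hdr, 1, sizeof hdr, fp);
    fclose(fp);
    if (got != sizeof hdr) return 0;
    *attrs = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
             ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    return 1;
}

/* Scans efivarfs for the variable and prints each match with its attributes.
 * Returns the number of matches; 0 when efivarfs or the variable is absent. */
int ScanTcg2Configuration(void) {
    DIR *d = opendir(EFIVARS_DIR);
    struct dirent *e;
    int found = 0;
    if (!d) return 0;
    while ((e = readdir(d)) != NULL) {
        if (strncmp(e->d_name, VAR_PREFIX, strlen(VAR_PREFIX)) != 0) continue;
        char path[512];
        uint32_t attrs;
        snprintf(path, sizeof path, "%s/%s", EFIVARS_DIR, e->d_name);
        if (!ReadAttrsFromFile(path, &attrs)) continue;
        found++;
        printf("%s: attrs=0x%02x [%s]%s\n", e->d_name, attrs, DescribeAttributes(attrs),
               OsWritableUnauthenticated(attrs) ? "  <- runtime-writable without authentication" : "");
    }
    closedir(d);
    return found;
}

int main(void) {
    if (ScanTcg2Configuration() == 0)
        printf("no %s* variable visible under %s\n", VAR_PREFIX, EFIVARS_DIR);
    return 0;
}
```

Run it as root on the machine under review. If the variable is not listed at all, either efivarfs is not mounted or the variable lacks EFI_VARIABLE_RUNTIME_ACCESS, in which case the operating system cannot reach it and the exposure is correspondingly smaller; a listed variable whose attributes include RT and no authentication bit is the case to note, and in every case the remedy remains installing the vendor's fixed firmware.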
In conclusion, the presence of vulnerabilities like CVE-2024-0762 underscores the importance of maintaining up-to-date firmware and implementing security best practices to mitigate the risk of potential exploits. Vigilance and prompt action in response to security advisories from device vendors are crucial steps in safeguarding against potential threats to system integrity and data confidentiality.

