A critical vulnerability, CVE-2024-0762, known as “UEFIcanhazbufferoverflow,” has been uncovered in the Phoenix SecureCore UEFI firmware, affecting multiple Intel Core desktop and mobile processor families. Disclosed by cybersecurity researchers, it is a buffer overflow in the firmware's Trusted Platform Module (TPM) configuration handling that could allow malicious actors to execute unauthorized code.
Eclypsium, a company specializing in supply chain security, detected the vulnerability using its automated binary analysis system, Eclypsium Automata. The company reported that the flaw can be exploited locally to escalate privileges and take control of the UEFI firmware at runtime, bypassing security measures that operate at higher layers of the stack. This poses a serious threat to affected devices.
The Phoenix SecureCore UEFI firmware is widely used across various generations of Intel Core processors, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. Given the broad adoption of these processors by different original equipment manufacturers (OEMs), the UEFIcanhazbufferoverflow vulnerability has the potential to impact a wide range of PC products in the market.
According to researchers at Eclypsium, the vulnerability stems from insecure variable handling within the TPM configuration code, specifically in how the TCG2_CONFIGURATION UEFI variable is read. Because the size of the data read from the variable is not properly bounded, the read can overflow its destination buffer, enabling attackers to execute arbitrary code.
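The following added example (not Phoenix's code, and not taken from the Eclypsium report) illustrates the class of defect described above: reading a UEFI variable into a fixed-size buffer using the size the variable store reports, versus passing the buffer's own capacity and checking the result. The TCG2_CONFIGURATION layout, the mock GetVariable and the NVRAM samples are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mock of the UEFI GetVariable() in/out DataSize contract (not the real
 * runtime service); the NVRAM contents below are constructed samples. */
typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS 0
#define EFI_BUFFER_TOO_SMALL 5

/* Hypothetical 8-byte layout assumed for the TCG2_CONFIGURATION variable. */
typedef struct { uint8_t flags[8]; } TCG2_CONFIGURATION;

const uint8_t kExactSample[8] = { 1, 0, 0, 0, 0, 0, 0, 0 };  /* well-formed */
const uint8_t kOversizedSample[24] = { 0x41 };  /* 24 bytes: too large */

static const uint8_t *g_var = kExactSample;   /* what NVRAM currently holds */
static size_t g_var_size = sizeof kExactSample;

void SetStoredVariable(const uint8_t *d, size_t n) { g_var = d; g_var_size = n; }

static EFI_STATUS MockGetVariable(void *data, size_t *data_size) {
  if (*data_size < g_var_size) {   /* buffer too small: report needed size, */
    *data_size = g_var_size;       /* copy nothing */
    return EFI_BUFFER_TOO_SMALL;
  }
  memcpy(data, g_var, g_var_size);
  *data_size = g_var_size;
  return EFI_SUCCESS;
}

/* Unsafe pattern: ask how big the stored variable is, then copy that many
 * bytes into a fixed-size stack buffer. Returns the length such a copy would
 * use; anything above sizeof(TCG2_CONFIGURATION) overruns the buffer. The
 * memcpy is deliberately omitted so this demo cannot corrupt its own stack. */
size_t UnsafeReadLength(void) {
  size_t size = 0;
  MockGetVariable(NULL, &size);    /* first call only reports the stored size */
  return size;                      /* memcpy(stack_buf, ..., size) would follow */
}

/* Hardened pattern: pass the buffer's real capacity, check the status, and
 * accept only the exact size the firmware expects (smaller is rejected too). */
bool SafeLoadConfig(TCG2_CONFIGURATION *out) {
  size_t size = sizeof *out;
  EFI_STATUS st = MockGetVariable(out, &size);
  return st == EFI_SUCCESS && size == sizeof *out;
}
```

With the oversized sample stored, the unsafe pattern would copy 24 bytes into an 8-byte structure, while the hardened loader rejects the variable and leaves the structure untouched.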
In response to the disclosure, Phoenix Technologies assigned CVE-2024-0762 to the UEFIcanhazbufferoverflow vulnerability and released patches on May 14, 2024, to address the issue. The vulnerability carries a CVSS score of 7.5, a High severity rating.
UEFI firmware vulnerabilities like “UEFIcanhazbufferoverflow” underscore the crucial role of firmware in device security. UEFI is the foundational software that initializes hardware and provides runtime services to the operating system, so compromising it gives an attacker persistence and control that sit beneath the operating system's own defenses.
This incident also highlights the challenges of supply chain security: a vulnerability in an upstream component such as a firmware reference implementation propagates to every vendor and product built on it. Organizations are urged to use comprehensive scanning tools to identify affected devices and to promptly apply the firmware updates provided by their vendors.
For enterprises that rely on devices with potentially affected firmware, proactive measures include deploying solutions that continuously monitor and evaluate device integrity. This helps mitigate the risk posed by older devices that may never receive a patch and provides ongoing protection against active exploitation of firmware-level vulnerabilities.
In conclusion, the discovery of the UEFIcanhazbufferoverflow vulnerability in the Phoenix SecureCore UEFI firmware is a reminder of the importance of prioritizing firmware security and implementing robust measures to guard against such threats. By staying vigilant and addressing vulnerabilities promptly, organizations can strengthen their overall cybersecurity posture and protect their systems from malicious attacks.