A newly discovered vulnerability in Phoenix SecureCore UEFI firmware tracked as CVE-2024-0762 impacts devices running numerous Intel CPUs, with Lenovo already releasing new firmware updates to resolve the flaw.
The vulnerability, dubbed ‘UEFICANHAZBUFFEROVERFLOW,’ is a buffer overflow bug in the firmware’s Trusted Platform Module (TPM) configuration that could be exploited to perform code execution on vulnerable devices.
The flaw was discovered by Eclypsium, who identified it on Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen devices, but later confirmed with Phoenix that it affects the SecureCore firmware for Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake Intel CPUs as well.
Due to the large number of Intel CPUs using this firmware, the vulnerability has the potential to impact hundreds of models from Lenovo, Dell, Acer, and HP.
UEFI firmware is a valuable target
UEFI firmware is considered more secure as it includes Secure Boot, which is supported by all modern operating systems, including Windows, macOS, and Linux. Secure Boot cryptographically confirms a device is only booted using trusted drivers and software, blocking the boot process if it detects malicious software.
As Secure Boot makes it much harder for threat actors to install persistent boot malware and drivers, UEFI bugs have become increasingly targeted to create malware called bootkits.
Bootkits are malware that loads very early in the UEFI boot process, giving the malicious programs low-level access to the operation and making them very difficult to detect like we saw the BlackLotus, CosmicStrand, and MosaicAggressor UEFI malware.
Eclypsium says the bug they found lies in a buffer overflow within the System Management Mode (SMM) subsystem of Phoenix SecureCore firmware, allowing attackers to potentially overwrite adjacent memory.
If the memory was overwritten with the correct data, an attacker could potentially elevate privileges and gain code execution abilities in the firmware to install bootkit malware.
“The issue involves an unsafe variable in the Trusted Platform Module (TPM) configuration that could lead to a buffer overflow and potential malicious code execution,” warns Eclypsium.
“To be clear, this vulnerability lies in the UEFI code handling TPM configuration—in other words, it doesn’t matter if you have a security chip like a TPM if the underlying code is flawed.”
After discovering the bug, Eclypsium coordinated a disclosure with Phoenix and Lenovo to fix the flaws.
In April, Phoenix issued an advisory and Lenovo began releasing new firmware in May to resolve the vulnerabilities in over 150 different models. It is important to note that not all models have available firmware at this time, with many planned for later this year.
