A newly discovered vulnerability found in the Phoenix SecureCode UEFI firmware that runs on Intel Core processors could potentially affect tens of millions of laptops in a broad cross-section of industries, according to researchers at Eclypsium.
In a June 20 blog post, Eclypsium researchers said given that the Intel Core processors are used in potentially hundreds of PC products, the vulnerability — CVE-2024-0762 — could potentially affect a wide range of vendors and potentially hundreds of PC products. As an example, the following manufacturers use Intel Core processors: Acer, ASUS, Dell, Fujitsu, HP, Lenovo, and MSI.
“Approximately 200 million laptops were shipped just in 2023,” said Nate Warfield, director of threat research and intelligence at Eclypsium. “The market is dominated by six large PC manufacturers: Lenovo, HP, Dell, Apple, ASUS, and Acer. All of these except Apple are potentially affected. We would estimate that tens of millions of laptops could be affected, which translates to thousands of organizations across a wide variety of industries.”
Warfield explained that CVE-2024-0762 differs from the LogoFail vulnerabilities, which came to light late last year in that they are in different UEFI drivers. LogoFail affected boot logo images while this vulnerability is in the TCG2_CONFIGURATION module which manages the trusted platform modules (TPMs).
UEFI (unified extensible firmware interface) has established itself as a new method by which operating systems and platform firmware communicate, offering a lightweight BIOS alternative that uses only the information needed to launch the OS boot process. UEFI offers enhanced computer security features and supports most existing BIOS systems with backward compatibility.
As explained in the Eclyspsium blog, the vulnerability revolves around an unsafe variable in the TPM configuration that could lead to a buffer overflow and potential malicious code execution. Buffer overflows can cause extra data in a buffer to overflow into adjacent memory, corrupting or overwriting the data there.
“To be clear, this vulnerability lies in the UEFI code handling TPM configuration — in other words, it doesn’t matter if you have a security chip like a TPM if the underlying code is flawed,” said the researchers.
Warfied said his team originally identified the vulnerability on the Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen, both using the latest Lenovo BIOS updates.
However, BIOS-maker Phoenix Technologies has subsequently acknowledged that the same issue applies to multiple versions of its SecureCore firmware that’s included in Intel processor families including the following: AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake, Intel codenames for multiple generations of Intel Core mobile and desktop processors.
John Gallagher, vice president of Viakoo Labs, added that this most rexcent vulnerability is specific to one BIOS provider, Phoenix, and not AMI or Insyde, which are other major BIOS providers. However, Gallagher noted that it broadly impacts systems based on Intel CPUs, still one of the most important players in the PC chip market.
“This is a less ‘developed’ vulnerability than LogoFail, in that it does not have stages of payload deployment after being executed, and is specific to the Phoenix BIOS,” said Gallagher. “It’s similar to LogoFail in how it attacks in the earliest stage of system bootup and provides access to all parts of the system, but different in the scale and maturity of the exploit.”
