A newly identified vulnerability in Phoenix SecureCore UEFI firmware, designated as CVE-2024-0762, poses a significant threat to devices utilising a broad spectrum of Intel CPUs. Lenovo has proactively released firmware updates to mitigate this issue.
The vulnerability, known as 'UEFICANHAZBUFFEROVERFLOW,' is a buffer overflow flaw within the Trusted Platform Module (TPM) configuration of the firmware. Exploiting this bug could allow attackers to execute arbitrary code on affected devices.
Discovered by Eclypsium, the flaw was initially detected in Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen models. Further investigation confirmed that this vulnerability extends to SecureCore firmware across numerous Intel CPU families, including Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake.
Given the extensive use of these processors, the vulnerability could affect hundreds of models from manufacturers such as Lenovo, Dell, Acer, and HP.
UEFI Firmware: A High-Value Target
UEFI firmware is considered highly secure, featuring mechanisms like Secure Boot. This security measure is compatible with modern operating systems such as Windows, macOS, and Linux. Secure Boot ensures that only trusted drivers and software are used during the boot process, blocking any detected malicious software.
Due to the enhanced security provided by Secure Boot, threat actors increasingly target UEFI vulnerabilities to develop sophisticated malware known as bootkits. These bootkits, such as BlackLotus, CosmicStrand, and MosaicAggressor, load early in the UEFI boot sequence, granting low-level system access and making them exceedingly difficult to detect and eradicate.
Eclypsium discovered that the vulnerability resides in a buffer overflow within the System Management Mode (SMM) subsystem of Phoenix SecureCore firmware. This flaw allows potential memory overwrites, enabling attackers to elevate privileges and gain code execution capabilities within the firmware to install bootkit malware. This issue stems from an unsafe variable in the TPM configuration, which can lead to a buffer overflow and subsequent malicious code execution. This vulnerability impacts the UEFI code handling TPM configuration. Thus, even if a device is equipped with a security chip like a TPM, the underlying code flaw remains a critical issue that needs to be addressed.
After uncovering the bug, Eclypsium coordinated with Phoenix and Lenovo to address the vulnerabilities. In April, Phoenix issued an advisory, and Lenovo began rolling out firmware updates in May for over 150 different models. It is important to note that not all models have available firmware updates yet, with additional updates planned for release later this year.
For IT administrators and cybersecurity professionals, it is imperative to apply these updates promptly to mitigate the risks associated with this vulnerability.
