F5F Stay Refreshed Hardware Desktop Vulnerability in BIOS being used to gain access

Pages (3): 1 2 3 Next
anemto
Member
132
10-17-2023, 03:18 AM
#1
Most Windows and Linux systems exposed to the LogoFAIL firmware vulnerability have security layers that prevent detection or removal. The latest update was shared on December 7 at 3:39 PM, noting that BIOS patches were supposed to be released yesterday. Online searches show no such announcements. By Wednesday, the situation was likely addressed, and I contacted Asus' support to report the issue. Expect a reply within 24-48 hours. Updated by RevGAM on December 7, 2023.

Queen_Cookie
Junior Member
6
11-08-2023, 12:37 AM
#2
Most devices today support UEFI, but many older systems still run BIOS. Whether from outdated hardware or newer setups, users often stick with BIOS instead of UEFI. Additionally, some UEFI boards let you turn off custom logos during startup, which could resolve this problem.

mcDavoz
Senior Member
544
11-08-2023, 03:34 AM
#3
I'm curious about whether it might run a command to remove the system32 folder.

Carsland123
Senior Member
398
11-28-2023, 05:55 AM
#4
There are two main scenarios: either the firmware is compromised due to a bad BIOS update or a breach, or an attacker has already gained access and modified the device. In the first case, you're safe regardless since the trust chain is broken. In the second, being compromised already makes it irrelevant to try more malware. This kind of media decoding vulnerability isn't rare—see this article about Chrome and Firefox issues: https://arstechnica.com/security/2023/09...r-software

peyesta
Member
212
11-28-2023, 06:21 AM
#5
Ensure no remote admin rights are granted to anyone, which should keep you safe—even in games with full system access and anti-cheat features like Valorant.

Darkfall48
Junior Member
2
12-11-2023, 09:24 PM
#6
Remote admin rights aren't required to breach and compromise a system. No-click methods are also ineffective.

gloc
Junior Member
12
12-31-2023, 11:26 PM
#7
I understand this relates to the logofail flaw where privileged PowerShell is used.

Kitten645321
Member
181
01-01-2024, 02:39 PM
#8
It was achieved by taking advantage of browser weaknesses and then gaining higher system permissions.

BlueZoisite
Junior Member
19
01-04-2024, 02:09 AM
#9
It's worth noting that the assumption about disabling the system before infection is key. Once access is gained, the situation changes little. There are additional weaknesses not discussed here... Do you have any idea what share of users skip UEFI? According to the article, once inside and privileges obtained, simply placing the infected image on the ESP is enough. The method used doesn't affect detection in BIOS or the operating system. Yes, it's crucial because LogoFail provides a backdoor for unrestricted actions. It enables the installation of various tools as needed. Regardless of how it's introduced, the trust chain is broken. It doesn't matter whether it happens remotely or on-site—it's already complete. The only solution is updating the firmware. Clearing the infection from memory won't help since it will be reloaded at startup. Anyone using UEFI is at risk, except for most Dell models and Apple devices.

TmineCraft34
Member
121
01-04-2024, 04:55 AM
#10
The situation remains critical regardless of the attacker's approach. It matters because the system must already be compromised before an infected image can be introduced. A non-infected setup cannot be affected by logofail alone—unless the firmware itself was tampered with, such as downloading a corrupted version or receiving a compromised device. In the second scenario, the malicious image in the ESP can be easily removed. A straightforward system format should be enough to overwrite the ESP. This applies even if Dell is also affected, as highlighted in the article.
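A defender-side check for the scenario posts #9 and #10 describe (an image dropped onto the ESP that the firmware reloads at every boot): an added example, not from the thread or any vendor tool, that baselines the image files present on the ESP by magic bytes and SHA-256 and reports any that are new or changed. The ESP mount point is an assumption (commonly /boot/efi on Linux); here a constructed temporary directory stands in for it so the script runs offline.

```python
# Added example (not from the thread): inventory image files on a mounted ESP and
# diff them against a baseline; the mount point (e.g. /boot/efi) is an assumption.
import hashlib
import tempfile
from pathlib import Path

# Leading bytes of image formats that UEFI logo parsers commonly accept.
IMAGE_MAGIC = {
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
}

def image_kind(path):
    """Return the image type by magic bytes, or None for non-image files."""
    head = path.read_bytes()[:8]
    for kind, magics in IMAGE_MAGIC.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return None

def scan_esp(root):
    """Map each image file under root (relative POSIX path) to (kind, sha256)."""
    root = Path(root)
    found = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        kind = image_kind(path)
        if kind is None:
            continue  # bootloaders, configs and fonts are ignored
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        found[path.relative_to(root).as_posix()] = (kind, digest)
    return found

def diff_baseline(baseline, current):
    """Images that are new, or whose contents changed, since the baseline."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"new": new, "changed": changed}

def demo():
    """Constructed stand-in ESP: baseline it, drop a new PNG, then re-scan."""
    root = Path(tempfile.mkdtemp(prefix="esp-"))
    (root / "EFI" / "BOOT").mkdir(parents=True)
    (root / "EFI" / "BOOT" / "bootx64.efi").write_bytes(b"MZ" + b"\x00" * 62)  # not an image
    (root / "EFI" / "BOOT" / "logo.bmp").write_bytes(b"BM" + b"\x00" * 30)
    baseline = scan_esp(root)
    (root / "EFI" / "splash.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return baseline, diff_baseline(baseline, scan_esp(root))
```

As the thread notes, finding such a file is evidence rather than a cure: the image is a persistence artifact, and only the firmware update closes the parser flaw that lets it run.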
