UEFI Security Exploit Discovered, Allows Backdoors on Linux Machines
How the Exploit Works
Normally, Secure Boot prevents the UEFI from running any subsequent file unless it bears a digital signature certifying that the device maker trusts it. The exploit bypasses this protection by injecting shell code stashed in a malicious bitmap image that the UEFI displays during the boot-up process. The injected code installs a cryptographic key that digitally signs a malicious GRUB file along with a backdoored image of the Linux kernel, both of which run during later stages of the boot process on Linux machines.
The Silent Installation of the Key
The silent installation of this key induces the UEFI to treat the malicious GRUB and kernel image as trusted components, and thereby bypass Secure Boot protections. The final result is a backdoor slipped into the Linux kernel before any other security defenses are loaded.
Diagram Illustrating the Execution Flow
Diagram illustrating the execution flow of the LogoFAIL exploit Binarly found in the wild.
Credit: Binarly
Expert Analysis
In an online interview, HD Moore, CTO and co-founder at runZero and an expert in firmware-based malware, explained the Binarly report this way:
The Binarly paper points to someone using the LogoFAIL bug to configure a UEFI payload that bypasses secure boot (firmware) by tricking the firmware into accepting their self-signed key (which is then stored in the firmware as the MOK variable). The evil code is still limited to the user-side of UEFI, but the LogoFAIL exploit does let them add their own signing key to the firmware’s allow list (but does not infect the firmware in any way otherwise).
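The MOK detail above suggests a defender-side check: enumerate the keys enrolled in shim's MOK list and flag any that are not on a known-good allowlist. The following is an added example, not code from Binarly, runZero or this article; it parses the EFI_SIGNATURE_LIST layout defined by the UEFI specification, and the efivarfs path, the shim GUID used as owner, and the sample certificates are assumptions or constructed test data.

```python
import hashlib
import struct
import uuid

# On Linux the runtime copy of shim's MOK list is readable from efivarfs at
# /sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23
# (skip the first 4 bytes, which are the variable attributes, before parsing).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHIM_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")  # used here as a placeholder owner

def parse_signature_lists(data):
    """Walk an array of EFI_SIGNATURE_LIST structures: SignatureType GUID, SignatureListSize,
    SignatureHeaderSize, SignatureSize, optional header, then (SignatureOwner, SignatureData)."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:  # each entry: 16-byte owner GUID + signature data
            entries.append((sig_type, uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def fingerprint(sig_type, sig_data):
    """SHA-256 of the DER cert (as `openssl x509 -fingerprint -sha256`); hash entries are used as-is."""
    return sig_data.hex() if sig_type == EFI_CERT_SHA256_GUID else hashlib.sha256(sig_data).hexdigest()

def unexpected_mok_entries(data, allowed_fingerprints):
    """Fingerprints enrolled in the MOK list that are not on the allowlist."""
    fps = [fingerprint(t, d) for t, _owner, d in parse_signature_lists(data)]
    return [fp for fp in fps if fp not in allowed_fingerprints]

def build_signature_list(sig_type, owner, sig_datas):
    """Build one EFI_SIGNATURE_LIST; all signatures in one list share a single size."""
    sig_size = 16 + len(sig_datas[0])
    body = b"".join(owner.bytes_le + d for d in sig_datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample, not real certificates or a real MokListRT dump.
VENDOR_CERT = b"\x30\x82\x01\x00" + b"DISTRO-SHIM-VENDOR-CERT".ljust(256, b"\x00")
ROGUE_CERT = b"\x30\x82\x01\x00" + b"UNKNOWN-SELF-SIGNED-CERT".ljust(256, b"\x00")
SAMPLE_MOKLIST = (build_signature_list(EFI_CERT_X509_GUID, SHIM_GUID, [VENDOR_CERT])
                  + build_signature_list(EFI_CERT_X509_GUID, SHIM_GUID, [ROGUE_CERT]))
```

On a real host, compare the output against the fingerprints of the certificates your distribution's shim is expected to carry; any extra entry deserves investigation.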
Affected Devices
Machines vulnerable to the exploit include some models sold by Acer, HP, Fujitsu, and Lenovo when they ship with a UEFI developed by manufacturer Insyde and run Linux. Evidence found in the exploit code indicates the exploit may be tailored for specific hardware configurations of such machines. Insyde issued a patch earlier this year that prevents the exploit from working. Unpatched devices remain vulnerable. Devices from these manufacturers that use non-Insyde UEFIs aren’t affected.
Conclusion
The discovery of the LogoFAIL exploit highlights the importance of ensuring the security of UEFI firmware and the need for regular updates and patches. It also emphasizes the need for users to remain vigilant and take steps to protect their devices from potential threats.
FAQs
Q: What is the LogoFAIL exploit?
A: The LogoFAIL exploit is a security vulnerability that allows attackers to bypass Secure Boot protections on Linux machines by injecting shell code, hidden in a malicious bitmap image, that the UEFI firmware runs during the boot-up process.
Q: How does the exploit work?
A: The exploit delivers shell code to the UEFI through a malicious bitmap image; that code installs a cryptographic key that digitally signs a malicious GRUB file along with a backdoored image of the Linux kernel.
Q: Which devices are affected by the exploit?
A: Devices from Acer, HP, Fujitsu, and Lenovo that ship with a UEFI developed by manufacturer Insyde and run Linux are vulnerable to the exploit.
Q: Is there a patch available for the exploit?
A: Yes, Insyde issued a patch earlier this year that prevents the exploit from working. Unpatched devices remain vulnerable.