Intel
,

UEFI vulnerability for Intel processors opens the doors for a bootkit

Researchers have disclosed details of a vulnerability in Phoenix Technologies’ firmware for Intel processors.

Researchers have released details of a vulnerability in Intel processors that may expose hundreds of types of PCs.

The vulnerability, CVE-2024-0762, affects a number of different versions of Phoenix Technologiesā€™ UEFI code and affects devices using Phoenix SecureCore firmware running on Intel processor families including: AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake.

To really understand what the fuss is about, you should realize that until UEFI was proposed, computers relied on a rather archaic system called the Master Boot Record (MBR). The MBR worked in tandem with the BIOS to achieve the bootstrap process, which is the first thing a PC does when you turn the power on.

The introduction of UEFI replaced the BIOS and did away with the MBR altogetherā€”it uses the Guide Partition Table (GPT) instead.

The early start of this codeā€”or firmwareā€”presents an attacker with the ability to run malicious code before anything else, including your security software. Which is why we often refer to malware that operates at this level as a “bootkit”, because it’s a rootkit that starts with the boot of the system.

The primary benefit of a bootkit infection is that it cannot be detected by standard operating systems processes because all the components reside outside the Windows file system. Attackers can use them to run malware with root privileges and bypass protective software.

Phoenix Technologies released mitigations for this vulnerability in April 2024, but that is not yet a reason for a sigh of relief. It will take a very long time for all the systems affected to get a fix because a second vendor has to incorporate the patches into their software before they reach an end user.

This has always been a particularly acute problem on Android phones. If there is an update for the Android operating system, it can take a very long time to reach end users, because many mobile phone vendors sell their devices with their own tweaked versions of Android.

Likewise, this is not a quick and easy fix. Phoenix technologies may end up having to fix a lot of different patches because of tiny differences in system architecture. One that supports this many GPUs, and another which supports different hardware configurations for the motherboard etc.

Lenovo, for example, started releasing fixes last month but expects that some computers will remain exposed until later in the summer.

On the upside, an attacker will run into very similar problems. Since the vulnerability is a buffer overflow flaw, a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

The adjacent region is likely to be different for different models, so an exploit that works on all the different models will be hard to find. And an attacker will need to get physical access to the target system to exploit the vulnerability.

So, for now, itā€™s business as usual. Donā€™t let anyone near your PCs who shouldn’t have access. If you suspect foul play, check your policy settings and make sure to include a rootkit scan on your endpoints.

Users of Intel based systems should also refer to their relevant system manufacturer for guidance on affected devices and available updates.


We donā€™t just report on vulnerabilitiesā€”we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.