LogoFAIL firmware attack (with link to Insyde's security advisory)

Thanks @nrp for chiming in! As a security professional (CISSP and CCSP), I was curious to see what Framework and Insyde’s response would be to this. Pumped to see Insyde and Framework are on top of it.

4 Likes

Interesting read from Ars Technica

UEFIs booting Windows and Linux devices can be hacked by malicious logo images.

LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year’s worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware.

The company Binarly is currently working with Framework on their firmwares.

1 Like

Yep, I also want to know if a changed image would result in a different TPM2 state and which PCR would differ.

1 Like

I guess this attack would also be an attack vector for loading a logo that could compromise a machine.

That’s why you shouldn’t enable passwordless sudo.

ESP requires elevated privileges to write to, so you are protected in this case if keystroke injection can’t elevate privileges without authentication (assuming the attacker doesn’t know your password).

Based on analysis from Binarly, we believe each of our currently launched platforms except Chromebook Edition is vulnerable to some form of LogoFAIL. We are working with our upstream UEFI supplier, Insyde, in order to get the necessary update from them to resolve this. This is occurring as part of our sustaining software initiative.

56 Likes

Thank you for the quick answer and openness. Other companies might be tempted to delay saying that.

Everyone should remember that due to there being far fewer Framework Laptops out in the wild vs models from big brands, we should be pretty far down on a target list.

3 Likes

This is great to hear. Thanks @nrp. It will be a really good example to show how FW has strengthened the BIOS maintenance approach.

4 Likes

Figured as much. Thanks for acknowledging. My research with Recorded Future’s threat intel platform suggests this is already beginning to be exploited in the wild with bad logos being implemented. Glad to see Framework and Insyde are on it and keeping our computers safe.

2 Likes

@nrp Can you please provide some insights here? I guess the original logo is measured into PCR0, so this could detect an attack (since the Framework logo is not protected by Intel Boot Guard). Would a changed image via the ESP change e.g. PCR1?

1 Like

@nrp: Is there a way to skip the image parsing process? Let’s say I press F2 at boot to enter the BIOS, is a custom logo not parsed? If so, if I then continue to boot, do I skip an attack?
Especially if it will take longer to release BIOS updates, please investigate some possible “mitigations”.

1 Like

The only time anyone has ever preferred having a Chromebook :wink:

10 Likes

coreboot is one of the things why I’d like a Chromebook. If only I could have bought one. (Europe, none available when I ordered my 12th gen.)

1 Like

Hello,
As you may know, a vulnerability in the UEFI of x86 and ARM processors has been found. Since this affects the UEFI, it can infect both Linux and Windows.
I assume Framework will issue a UEFI update to address the issue. Until then, be careful.

2 Likes

There is already a thread here about this subject, into which FW have replied with details of what is happening about it.

2 Likes

It may make sense to pin this thread for a bit to avoid someone starting a new one every couple minutes.

8 Likes

Looks like it’s supported by MrChromebox’s alternative coreboot firmware too, according to the Chrultrabook device support table.

1 Like

The Chromebook version of Framework’s laptop is: Framework | Choose Framework Laptop Chromebook Edition (12th Gen (if this page doesn’t work, try setting your region to US. Exactly exposing my issue: I cannot order a Chromebook Edition in Europe.)
The hardware is confirmed to be different in such a way that I doubt its firmware will be able to be flashed and functional on a non-Chromebook 12th gen FW13.

Most Chromebooks would likely be built this way. It’s part of the spec Google requires for a device to be considered a Chromebook. While the Framework Chromebooks are out of stock, so I’m unable to help test alternative Coreboot firmware, my Lenovo C13 Yoga is successfully running openSUSE Tumbleweed under custom firmware currently so that’s fun.

1 Like

I’d just love to change the logo :slight_smile:

2 Likes