Can’t catch a break: Remember BlackLotus? A similar new vulnerability has now appeared, and it could be the next big headache for Intel-based devices, including those based on the latest Raptor Lake platform. It affects the UEFI firmware, potentially giving attackers a backdoor to wreak havoc on vulnerable PCs.
The flaw (CVE-2024-0762 with a reported CVSS of 7.5) was discovered in the Phoenix SecureCore UEFI firmware by cybersecurity firm Eclypsium, who identified it on Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen devices. Further investigation revealed that the vulnerability affects SecureCore firmware for a wide range of Intel CPUs, including Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake.
That’s every “Lake” released so far, so hundreds of models from major manufacturers such as Lenovo, Dell, Acer, and HP could be impacted.
The vulnerability is essentially a buffer overflow bug found in the firmware’s Trusted Platform Module (TPM) configuration, which lets attackers escalate privileges and gain code execution within the UEFI firmware during runtime. By overwriting adjacent memory with carefully crafted data, attackers can elevate privileges and gain code execution abilities within the firmware, enabling them to install bootkit malware.
“To be clear, this vulnerability lies in the UEFI code handling TPM configuration – in other words, it doesn’t matter if you have a security chip like a TPM if the underlying code is flawed,” clarifies Eclypsium.
Such low-level exploits are becoming increasingly common in the wild, providing bad actors with persistent access to devices and the means to work around higher-level security measures in the OS and software layers.
UEFI firmware is generally considered more secure because of Secure Boot, a feature supported by modern operating systems like Windows, macOS, and Linux. But the discovery of this vulnerability highlights the growing trend of targeting UEFI bugs to create malicious bootkits. These bootkits, such as BlackLotus, CosmicStrand, and MosaicAggressor, load early in the UEFI boot process, granting attackers low-level access to the system. This makes detection incredibly difficult.
In response to this discovery, Eclypsium coordinated with Phoenix and Lenovo to address the flaw. Lenovo has already released firmware updates for affected devices, and customers are advised to refer to their respective vendors for the latest firmware updates. However, it is important to note that not all models have available firmware updates at the time of writing, with many planned for release later this year.
If you’re an Intel user, it’s crucial to update your BIOS as soon as possible. But before diving in headfirst, make sure to back up your important files and the original BIOS, just in case things go sideways during the update process.
Meanwhile, Phoenix Technologies disclosed the vulnerability in May, announcing that mitigations were released as early as April. “Phoenix Technologies strongly recommends customers to update their firmware to the latest version and contact their hardware vendor as soon as possible to prevent any potential exploitation of this flaw,” it said.