Alert!

PCs with Intel processors: UEFI flaw allows malicious code to pass through

A bug in the Phoenix UEFI firmware lets attackers compromise computers. Lenovo devices with Intel CPUs are among those affected.

This article was originally published in German and has been automatically translated.

Security researchers from Eclypsium have discovered a vulnerability in Phoenix's SecureCore UEFI firmware that allows attackers to infect PCs with malicious code. According to them, only certain devices with Intel processors of different generations are at risk.

In an article, they explain that the vulnerability (CVE-2024-0762, rated "high") affects a variable in the context of the Trusted Platform Module (TPM). Because the vulnerability lies in the UEFI code for TPM configuration, the security chip cannot provide any protection in this case.

The researchers claim to have discovered the vulnerability in Lenovo's ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen laptops with Intel CPUs. In May 2024, Phoenix confirmed the vulnerability and announced that the Intel processors of the AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake and TigerLake series are affected.

The first security updates, for example from Lenovo, have been available since April 2024. The security researchers have only now published further details on the security problem. It remains unclear which manufacturers and PC models are still impacted.

To exploit the vulnerability, local attackers must target the vulnerable variable TCG2_CONFIGURATION. Because there are no security checks in this context, they can manipulate it, trigger a memory error and then execute their own code. Whether an attacker needs to have direct access to a PC to do this is not specifically stated in the security researchers' article.

The problem is that many computer manufacturers use the UEFI firmware from Phoenix, so the vulnerable code makes their devices vulnerable as well. Manufacturers first have to realize this, identify the affected product series and then distribute security updates, which owners then have to install. This complexity suggests that many PCs remain unpatched and therefore vulnerable.
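For owners and administrators who need to match a machine against their manufacturer's advisory, the following added example (not part of the original article and not code from Eclypsium or Phoenix) collects the firmware identity and the metadata of any TCG2_CONFIGURATION variable on a Linux system. It assumes the standard sysfs and efivarfs paths; the `root` parameter is a hypothetical addition for testing. A variable with this name being present does not by itself show that the firmware is vulnerable.

```python
"""Firmware inventory for advisory matching (CVE-2024-0762). Added example."""
import json
import os
import struct

VAR_NAME = "TCG2_CONFIGURATION"  # variable named in the article
DMI_FIELDS = ("sys_vendor", "product_name", "product_version",
              "bios_vendor", "bios_version", "bios_date")
# UEFI variable attribute bits, in the order they are reported
ATTR_FLAGS = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}


def read_text(path):
    """Return the stripped content of a sysfs file, or None if unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return None


def firmware_inventory(root="/"):
    """Collect DMI firmware fields and TCG2_CONFIGURATION metadata below root."""
    dmi = os.path.join(root, "sys/class/dmi/id")
    efivars = os.path.join(root, "sys/firmware/efi/efivars")
    report = {field: read_text(os.path.join(dmi, field)) for field in DMI_FIELDS}
    report["variables"] = []
    try:
        entries = sorted(os.listdir(efivars))
    except OSError:
        entries = []  # legacy BIOS boot, or efivarfs is not mounted
    for entry in entries:
        # efivarfs names each file <VariableName>-<VendorGUID>; the GUID is 36 chars
        name, guid = entry[:-37], entry[-36:]
        if name != VAR_NAME:
            continue
        try:
            with open(os.path.join(efivars, entry), "rb") as fh:
                raw = fh.read()
        except OSError:
            raw = b""
        item = {"guid": guid, "attributes": None, "data_size": None}
        if len(raw) >= 4:  # first 4 bytes: little-endian attribute mask
            mask = struct.unpack("<I", raw[:4])[0]
            item["attributes"] = [n for bit, n in ATTR_FLAGS.items() if mask & bit]
            item["data_size"] = len(raw) - 4
        report["variables"].append(item)
    return report


if __name__ == "__main__":
    print(json.dumps(firmware_inventory(), indent=2))
```

Compare the reported BIOS version and date with the fixed version listed in the manufacturer's advisory for the model.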

If attackers persistently implant malicious code and install a backdoor even before an operating system is started, the consequences are fatal: under Windows, for example, they can operate hidden from virus scanners and manipulate the operating system unnoticed by the victim, for instance to install online banking malware.

Something similar happened with the BlackLotus UEFI bootkit. The attackers bypassed the UEFI protection mechanism Secure Boot, attacked a fully patched Windows 11 and deactivated the BitLocker encryption and the Defender virus scanner, among other things.

(des)