A new vulnerability affecting PCs built on Intel processors, CVE-2024-0762, also known as “UEFIcanhazbufferoverflow,” could impact numerous computers. The buffer overflow affects multiple versions of Phoenix Technologies’ SecureCore Unified Extensible Firmware Interface (UEFI) firmware. The issue was first disclosed by Phoenix Technologies in May, and researchers at Eclypsium detailed it in a recent blog post.
Eclypsium researchers first discovered the vulnerability in November last year while analyzing UEFI images in Lenovo ThinkPad X1 Carbon (7th Gen) and X1 Yoga (4th Gen) laptops. The problem lies in an unsafe call to the GetVariable() runtime service, which reads the contents of UEFI variables. Because the amount of data read back is not adequately checked, an attacker can supply an oversized variable, overflow the receiving buffer, and use that to escalate privileges and execute code on the target machine.
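To make the GetVariable() size contract concrete, here is an added example (not code from Eclypsium’s post or from Phoenix’s firmware): a minimal C model of the service with a constructed variable store and a simplified stack frame, showing one common way such a call goes wrong (trusting the size reported by a first call) next to the checked form. All types, names, and the variable contents are constructed stand-ins, not real EFI headers or the affected variable.

```c
#include <stdint.h>
#include <string.h>

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL (0x8000000000000000ULL | 5ULL)

/* Constructed NVRAM store for one variable; the OS can rewrite it with any length
 * through SetVariable, so the stored length must not be trusted by firmware. */
static uint8_t g_var_data[256];
static size_t  g_var_len;
static EFI_STATUS g_last_status;       /* status of the most recent demo() call */

/* Model of the runtime service contract: DataSize is in/out and data is
 * copied only when the caller's stated capacity covers the variable. */
EFI_STATUS GetVariable(size_t *DataSize, void *Data) {
    if (Data == NULL || *DataSize < g_var_len) {
        *DataSize = g_var_len;            /* report the true size, copy nothing */
        return EFI_BUFFER_TOO_SMALL;
    }
    memcpy(Data, g_var_data, g_var_len);
    *DataSize = g_var_len;
    return EFI_SUCCESS;
}

/* Stand-in for a firmware stack frame: a fixed buffer (first member) with a
 * sentinel right after it, in the slot where a saved return address would sit. */
typedef struct { uint8_t buf[32]; uint64_t sentinel; } Frame;

/* Unchecked pattern: the size reported by the first call is handed to the
 * second, so the copy length is whatever length the variable happens to have. */
EFI_STATUS read_unchecked(Frame *f) {
    size_t size = 0;
    GetVariable(&size, NULL);             /* size now equals the stored length */
    return GetVariable(&size, (uint8_t *)f);  /* f->buf sits at offset 0 */
}

/* Hardened pattern: the stated capacity is the real buffer size, so an
 * oversized variable yields EFI_BUFFER_TOO_SMALL and nothing is copied. */
EFI_STATUS read_checked(Frame *f, size_t *out_len) {
    size_t size = sizeof f->buf;
    EFI_STATUS st = GetVariable(&size, f->buf);
    if (st != EFI_SUCCESS) return st;     /* oversized or absent: reject it */
    *out_len = size;
    return EFI_SUCCESS;
}

/* Driver: store var_len bytes of 0x41 (as an OS-side SetVariable would), read
 * them back with one pattern, and return the sentinel to show if it survived. */
uint64_t demo(int checked, size_t var_len) {
    Frame f; size_t n = 0;
    g_var_len = var_len < sizeof g_var_data ? var_len : sizeof g_var_data;
    memset(g_var_data, 0x41, g_var_len);
    f.sentinel = 0xC0FFEEULL;
    g_last_status = checked ? read_checked(&f, &n) : read_unchecked(&f);
    return f.sentinel;
}
```

With a 40-byte variable, the unchecked reader overwrites the sentinel with 0x41 bytes while the checked reader returns EFI_BUFFER_TOO_SMALL and leaves the frame untouched; with a 16-byte variable both succeed.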
Even more concerning is the wide impact of this vulnerability. Intel supplies most PC processors globally, and SecureCore firmware runs on ten generations of different Intel chips. Eclypsium estimates that hundreds of PC models could be affected.
UEFI is one of the few areas in a machine that can be effectively and persistently attacked by malicious actors. As the firmware interface controlling system startup, it runs the first and highest-privileged code when the user presses the power button. In recent years, UEFI has attracted numerous attackers, enabling them to gain root-level privileges, establish persistence through reboots, bypass security programs that may catch traditional malware, and more.
Eclypsium’s Director of Threat Research and Intelligence, Nate Warfield, explains that UEFI’s unique position makes it an ideal target. If code is executed at the computer’s startup stage, malware can be injected into the boot sector or before Windows starts.
Despite its severity, UEFIcanhazbufferoverflow only scored 7.5 out of 10 on the CVSS rating system. This is mainly because it requires attackers to have access to the target machine. Additionally, exploiting the vulnerability might require customization based on the target computer’s configuration, adding complexity to the attack.
Developing patches also presents challenges. Warfield explains that the vulnerability affects multiple versions of Phoenix UEFI code, requiring vendors to patch all of these versions. Due to different hardware configurations supported by various versions, the patching process becomes even more complex.
Lenovo has been collaborating with researchers in recent months and began releasing fixes last month, but some computers will remain vulnerable until late summer. Other OEMs and ODMs that recently learned of the vulnerability will likely take longer to address it. Meanwhile, organizations using Intel-chip computers can only wait.