BIOS Security Vulnerability Affects Intel CPUs In Hundreds Of Devices

A few years ago, PC firmware switched from the aging BIOS system to the Unified Extensible Firmware Interface standard, more commonly known as UEFI. This system is more secure than the legacy BIOS was, but it's not perfect. Cybersecurity firm Eclypsium reports the discovery of a serious bug in UEFI that could affect hundreds of Intel-powered PC models.

Eclypsium says the flaw is present in the Phoenix SecureCore UEFI Trusted Platform Module (TPM), cataloged as CVE-2024-0762. You might be familiar with the TPM from Microsoft's decision to require these components for Windows 11. The TPM is supposed to verify the integrity of the system at boot, making it a valuable security measure. However, the "UEFIcanhazbufferoverflow" bug undoes all that.

Researchers first spotted the bug in the Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen devices, which were released in 2021 and 2019, respectively. Eclypsium later confirmed with Phoenix that the flaw is present in SecureCore firmware for all of Intel's architectures from Kaby Lake (7th gen) onward, including Coffee Lake, Comet Lake, Ice Lake, Tiger Lake, Rocket Lake, Alder Lake, Jasper Lake, Meteor Lake, and Raptor Lake.

As the name implies, this is a buffer overflow attack. By triggering the bug, an attacker can gain escalated privileges that allow for the execution of arbitrary code within the UEFI firmware. This is, therefore, a serious vulnerability. "UEFI firmware is some of the most high-value code on modern devices," says Eclypsium. With the ability to bypass the TPM, a threat actor can use UEFIcanhazbufferoverflow to install bootkits and other kinds of malware that operate at the firmware level, giving them persistence on a machine even if the operating system is reinstalled. This is something we've seen in the past, too. The good news is this vulnerability is only exploitable with physical access to the system.

feature image phonuefi4%20copy

The flaw affects numerous PC manufacturers like Lenovo, Dell, Acer, and HP, and it's going to take time to fix given the huge number of affected systems. Lenovo has already released updates for a handful of models, and the remainder should be updated by the end of 2024. Other companies have yet to announce update plans.

Even when the updates are rolled out, it may be a challenge to get users to update. Because a bad UEFI update can turn a computer into an expensive brick, these updates require users to opt-in to the installation. If the patched TPM code isn't bundled with automatic updates, less technical users won't know to install it. If you've got an Intel-powered PC, you should keep an eye out for firmware updates.