Vulnerability in Phoenix SecureCore threatens Intel chips
Cybersecurity researchers have revealed details of a security flaw in Phoenix SecureCore UEFI firmware, affecting various Intel Core desktop and mobile chips.
The vulnerability, designated CVE-2024-0762 and nicknamed “UEFIcanhazbufferoverflow,” has a CVSS score of 7.5. It stems from a buffer overflow due to an unsafe variable in the Trusted Platform Module (TPM) configuration, allowing local attackers to escalate privileges and execute malicious code within the UEFI firmware during runtime. Eclypsium, a supply chain security firm, noted that this low-level exploitation is common in firmware backdoors like BlackLotus, providing attackers with ongoing device persistence and evasion capabilities against higher-level security measures.
Phoenix Technologies addressed the vulnerability in April 2024 following responsible disclosure, and Lenovo has issued updates as of last month. Affected devices include those running Phoenix SecureCore firmware on Intel processor families such as AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake.
UEFI, the successor to BIOS, initializes hardware components and loads the operating system during startup, running with the highest privileges. This makes UEFI a prime target for deploying bootkits and firmware implants that bypass security mechanisms and maintain undetected persistence. Vulnerabilities in UEFI firmware pose significant supply chain risks, potentially affecting numerous products and vendors simultaneously. Eclypsium emphasized that compromising UEFI firmware can grant attackers full control and persistence on a device.
This disclosure follows a similar unpatched buffer overflow flaw in HP’s UEFI implementation for the HP ProBook 11 EE G1, which reached end-of-life in September 2020, and a software attack called TPM GPIO Reset that could expose secrets and undermine TPM-protected controls.
