A vulnerability (CVE-2024-0762) has been identified in the Phoenix SecureCore UEFI firmware, which is used on many laptops, PCs and servers with Intel processors. It allows an attacker who already has access to the system to achieve code execution at the firmware level. After a successful attack on a system, the vulnerability can be used to leave a backdoor in the firmware that operates at a level above the operating system, bypasses the OS security mechanisms, is invisible to malware detection programs, and persists after the OS is reinstalled.
The vulnerability is caused by unsafe use of the TCG2_CONFIGURATION variable in the TPM (Trusted Platform Module) configuration. Manipulating this variable can lead to a buffer overflow and potentially to code execution with UEFI firmware privileges, i.e. at the SMM (System Management Mode) level, which is more privileged than hypervisor mode and protection ring 0 and provides unrestricted access to all system memory. The vulnerability is in the TPM configuration processing code in UEFI and occurs regardless of whether a TPM chip is present.
The overflow is caused by the UEFI firmware incorrectly calling the GetVariable service twice: when the TCG2_CONFIGURATION value exceeds the size of the buffer initially allocated on the stack, the call is repeated, and both calls use the same data_size variable and the same buffer, with no separate size check after the first call. If an attacker is able to change the value of the UEFI variable TCG2_CONFIGURATION while the system is running, they can make it large enough that the first call returns EFI_BUFFER_TOO_SMALL. Since after the first call data_size is set to the size of the TCG2_CONFIGURATION variable rather than the size of the existing buffer, the second call overflows the buffer.

    void Function_0000537c(void)
    {
        ...
        ulonglong data_size;
        char buffer[8];   /* fixed-size buffer on the stack */
        ...
        EVar1 = (*gRS_2->GetVariable)((CHAR16 *)TCG2_CONFIGURATION, &gTCG2_CONFIG_FORM_SET_GUID,
                                      (UINT32 *)0x0, &data_size, buffer);
        if (EVar1 == EFI_BUFFER_TOO_SMALL) {
            /* data_size now holds the variable's size; buffer is still the same stack buffer */
            EVar1 = (*gRS_2->GetVariable)((CHAR16 *)TCG2_CONFIGURATION, &gTCG2_CONFIG_FORM_SET_GUID,
                                          (UINT32 *)0x0, &data_size, buffer);
            ...

The problem manifests itself in Phoenix SecureCore firmware used on devices with Intel processors of the AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake and TigerLake families. Whether an attack can be carried out on a specific system depends on the firmware settings and on the ability to gain access to the TCG2_CONFIGURATION variable. An example of exploitation of the vulnerability was demonstrated on the Lenovo ThinkPad X1 Carbon Gen and Lenovo ThinkPad X1 Yoga 4th generation laptops. The vulnerability was fixed in the April and May firmware updates from Phoenix Technologies and Lenovo.
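The double-call pattern described above, modelled beside a checked read as an added example (not Phoenix's code and not part of the original article). `mock_get_variable`, the status constants and the guard-byte arena are hypothetical stand-ins that mimic only GetVariable's size-in/size-out behaviour, so the overwrite can be counted without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins throughout; not firmware or EDK II code. */
enum { ST_OK, ST_TOO_SMALL, BUF_LEN = 8, ARENA_LEN = 64 };
static unsigned char var_data[32];        /* constructed contents (zeros) */
static size_t var_len = sizeof var_data;  /* size an attacker could set */

/* Mock with GetVariable size semantics: *size is capacity in, length out. */
static int mock_get_variable(size_t *size, void *out)
{
    size_t cap = *size;
    *size = var_len;
    if (cap < var_len) return ST_TOO_SMALL;
    memcpy(out, var_data, var_len);
    return ST_OK;
}

/* Pattern from the page: retry with the updated size and the same buffer. */
static int read_vulnerable(unsigned char *buf)
{
    size_t data_size = BUF_LEN;
    if (mock_get_variable(&data_size, buf) != ST_TOO_SMALL) return ST_OK;
    return mock_get_variable(&data_size, buf);  /* copies var_len bytes */
}

/* Hardened: one call with capacity BUF_LEN; oversize data is an error. */
static int read_checked(unsigned char *buf)
{
    size_t data_size = BUF_LEN;
    return mock_get_variable(&data_size, buf);
}

/* Give a reader an 8-byte buffer followed by guard bytes; count overwrites. */
static size_t guard_bytes_clobbered(int (*reader)(unsigned char *))
{
    unsigned char arena[ARENA_LEN];
    size_t i, n = 0;
    memset(arena, 0xAA, sizeof arena);
    reader(arena);
    for (i = BUF_LEN; i < ARENA_LEN; i++) n += (arena[i] != 0xAA);
    return n;
}

int main(void)
{
    printf("guard bytes overwritten: vulnerable=%zu checked=%zu\n",
           guard_bytes_clobbered(read_vulnerable), guard_bytes_clobbered(read_checked));
    return 0;
}
```

A reader that must accept larger values would instead allocate a buffer of the reported size before making the second call.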