UEFIcanhazbufferoverflow Vulnerability Impacts Intel CPUs
The vulnerable Phoenix SecureCore UEFI firmware spans various Intel Core processor generations: AlderLake, CoffeeLake, CometLake, IceLake, and others.
Ashish Khaitan June 21st, 2024
Share on LinkedInShare on Twitter
A newly discovered vulnerability, CVE-2024-0762, dubbed “UEFIcanhazbufferoverflow,” has recently come to light in the Phoenix SecureCore UEFI firmware, impacting various Intel Core desktop and mobile processors. The UEFIcanhazbufferoverflow vulnerability, disclosed by cybersecurity researchers, exposes a critical buffer overflow issue within the Trusted Platform Module (TPM) configuration, potentially allowing malicious actors to execute unauthorized code.
Eclypsium, a firm specializing in supply chain security, identified the vulnerability through its automated binary analysis system, Eclypsium Automata. They reported that the flaw could be exploited locally to escalate privileges and gain control over the UEFI firmware during runtime. This exploitation bypasses higher-level security measures, making it particularly concerning for affected devices.
Decoding the UEFIcanhazbufferoverflow Vulnerability and its Impact
The affected Phoenix SecureCore UEFI firmware is utilized across multiple generations of Intel Core processors, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. Given the widespread adoption of these processors by various OEMs, the UEFIcanhazbufferoverflow vulnerability has the potential to impact a broad array of PC products in the market.
According to Eclypsium researchers, the vulnerability arises due to an insecure variable handling within the TPM configuration, specifically related to the TCG2_CONFIGURATION variable. This oversight could lead to a scenario where a buffer overflow occurs, facilitating the execution of arbitrary code by an attacker.
Phoenix Technologies, in response to the disclosure, promptly assigned CVE-2024-0762 to the UEFIcanhazbufferoverflow vulnerability and released patches on May 14, 2024, to mitigate the issue. The severity of the vulnerability is reflected in its CVSS score of 7.5, indicating a high-risk threat.
The Importance of UEFI Architecture Security
In practical terms, the exploitation of UEFI firmware vulnerabilities like “UEFIcanhazbufferoverflow” highlights the critical role of firmware in device security. The UEFI architecture serves as the foundational software that initializes hardware and manages system runtime operations, making it a prime target for attackers seeking persistent access and control.
This incident also highlights the challenges associated with supply chain security, where vulnerabilities in upstream components can have cascading effects across multiple vendors and products. As such, organizations are advised to leverage comprehensive scanning tools to identify affected devices and promptly apply vendor-supplied firmware updates.
For enterprises relying on devices with potentially impacted firmware, proactive measures include deploying solutions to continuously monitor and assess device integrity. This approach helps mitigate risks associated with older devices and ensures ongoing protection against active exploitation of firmware-based vulnerabilities.