Phoenix SecureCore UEFI firmware bug affects Intel processors

A vulnerability in the Phoenix SecureCore UEFI's firmware is present in multiple Intel processors and hundreds of computer models, according to new research from Eclypsium.

The research concerns a high-severity vulnerability tracked as CVE-2024-0762 and dubbed "UEFIcanhazbufferoverflow" by researchers. According to Eclypsium, which first discovered the flaw, CVE-2024-0762 was assigned a 7.5 CVSS score and "involves an unsafe variable in the Trusted Platform Module (TPM) configuration that could lead to a buffer overflow and potential malicious code execution."

Eclypisum warned that UEFI vulnerabilities have become prime targets for attackers because the firmware controls systems' boot process. The security vendor cited recent UEFI attacks such as BlackLotus and MosaicRegressor.

"The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime. This type of low-level exploitation is typical of firmware backdoors (e.g. BlackLotus) that are increasingly observed in the wild," Eclypsium's Thursday blog read. "Such implants give attackers ongoing persistence within a device and often, the ability to evade higher-level security measures running in the operating system and software layers. Additionally, the manipulation of runtime code can make attacks harder to detect via various firmware measurements."

The vulnerability is not in itself new; Phoenix issued an advisory when it was first disclosed last month and released mitigations as early as April. The company urged customers at the time to update to the latest firmware, which includes said mitigations. In an email to TechTarget Editorial on Thursday, a Phoenix spokesperson made the same recommendation.

Eclypsium's blog post provides additional context and technical details about the vulnerability.

Eclypsium initially reported that the vulnerability was present on Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen. Phoenix later said multiple families of Intel processors were affected including Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake.

Eclypsium explained that the flaw is serious because a high-severity vulnerability in something like a UEFI that is licensed by downstream vendors can create the potential for exploitation across the whole supply chain. The security vendor noted that Phoenix SecureCore UEFI is used in hundreds of different PC products.

"UEFI firmware development is a complex and specialized discipline and OEMs will often source their firmware from third-party firmware vendors," the blog read. "In this case, Lenovo licensed firmware from Phoenix Technologies, a well-respected and established firmware vendor. However, this also means that any vulnerabilities in an upstream supply-chain provider can potentially affect many different products and vendors. In this case, any manufacturer that uses versions of Phoenix firmware named in the CVE could be affected."

Nate Warfield, director of threat research and intelligence at Eclypsium, told TechTarget Editorial in an email that Eclypsium has not seen exploitation to date.

"Exploitation is less likely because this is something an attacker would use after gaining access to the system to maintain persistence," Warfield said. "Additionally, Eclypsium is not releasing a proof-of-concept exploit."

TechTarget Editorial contacted Intel for additional comment.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.