CVSS3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
EPSS Percentile: 15.6%
Vendor implementations of the Unified Extensible Firmware Interface (UEFI) provide a way to customize the logo image displayed during the early boot phase. Binarly has uncovered vulnerabilities in the image parsing libraries that provide this capability. An attacker with local privileged access can exploit these vulnerabilities to modify UEFI settings.
UEFI firmware provides an extensible interface between an operating system and the hardware platform. UEFI software stores a number of settings and files in a customized Extensible Firmware Interface (EFI) partition known as the EFI system partition (ESP). The ESP is a special privileged file system that is independent of the OS and essentially acts as the storage place for the UEFI boot loaders, applications, hardware drivers and customizable settings to be launched by the UEFI firmware. The ESP is mandatory for UEFI boot and is protected from unprivileged access. The information stored in the ESP is probed and processed during the early phases of a UEFI-based OS. One such item stored in the ESP is a personalizable boot logo.
Binarly has discovered a number of vulnerabilities in the image parsing libraries that read and process these image files. Because these files are processed by executables that run with high privilege, it is possible to exploit these vulnerabilities to access and modify high-privileged UEFI settings of a device. The UEFI supply chain allows many of these shared libraries to be integrated in various ways, including compiled from source, licensed for modification and reuse, and as a dynamically or statically linked executable. Binarly has also observed that in some cases an attacker can create a bundled firmware update that contains a corrupt or malicious image to trigger these vulnerabilities. This can also allow an attacker to exploit the vulnerability while flashing the PCI with a firmware update. Due to the complex nature of these vulnerabilities and their potentially wide impact, Binarly would like to use the label LogoFAIL to track and support coordination and mitigation of these vulnerabilities.
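Because the logo is read from the ESP at boot, a defender can inventory image files there by content and compare them with a known-good baseline. The following is an added example, not code from the advisory or any vendor; the `EFI/OEM` layout and file names are constructed, and a real check would pass the ESP mount point to `inventory()`.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading magic bytes; "BM" is two bytes, so BMP hits are over-inclusive by design.
MAGIC = {b"BM": "bmp", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"GIF87a": "gif", b"GIF89a": "gif"}


def image_type(data):
    """Classify by leading bytes, because a file extension proves nothing."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)


def inventory(esp_root):
    """Map relative path -> (type, size, sha256) for each image under esp_root."""
    root, found = Path(esp_root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if kind := image_type(data):
            found[path.relative_to(root).as_posix()] = (
                kind, len(data), hashlib.sha256(data).hexdigest())
    return found


def diff(baseline, current):
    """Image paths added, removed or changed relative to a known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo():
    """Run against a constructed directory tree standing in for a mounted ESP."""
    with tempfile.TemporaryDirectory() as esp:
        oem = Path(esp, "EFI", "OEM")  # hypothetical layout, not from the advisory
        oem.mkdir(parents=True)
        (oem / "logo.bmp").write_bytes(b"BM" + bytes(52))
        (oem / "boot.efi").write_bytes(b"MZ" + bytes(62))  # not an image: ignored
        baseline = inventory(esp)
        (oem / "logo.bmp").write_bytes(b"BM" + bytes(900))  # logo replaced
        (oem / "data.bin").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(16))  # new image
        return baseline, diff(baseline, inventory(esp))


if __name__ == "__main__":
    print(demo()[1])
```

An image that appears or changes on the ESP outside a planned firmware or OEM update is worth reviewing before the next reboot.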
Note: Major Independent BIOS Vendors (IBV) have obtained CVE IDs to track this set of vulnerabilities for their supply-chain partners and their customers.
Binarly Advisory | CVEs | Primary Vendor |
---|---|---|
BRLY-2023-018 | CVE-2023-39539 | AMI |
BRLY-2023-006 (1) | CVE-2023-40238 | Insyde |
BRLY-2023-006 (2) | CVE-2023-5058 | Phoenix |
811862
Notified: 2023-07-11 Updated: 2023-12-06
Statement Date: September 20, 2023
CVE | Status |
---|---|
CVE-2023-39539 | Affected |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
Changed status from “not affected” to “affected” after researcher provided another image that engineering teams were able to successfully reproduce the issue with.
Notified: 2023-07-11 Updated: 2024-01-31
Statement Date: January 31, 2024
CVE | Status |
---|---|
CVE-2023-39539 | Affected |
CVE-2023-40238 | Affected |
CVE-2023-5058 | |
Fujitsu is aware of the vulnerabilities in AMI and Insyde firmware (AMI Aptio V, Insyde InsydeH2O UEFI-BIOS) known as “LogoFAIL”.
The affection state of Fujitsu CCD (Client Computing Device) is still under investigation. Several updates for Fujitsu SERVER devices were made available.
The Fujitsu PSIRT (Europe) released FJ-ISS-2023-112100 on https://security.ts.fujitsu.com (Security Notices) accordingly; see https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2023-112100-Security-Notice.pdf
In case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Europe) ([email protected]).
Notified: 2023-07-11 Updated: 2023-12-18
Statement Date: December 16, 2023
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
Vendor Statement: | |
Insyde products are not affected by this vulnerability. | |
CVE-2023-40238 | Affected |
CVE-2023-5058 | |
Insyde products are not affected by this vulnerability. | |
Certain OEM products whose firmware uses a customized version of Insyde’s InsydeH2O are affected by this vulnerability. The issue was discovered by Binarly and was assigned the CVE CVE-2023-40238.
Notified: 2023-07-11 Updated: 2023-12-06
Statement Date: November 13, 2023
CVE | Status |
---|---|
CVE-2023-39539 | Affected |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-15
Statement Date: November 29, 2023
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
At this time, we believe that our base product is not affected. We have made several attempts to reproduce it in our base product and been unable to.
That said, customers of ours may have added custom features to our product that introduce this vulnerability. We are working with our customers to assist them to develop fixes that will mitigate this vulnerability.
Update: While we have not been able to reproduce this in our base product, we continue to see clients shipping products that are affected. We have found that extensions Phoenix assisted our clients with are affected. We have provided updates to our customers and they are producing firmware updates. CVE-2023-5058
Notified: 2023-11-21 Updated: 2023-12-19
Statement Date: December 19, 2023
CVE | Status |
---|---|
CVE-2023-39539 | Not Affected |
CVE-2023-40238 | Not Affected |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
Statement Date: September 20, 2023
CVE | Status |
---|---|
CVE-2023-39539 | Not Affected |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
Statement Date: July 11, 2023
CVE | Status |
---|---|
CVE-2023-39539 | Not Affected |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-12-04 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-11-21 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
Notified: 2023-07-11 Updated: 2023-12-06
CVE | Status |
---|---|
CVE-2023-39539 | Unknown |
CVE-2023-40238 | Unknown |
CVE-2023-5058 | |
We have not received a statement from the vendor.
CVE IDs: | CVE-2023-39539 CVE-2023-40238 CVE-2023-5058 |
---|---|
API URL: | VINCE JSON |
Date Public: | 2023-12-06 |
Date First Published: | |
www.uefi.org/sites/default/files/resources/UEFI%202_5.pdf#page=536
9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023009.pdf
binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html
learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi?view=windows-11
uefi.org/specs/UEFI/2.10/13_Protocols_Media_Access.html
uefi.org/specs/UEFI/2.10/33_Human_Interface_Infrastructure.html
www.insyde.com/security-pledge/SA-2023053
www.phoenix.com/security-notifications/cve-2023-5058/