A newly discovered vulnerability, tracked as CVE-2024-0762, affects a range of Intel Core desktop and mobile processors. The issue, first detected in the Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen, carries a high severity rating of 7.5. Subsequent evaluations have revealed that the problem affects multiple versions of Phoenix Technologies’ SecureCore firmware, impacting a wide range of devices. More detailed information is available on the Eclypsium blog.
Impacted Processors and Devices
The vulnerability, dubbed “UEFIcanhazbufferoverflow,” spans numerous Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. Devices from various OEMs and ODMs rely on these processors, making the reach of this security flaw extensive. Phoenix SecureCore UEFI firmware is a common feature in many of these devices, further broadening the risk.
Technical Details
The core issue lies in the UEFI code handling the TPM (Trusted Platform Module) configuration, leading to a buffer overflow vulnerability. This flaw allows local threat actors to gain elevated privileges and execute remote code during UEFI firmware runtime. The exploitability of this vulnerability hinges on the configuration and permissions of the TCG2_CONFIGURATION variable, which varies across different platforms.
Additionally, the vulnerability can be exploited similarly to firmware backdoors, commonly utilized by malicious actors. If exploited, it could enable attackers to evade security measures at the operating system and software levels, making detection and mitigation more challenging.
Information from other sources highlights that the module with GUID E6A7A1CE-5881-4B49-80BE-69C91811685C is particularly vulnerable. The crux of the issue is two calls to GetVariable with the argument “TCG2_CONFIGURATION” and the same DataSize, made without adequate checks. The first call returns EFI_BUFFER_TOO_SMALL and sets DataSize to the length of the UEFI variable; the second call then reuses that size and writes past the end of the buffer, leading to a stack buffer overflow.
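The double-call pattern described above, modelled in user-space C beside a hardened form. This is an added example, not Phoenix's code: `mock_get_variable`, `set_nv`, the buffer sizes and the simplified status values are assumptions that reproduce only the DataSize contract of GetVariable, and the variable contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified status values and sizes; every name here is hypothetical. */
enum { EFI_SUCCESS = 0, EFI_BUFFER_TOO_SMALL = 5, BUF_CAP = 8, FRAME = 32 };
static uint8_t nv_data[FRAME];   /* constructed variable contents */
static size_t  nv_len;

void set_nv(size_t len) {        /* models whoever controls the variable's length */
    nv_len = len > FRAME ? FRAME : len;
    memset(nv_data, 0x41, nv_len);
}

/* Mock of GetVariable's size contract: on a short buffer, report the needed size. */
static int mock_get_variable(size_t *size, void *data) {
    if (*size < nv_len) { *size = nv_len; return EFI_BUFFER_TOO_SMALL; }
    memcpy(data, nv_data, nv_len);
    *size = nv_len;
    return EFI_SUCCESS;
}

/* Flawed pattern: the size rewritten by call 1 is reused for call 2.
   frame[0..BUF_CAP) is the buffer; the rest models adjacent stack data.
   Returns how many bytes past the buffer were overwritten. */
size_t read_config_flawed(void) {
    uint8_t frame[FRAME] = {0};
    size_t size = BUF_CAP, over = 0;
    mock_get_variable(&size, frame);   /* too small: size becomes nv_len */
    mock_get_variable(&size, frame);   /* size no longer reflects BUF_CAP */
    for (size_t i = BUF_CAP; i < FRAME; i++) over += (frame[i] != 0);
    return over;
}

/* Hardened pattern: size always states the real capacity, and an
   oversized variable is rejected instead of retried. */
int read_config_hardened(uint8_t out[BUF_CAP], size_t *out_len) {
    size_t size = BUF_CAP;
    int st = mock_get_variable(&size, out);
    if (st != EFI_SUCCESS) return st;
    *out_len = size;
    return EFI_SUCCESS;
}

int main(void) {
    uint8_t buf[BUF_CAP]; size_t n = 0;
    set_nv(24);                        /* constructed oversized variable */
    printf("past buffer: %zu, hardened status: %d\n",
           read_config_flawed(), read_config_hardened(buf, &n));
    return 0;
}
```

If a second call is genuinely needed, the size argument has to be reset to the buffer's real capacity before it is passed again.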
Comparatively, earlier reports focused more on firmware-specific vulnerabilities and their potential exploit methods, while current insights address broader implications across various Intel processor families and the necessity for firmware updates by all affected users.
Users who depend on the vulnerable firmware versions are strongly advised to apply vendor-issued patches to rectify this security flaw. Ignoring these updates could leave numerous devices exposed to substantial risks, enabling attackers to bypass existing security protocols and execute harmful actions undetected.
Understanding the technical intricacies of this vulnerability is crucial for addressing it effectively. UEFIcanhazbufferoverflow calls attention to the need for vigilant firmware security practices and timely updates to mitigate potential threats. As malicious actors continually evolve their tactics, maintaining robust security measures becomes increasingly vital for safeguarding sensitive information and ensuring system integrity.