Security Flaw in Phoenix SecureCore UEFI Affecting Multiple Intel CPUs Unveiled

June 20, 2024

Security researchers have disclosed a vulnerability in the Phoenix SecureCore UEFI firmware that affects a range of Intel Core desktop and mobile processors. The flaw, tracked as CVE-2024-0762, is a buffer overflow caused by an unsafe variable used in the Trusted Platform Module (TPM) configuration, and it could lead to the execution of malicious code.

Eclypsium, a supply chain security company, stated: "The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime." This kind of low-level exploitation is typical of firmware backdoors such as BlackLotus, which are increasingly observed in the wild. Such implants give threat actors persistent access to a device and often the ability to bypass higher-level security controls in the operating system and software layers.

Phoenix Technologies addressed the vulnerability in April 2024, following responsible disclosure. Lenovo, the PC manufacturer, also released updates for the flaw last month. The vulnerability affects devices that use Phoenix SecureCore firmware and run on selected Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake.

UEFI, which succeeds BIOS, is motherboard firmware used during startup to initialize hardware components and load the operating system through the boot manager. Because UEFI is the first code run with the highest privileges, it is an attractive target for threat actors seeking to deploy bootkits and firmware implants. These can undermine security mechanisms and maintain persistence without detection. Vulnerabilities in the UEFI firmware can pose significant supply chain risks, impacting many products and vendors simultaneously.

"UEFI firmware is some of the most high-value code on modern devices, and any compromise of that code can give attackers full control and persistence on the device," Eclypsium added. This disclosure follows the company's revelation of a similar unpatched buffer overflow flaw in HP's UEFI implementation that affects the HP ProBook 11 EE G1, a device that reached end-of-life (EoL) status in September 2020. It also comes after the disclosure of a software attack called TPM GPIO Reset that could be exploited by attackers to access secrets stored on disk by other operating systems or undermine controls protected by the TPM, such as disk encryption or boot protections.
