By Lior Tenne – Security Researcher
A critical security flaw (CVE-2024-0762) in Phoenix SecureCore UEFI firmware has recently surfaced, known ominously as “UEFIcanhazbufferoverflow”. This vulnerability has a high severity with a CVSS score of 7.5. It affects numerous families of Intel Core processors across devices from major vendors like Acer, ASUS, Dell, Fujitsu, HP, Lenovo, and MSI. Its implications for Windows laptops, tablets, desktops, and servers are significant, necessitating immediate attention and proactive measures. Previous examples, such as BlackLotus, CosmicStrand, and MosaicRegressor have demonstrated how these types of flaws can significantly challenge security researchers.
What is a CVE?
Common Vulnerabilities and Exposures (CVE) is a standardized list of publicly known cybersecurity vulnerabilities and exposures that provides a common identifier (CVE ID) for each documented issue.
The purpose of CVE is to provide a standardized way to identify vulnerabilities and exposures, facilitating information sharing among cybersecurity professionals. It also serves as a basis for evaluating and prioritizing cybersecurity risks and mitigations.
How does the CVSS scale work?
The CVSS score, or Common Vulnerability Scoring System, is a standardized framework for assessing and communicating the severity of computer system security vulnerabilities. Each metric in the CVSS scale is assigned a value that ranges from 0.0 to 10.0, with 10.0 being the most severe. These values are then combined using a formula to calculate the overall CVSS score, which provides an objective measure of the vulnerability’s severity and helps organizations prioritize their response efforts.
How a UEFI Vulnerability Puts Systems at Risk
Imagine your computer’s startup process is like packing for a trip. The UEFI firmware, responsible for getting everything in order, sometimes makes a mistake with how much space it allocates—similar to how you might accidentally pack too much into a suitcase. This slip-up, especially with variables like ‘TCG2_CONFIGURATION’ in TPM configuration, opens the door for attackers. They can exploit this oversight by stuffing in more data than the system can handle, causing a buffer overflow. It’s like trying to close a suitcase bursting at the seams—it just doesn’t work properly, and things spill out where they shouldn’t.
The following chip lines are potentially vulnerable to CVE-2024-0762:
- Alder Lake
- Coffee Lake
- Comet Lake
- Ice Lake
- Jasper Lake
- Kaby Lake
- Meteor Lake
- Raptor Lake
- Rocket Lake
- Tiger Lake
At Nagomi, we take a proactive approach to boosting your security. While the exact list of vulnerable chips continuously evolves, you can start identifying potentially affected devices on your network now. Tools like Active Directory, EDR, EPM, or CMDB can help with this, though they usually store the motherboard model rather than the processor number we’re interested in.
To bridge this gap, two websites can convert between motherboard models and processor numbers: https://www.userbenchmark.com/ and https://ark.intel.com/content.
Here’s how you can potentially find the processor using your inventory tool’s model field. For example, in Microsoft Entra (formerly Azure Active Directory), you might see a field labeled “model” that reflects the board number. Similarly, the CrowdStrike Falcon platform might show a field named “system_product_name”.
Example: Verifying Processor Models and Potential Vulnerabilities
Let’s use the ‘NUC7i5BNH’ motherboard model as an example. By searching for “NUC7i5BNH” on the Intel website, we can find the processor number under fields like “Processor Number” or “Processor Included”.
userbenchmark.com also helps. Searching “NUC7i5BNH” reveals the processor number under the “CPU” field.
For further confirmation, you can search the processor number on the Kaby Lake Wikipedia page.
Key Defense Recommendations
To address this issue, Phoenix Technologies strongly advises customers to prioritize updating their vulnerable firmware to the latest version. Additionally, we recommend reaching out to your hardware vendor promptly to receive any necessary guidance or updates regarding this vulnerability.
In addition to updating your firmware to mitigate this specific vulnerability, Nagomi suggests bolstering overall UEFI security with EDR vendor solutions such as:
Cortex XDR – UEFI Protection Feature:
Navigate to Endpoints > Policy Management > Windows policies > Malware > UEFI Protection:
- Set ‘Action Mode’ to – Block (immediately stops suspicious activity by shutting down processes, blocking memory access, and disabling drivers)
- Set ‘Quarantine Malicious Files’ to Enabled (isolates any files linked to the threat, preventing them from running but allowing for further investigation)
Microsoft Intune – Device Firmware Configuration Interface Policy:
Intune provides a policy for managing settings within the Unified Extensible Firmware Interface (UEFI). The key feature to configure is whether local users can modify UEFI settings, which is generally not recommended.
Navigate to Intune portal > Devices > Configuration Profiles > Create Profile > set Profile type to ‘Templates and choose Device firmware configuration interface’ > UEFI Access and Set ‘Allow local user to change UEFI settings’ to None.
CrowdStrike Falcon – BIOS Deep Visibility Feature:
The “BIOS Deep Visibility for Windows” feature is designed to provide a comprehensive view of BIOS operations, enabling the detection of potentially suspicious or unanticipated images.
Navigate to Endpoint security > Configure > Prevention Policies > Windows Policies > Choose ‘Sensor Visibility – Firmware’ settings and enable ‘BIOS Deep Visibility’ feature.
Summary
Nagomi advises a proactive approach: promptly updating vulnerable firmware and in addition, utilizing the defensive configuration to protect against UEFI exploitations. Enhancing UEFI security with tools like Cortex XDR, Microsoft Intune, and CrowdStrike Falcon adds extra layers of defense, ensuring robust protection and continuous monitoring against emerging threats.
By taking these steps and staying vigilant, organizations can fortify their UEFI firmware defenses and enhance overall cybersecurity resilience effectively.
To see how Nagomi can help you maximize the effectiveness of your tools, check out the Nagomi Proactive Defense Platform or book a demo.