Blog

Silent Threat Unveiled: The UEFI Firmware Vulnerability (CVE-2024-0762)

5 minute read

  • Lior Tenne

By Lior Tenne – Security Researcher

A critical security flaw (CVE-2024-0762) in Phoenix SecureCore UEFI firmware has recently surfaced, known ominously as “UEFIcanhazbufferoverflow”. This vulnerability has a high severity with a CVSS score of 7.5. It affects numerous families of Intel Core processors across devices from major vendors like Acer, ASUS, Dell, Fujitsu, HP, Lenovo, and MSI. Its implications for Windows laptops, tablets, desktops, and servers are significant, necessitating immediate attention and proactive measures. Previous examples, such as BlackLotus, CosmicStrand, and MosaicRegressor have demonstrated how these types of flaws can significantly challenge security researchers.

What is a CVE?

Common Vulnerabilities and Exposures (CVE) is a standardized list of publicly known cybersecurity vulnerabilities and exposures that provides a common identifier (CVE ID) for each documented issue.

The purpose of CVE is to provide a standardized way to identify vulnerabilities and exposures, facilitating information sharing among cybersecurity professionals. It also serves as a basis for evaluating and prioritizing cybersecurity risks and mitigations.

How does the CVSS scale work?

The CVSS score, or Common Vulnerability Scoring System, is a standardized framework for assessing and communicating the severity of computer system security vulnerabilities. Each metric in the CVSS scale is assigned a value that ranges from 0.0 to 10.0, with 10.0 being the most severe. These values are then combined using a formula to calculate the overall CVSS score, which provides an objective measure of the vulnerability’s severity and helps organizations prioritize their response efforts.

How a UEFI Vulnerability Puts Systems at Risk

Imagine your computer’s startup process is like packing for a trip. The UEFI firmware, responsible for getting everything in order, sometimes makes a mistake with how much space it allocates—similar to how you might accidentally pack too much into a suitcase. This slip-up, especially with variables like ‘TCG2_CONFIGURATION’ in TPM configuration, opens the door for attackers. They can exploit this oversight by stuffing in more data than the system can handle, causing a buffer overflow. It’s like trying to close a suitcase bursting at the seams—it just doesn’t work properly, and things spill out where they shouldn’t.

The following chip lines are potentially vulnerable to CVE-2024-0762:

  • Alder Lake
  • Coffee Lake
  • Comet Lake
  • Ice Lake
  • Jasper Lake
  • Kaby Lake
  • Meteor Lake
  • Raptor Lake
  • Rocket Lake
  • Tiger Lake

At Nagomi, we take a proactive approach to boosting your security. While the exact list of vulnerable chips continuously evolves, you can start identifying potentially affected devices on your network now. Tools like Active Directory, EDR, EPM, or CMDB can help with this, though they usually store the motherboard model rather than the processor number we’re interested in.

To bridge this gap, two websites can convert between motherboard models and processor numbers: https://www.userbenchmark.com/ and https://ark.intel.com/content

Here’s how you can potentially find the processor using your inventory tool’s model field. For example, in Microsoft Entra (formerly Azure Active Directory), you might see a field labeled “model” that reflects the board number. Similarly, the CrowdStrike Falcon platform might show a field named “system_product_name”.

Example: Verifying Processor Models and Potential Vulnerabilities

Let’s use the ‘NUC7i5BNH’ motherboard model as an example. By searching for “NUC7i5BNH” on the Intel website, we can find the processor number under fields like “Processor Number” or “Processor Included”.

userbenchmark.com also helps. Searching “NUC7i5BNH” reveals the processor number under the “CPU” field.

For further confirmation, you can search the processor number on the Kaby Lake Wikipedia page.

Key Defense Recommendations

To address this issue, Phoenix Technologies strongly advises customers to prioritize updating their vulnerable firmware to the latest version. Additionally, we recommend reaching out to your hardware vendor promptly to receive any necessary guidance or updates regarding this vulnerability.

In addition to updating your firmware to mitigate this specific vulnerability, Nagomi suggests bolstering overall UEFI security with EDR vendor solutions such as:

Cortex XDR – UEFI Protection Feature:

Navigate to Endpoints > Policy Management > Windows policies > Malware > UEFI Protection:

  • Set ‘Action Mode’ to – Block (immediately stops suspicious activity by shutting down processes, blocking memory access, and disabling drivers) 
  • Set ‘Quarantine Malicious Files’ to Enabled (isolates any files linked to the threat, preventing them from running but allowing for further investigation)

Microsoft Intune – Device Firmware Configuration Interface Policy:

Intune provides a policy for managing settings within the Unified Extensible Firmware Interface (UEFI). The key feature to configure is whether local users can modify UEFI settings, which is generally not recommended.

Navigate to Intune portal > Devices > Configuration Profiles > Create Profile > set Profile type to ‘Templates and choose Device firmware configuration interface’ > UEFI Access and Set ‘Allow local user to change UEFI settings’ to None.

CrowdStrike Falcon – BIOS Deep Visibility Feature:

The “BIOS Deep Visibility for Windows” feature is designed to provide a comprehensive view of BIOS operations, enabling the detection of potentially suspicious or unanticipated images. 

Navigate to Endpoint security > Configure > Prevention Policies > Windows Policies > Choose ‘Sensor Visibility – Firmware’ settings and enable ‘BIOS Deep Visibility’ feature.

Summary

Nagomi advises a proactive approach: promptly updating vulnerable firmware and in addition, utilizing the defensive configuration to protect against UEFI exploitations. Enhancing UEFI security with tools like Cortex XDR, Microsoft Intune, and CrowdStrike Falcon adds extra layers of defense, ensuring robust protection and continuous monitoring against emerging threats.

By taking these steps and staying vigilant, organizations can fortify their UEFI firmware defenses and enhance overall cybersecurity resilience effectively.

To see how Nagomi can help you maximize the effectiveness of your tools, check out the Nagomi Proactive Defense Platform or book a demo.

Author

Cybersecurity News, Nagomi News

More like this
Gartner Hype Cycle for Security Operations 2024

Blog

Nagomi Recognized in the Gartner® Hype Cycle™ for Security Operations: A Milestone for Automated Security Control Assessment

FacebookLinkedInTweetEmail The Hype Cycle™ for Security Operations has recently been unveiled, and we believe it’s already ...

Read the post: Nagomi Recognized in the Gartner® Hype Cycle™ for Security Operations: A Milestone for Automated Security Control Assessment

Blog

Prioritizing MITRE ATT&CK Techniques for Valid Accounts

FacebookLinkedInTweetEmail The fourth in a five part series exploring how security teams can identify the most ...

Read the post: Prioritizing MITRE ATT&CK Techniques for Valid Accounts

Blog

Are Your Cybersecurity Tools Doing Their Job?

FacebookLinkedInTweetEmail Nagomi Security’s CEO, Emanuel Salmona, puts it plainly: “Most breaches could be avoided with the ...

Read the post: Are Your Cybersecurity Tools Doing Their Job?
os credential dumping nagomi security

Blog

Prioritizing MITRE ATT&CK Techniques for OS Credential Dumping

FacebookLinkedInTweetEmail The third in a five part series exploring how security teams can identify the most ...

Read the post: Prioritizing MITRE ATT&CK Techniques for OS Credential Dumping