The latest UEFI security bug affects almost every server and PC

The latest security headline affecting the PC industry, dubbed LogoFAIL and discovered by Binarly Research, uncovers a typical pattern. A custom image can be added to the initial pre-OS boot process, a change which seems a harmless nod to user experience but brings unanticipated risks. After all, who doesn’t want a personal logo to flash up when you power on? You might choose a picture of your cat, your favourite band or movie, or how about a buffer overflow vulnerability?

Binarly were able to detect that image parsers for these boot logos had been added without properly checking the code for basic errors, like whether an improperly formatted image would be able to write to unintended portions of memory. By fuzzing the image parsers, Binarly discovered vulnerabilities in not just one vendor but 10 different vendors’ systems, all using code from a shallow pool of component vendors. Because the UEFI firmware wasn’t interesting or attention-grabbing it wasn’t being updated, and these old and known-insecure modules were being shipped by ODMs to their OEM customers, all the leading industry brands, without independent validation. A classic supply chain vulnerability affecting almost the entire industry.

Once such an image is loaded, the injected code is executed from the UEFI Driver Execution Environment. The OS is completely bypassed and code runs directly from the motherboard during the early stages of UEFI boot, allowing an attacker to inspect files on disk or inject their own code into the OS.
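As an added illustration of the missing-check pattern described above (example code written for this article, not code from Binarly, AMI, Phoenix or any firmware vendor), here is a toy boot-logo parser in C whose validation step rejects the header inconsistencies an unchecked parser would act on. The image format, the fixed 64x64 frame buffer and all names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy logo format (not the real BMP/PNG layouts the firmware parsers
 * handle): 12-byte header of little-endian uint32 width, height and pixel-data
 * offset, then one byte per pixel. */
#define HDR_BYTES   12u
#define FRAME_W     64u                   /* assumed fixed size of the boot-logo frame buffer */
#define FRAME_H     64u
#define FRAME_BYTES (FRAME_W * FRAME_H)
enum { LOGO_OK = 0, LOGO_TRUNCATED, LOGO_TOO_LARGE, LOGO_BAD_OFFSET };
typedef struct { uint32_t width, height, data_offset; } logo_hdr_t;
uint8_t frame[FRAME_BYTES];               /* destination the logo is drawn into */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Each check below is one a trusting parser omits; each omission lets a crafted
 * header steer a read past the end of the file or a write past the frame buffer. */
int validate_logo(const uint8_t *file, size_t file_len, logo_hdr_t *out) {
    if (file_len < HDR_BYTES) return LOGO_TRUNCATED;           /* header itself is short */
    logo_hdr_t h = { le32(file), le32(file + 4), le32(file + 8) };
    /* Bounding width and height first keeps width*height far below 2^32, so the
     * product cannot wrap to a small value on a 32-bit firmware build. */
    if (h.width == 0 || h.width > FRAME_W || h.height == 0 || h.height > FRAME_H)
        return LOGO_TOO_LARGE;
    uint64_t npix = (uint64_t)h.width * h.height;
    if (npix > FRAME_BYTES) return LOGO_TOO_LARGE;             /* would overrun frame[] */
    if (h.data_offset < HDR_BYTES || h.data_offset > file_len) return LOGO_BAD_OFFSET;
    if (npix > file_len - h.data_offset) return LOGO_TRUNCATED; /* fewer pixel bytes than declared */
    if (out) *out = h;
    return LOGO_OK;
}

/* Copy only after every bound has been derived from validated values. */
int render_logo(const uint8_t *file, size_t file_len) {
    logo_hdr_t h;
    int rc = validate_logo(file, file_len, &h);
    if (rc != LOGO_OK) return rc;
    memset(frame, 0, sizeof frame);
    memcpy(frame, file + h.data_offset, (size_t)h.width * h.height);
    return LOGO_OK;
}

/* Constructed samples: a valid 2x2 logo; a copy whose header claims 64x64 while only
 * four pixel bytes follow (an unchecked parser reads 4092 bytes past the file); and a
 * 65536x65536 header whose width*height wraps to 0 if computed in a uint32. */
const uint8_t GOOD_LOGO[]  = {2,0,0,0,  2,0,0,0,  12,0,0,0, 0xAA,0xBB,0xCC,0xDD};
const uint8_t LYING_LOGO[] = {64,0,0,0, 64,0,0,0, 12,0,0,0, 0xAA,0xBB,0xCC,0xDD};
const uint8_t WRAP_LOGO[]  = {0,0,1,0,  0,0,1,0,  12,0,0,0, 0xAA};
```

The order of the checks matters: dimensions are bounded before the product is formed, and the data offset is bounded before it is subtracted from the file length, so no intermediate arithmetic can wrap.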

How one bug can affect an entire industry

If you are using a server from one of the main OEMs then you are not using a single product. You have been sold a composite product, built from parts from multiple vendors. Companies like Supermicro, Intel, Dell and HPE do not produce all their own hardware and software. For add-in cards, motherboards and many other components these companies purchase code and sub-components from vendors around the world and merely assemble the final product. Some customization is done for branding purposes, but you don’t have to look far to see firmware labelled as LSI (a part of Broadcom), ASPEED and others. Those others include code for the central part of the boot process, where giants like American Megatrends International (AMI) and Phoenix are still dominant.

Starting with the IBM-style BIOS systems of the late 70s and early 80s, these companies have dominated the BIOS market. When BIOS became the modern UEFI, they transitioned to UEFI and continue to dominate that market.

You can guess where we’re going with this. Large companies, dominant market position, software that most people don’t see or think about. If you guessed that this software wasn’t properly scanned for security vulnerabilities then you guessed right.

SoftIron is fixing supply chain security

Supply chain vulnerabilities and the increasing levels of assumption in the computer server industry are why we work hard to ensure supply chain security. Just because something has worked well for 25 years doesn’t mean that mistakes were not made. In fact, complacency due to stagnation, a lack of continued oversight and a lack of attention from the wider industry can lead to serious problems over time. Supply chain security is an evergreen process that needs continued maintenance, diligence and reviews to guarantee a secure product.

When building HyperCloud we inspect all code that goes into the system; we even build our own BMC from scratch. We look at reference designs and check for issues. For instance, we receive UEFI code from a supplier, but we update and build our own UEFI firmware in-house, enabling only the options that our platform needs. SoftIron maintains thorough Software Bills of Materials (SBOMs) for all components, not just the operating system but all firmware and even firmware constituents, which means looking inside artifacts like UEFI firmware and not taking them at face value. HyperCloud can then ensure a robust level of supply chain security, keeping our products and our customers safe.

We know that patching is painful; that’s why all your HyperCloud patches for firmware and software are applied in a single automatic update, so you stay secure without the stress of managing hundreds of types of patches. Security is important to SoftIron, so we are committed to fixing every known vulnerability in the CVE program that impacts any part of HyperCloud. Coupled with our stateless nodes, which get a fresh OS image on every boot, that means there is no part of your SoftIron private cloud infrastructure that will ever remain out of date or unpatched when the need arises.
