Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Title Image files in UEFI can be abused to modify boot behavior
Name VU#811862 First vendor Publication 2023-12-06
Vendor VU-CERT Last vendor Modification 2024-03-04
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 7.8
Base Score 7.8 Environmental Score 7.8
impact SubScore 5.9 Temporal Score 7.8
Exploitabality Sub Score 1.8
Attack Vector Local Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores



Implementation of Unified Extensible Firmware Interface (UEFI) by Vendors provide a way to customize logo image displayed during the early boot phase. Binarly has uncovered vulnerabilities in the image parsing libraries that provide this capability. An attacker with local privileged access can exploit these vulnerability to modify UEFI settings.


UEFI firmware provides an extensible interface between an operating system and hardware platform. UEFI software stores a number of settings and files in a customized Extensible Firmware Interface (EFI) partition known as EFI system partition (ESP). ESP is a special privileged file system that is independent of the OS and essentially acts as the storage place for the UEFI boot loaders, applications, hardware drivers and customizable settings to be launched by the UEFI firmware. The ESP partition is mandatory for UEFI boot and is protected from unprivileged access. The information stored in ESP is probed and processed during the early phases of an UEFI based OS. One such information stored in the ESP is a personalizable boot logo.

Binarly has discovered a number of vulnerabilities in the image parsing libraries that read and process these image files. As these files are processed by executables that run under a high privilege, it is possible to exploit these vulnerabilities in order to access and modify high-privileged UEFI settings of a device. UEFI supply-chain allows for many of these shared libraries to be integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked executable. Binarly has also observed that in some cases an attacker can create a bundled firmware update that contains a corrupt or malicious image to trigger these vulnerabilities. This can also allow an attacker to exploit vulnerability while flashing the PCI with a firmware update. Due to the complex nature of these vulnerabilities and their potential wide impact, Binarly would like to use the label LogoFAIL to track and support coordination and mitigation of these vulnerabilities.

Note: Major Independent BIOS Vendors (IBV) have obtained CVE to track this set of vulnerabilities for their supply-chain partners and their customers.

Binarly AdvisoryCVE'sPrimary Vendor
BRLY-2023-018CVE-2023-39539 AMI
BRLY-2023-006 (1)CVE-2023-40238 Insyde
BRLY-2023-006 (2) CVE-2023-5058 Phoenix

Original Source

Url : https://kb.cert.org/vuls/id/811862

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-434 Unrestricted Upload of File with Dangerous Type (CWE/SANS Top 25)
50 % CWE-312 Cleartext Storage of Sensitive Information

CPE : Common Platform Enumeration

Application 11
Os 1
Os 1
Os 1

Alert History

If you want to see full details history, please login or register.
Date Informations
2024-03-04 21:22:14
  • Multiple Updates
2024-02-01 00:22:14
  • Multiple Updates
2023-12-19 21:22:10
  • Multiple Updates
2023-12-18 05:22:11
  • Multiple Updates
2023-12-15 21:22:12
  • Multiple Updates
2023-12-06 21:22:13
  • First insertion