AMD motherboard partners start rolling out BIOS updates with LogoFAIL bugfix

Roshan Ashraf Shaikh
·3 min read
.
.

Thanks to AMD's AGESA updates, its motherboard partners have started rolling out BIOS updates containing a fix to protect the BIOS from LogoFAIL, a security flaw that allows the UEFI boot screen to be hijacked. LogoFAIL was discovered in Dec. 2023.

Intel patched this vulnerability with Intel ME Version 16.1.30.2307 the same month it was reported. Although the issue was resolved by AMD's AGESA Version 1.2.0.b a few months ago, AMD released the latest 'c' version, which includes fixes for other vulnerabilities, a few weeks ago. As a result, some motherboard vendors, such as Gigabyte, have started releasing BIOS updates with the AGESA 'b' variation for some AMD chipsets, while Asus and MSI released BIOS updates with the latest AGESA update.

Motherboard makers have yet to release BIOS updates for any of these AGESA versions for X670 chipsets.

How does LogoFAIL work?

LogoFAIL is platform-agnostic flaw — it affects both Intel and AMD platforms with BIOS made by independent BIOS vendors such as AMI, Phoenix, and Insyde. Because the exploit occurs before the OS and is not stored in the storage drive, it's not possible for conventional anti-malware tools to detect or remove it.

When Binarly reported the exploit, it made the following observations:

  • Insyde-based firmware usually but not always contains parsers for BMP, GIF, JPEG, PCX, PNG, and TGA. Those are stored in separate modules called, e.g., BmpDecoderDxe

  • AMI-based firmware contains image parsers in a DXE module called AMITSE. Every firmware we analyzed contained between a single BMP parser (e.g., Dell firmware) to a set of parsers for BMP, PNG, JPEG, and GIF (e.g., Lenovo).

  • Phoenix-based firmware stores its parsers in a module called SystemImageDecoderDxe, and it can usually parse BMP, GIF, and JPEG.

The US-based National Institute of Standards and Technology also published information on LogoFAIL in its National Vulnerable Database, filed under CVE-2023-40238. 

Once LogoFAIL infects the BIOS's customizable images, it takes advantage of the security flaw during the DXE (Driver Execution Environment) phase. This allows it to bypass the CPU and OS security protocols and checks and install a bootkit without being detected. This affected both motherboards made by component makers and OEM motherboards; the demo used an 11th-generation CPU-based Lenovo ThinkCentre M720s.

The State of New BIOS Rollouts

Lenovo has not yet released the latest UEFI that includes the LogoFAIL patch. Some OEMs, such as Dell, do not allow UEFI logos to be changed (the images are protected by Image Boot Guard). Mac systems, even older units with Intel CPUs, have logo images hard-coded into the UEFI and are therefore protected from the LogoFAIL exploit.

Subsequently, motherboard vendors need to proactively release BIOS updates once the respective IBVs include the latest patch. The 'b' variant addresses the LogoFAIL exploit, but the new AGESA version 1.2.0.c also addresses the Zenbleed vulnerability (discovered July 2023). Therefore, Gigabyte will need to roll out another BIOS update with the latest firmware for its AM4 platform as well as BIOS updates for its x670 motherboards.