High-Risk Overflow Bug in Intel Chips Likely Impacts 100s of PC Models

A vast swath of computers is likely to be affected by a newly published vulnerability in Intel processors.

CVE-2024-0762, unfortunately nicknamed "UEFIcanhazbufferoverflow," is a buffer overflow issue affecting multiple versions of Phoenix Technologies' SecureCore Unified Extensible Firmware Interface (UEFI) firmware. First disclosed by the vendor in May, it has now been described in detail by Eclypsium researchers in a blog post.

They first spotted it back in November, while analyzing UEFI images in Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen laptops. The problem lies in an unsafe call to the GetVariable() runtime service, used for reading the contents of a UEFI variable. A lack of adequate checks could allow an attacker to feed it too much data, thereby causing an overflow. From there, the attacker could take advantage by escalating privileges and executing code in a targeted machine during runtime.

Even worse than the severity of the bug, though, is its spread. Intel supplies the majority of PC processors sold around the world, and SecureCore firmware runs on 10 different generations of Intel chips. Eclypsium estimates it could affect hundreds of PC models across a wide spectrum of vendors.

The Rub With UEFI

There are few areas of a machine where malicious attacks are so effective, and so difficult to excise, as UEFI and its predecessor, BIOS. As the firmware interface that controls how a system boots, it is the first and most privileged code that runs once a user hits the power button on their device.

Its special status has attracted attackers far and wide in recent years, allowing them to nab root-level privileges, establish persistence through reboots, bypass security programs that might otherwise catch more traditional malware, and more.

"It's not not really the greatest place to hack into, but it is a really good place to set up shop," explains Nate Warfield, director of threat research and intelligence with Eclypsium.

"If you have code execution during that stage of a computer booting, you can drop something into the boot sector. Or you can use this vector to inject malware into Windows before it starts." He points to the recent CosmicStrand UEFI rootkit as a case in point. It's also what makes UEFIcanhazbufferoverflow so dangerous.

Still, it was only assigned a "high" 7.5 out of 10 in the CVSS scoring system. That, Warfield says, comes down to a couple of factors.

First, it requires that an attacker already have access to their targeted machine. 

Additionally, unlike your typical headline vulnerability, exploits in this case may need to be customized to a certain degree depending on the targeted computer model's configuration, and the permissions assigned to the problematic variable, adding a certain degree of complexity to the whole affair.

The Good News and (More) Bad

Unfortunately, this same complexity extends to vendors developing patches.

"The vulnerability we found affected a whole bunch of different versions of [Phoenix's] UEFI code. So they had to patch all of those for their customers, and now everyone has to go and pull those and package them up for all the versions of their BIOS," Warfield explains. "They may end up having to fix 10, 15, or 20 different tiny differences [in architecture] because this one supports this many GPUs, this one supports different hardware configurations for the motherboard. It's impossible to know."

Lenovo — which coordinated with the researchers in recent months — started releasing fixes last month, though some computers will remain exposed until later in the summer. Other, more recently informed original equipment and design manufacturers will surely take even longer. Organizations using Intel-powered computers can do little more than twiddle their thumbs in the meantime.

"This is the whole supply chain problem in a nutshell," Warfield says. "We informed the vendor. We have to wait for them to tell their customers' OEMs, who have to package their fixes and deliver it to their customers, who are the end users."