Using its automated binary analysis system Eclypsium Automata,Eclypsiumhas uncovered the existence of high-impactsecurityvulnerabilities in Phoenix SecureCore UEFI firmware used by a wide variety of motherboard providers and Intel CPUs spanning from 14th Gen to 6th Gen—all the “Lakes” in other words. This vulnerability also extends to several other UEFI BIOS vendors, includingLenovo, Intel, Insyde, and AMI. Phoenix is the latest to join the list.
The specific Phoenix SecureCore UEFI firmware vulnerability that prompted this posting is referred to as “UEFIcanhazbufferoverflow” by Eclypsium, which is just a funny way of pointing out that this is a buffer overflow exploit. The specific method in which the “UEFIcanhazbufferoverflow” exploit works is by using an unsafe call to the “GetVariable” UEFI service.
By making unsafe calls, a stack buffer overflow can be created, allowing for arbitrary code to be executed. In the BIOS or its modern counterpart, the UEFI, even a buffer overflow allows for full-system access and control to be gained very quickly, and the consequences of that happening can be challenging to remove from a PC permanently. Sometimes, it may even be impossible without replacing the machine entirely— and that’s not counting passwords and such that may become compromised and still need changing between machines.
Any potentially impacted Intel user should update their BIOS to protect from this issue as soon as possible, though not before creating backups of important files and the original BIOS just in case something goes wrong. Since exploits impacting UEFI are as close to Layer 0 as they get with PC hardware, it’s essential for all parties involved to act as quickly and safely as possible.
As noted by Eclypsium, this Phoenix vulnerability was discovered in a hands-off manner by its Automata security system, which is an automated binary analysis system using the research data of Eclypsium’s own researchers. While there are certainly issues with things likeAI-written codeand AI “generated” art, it’s always nice to see cutting-edge AI and machine learning tech put toward something useful for humanity.
Get Tom’s Hardware’s best news and in-depth reviews, straight to your inbox.
Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.
