LogoFAIL exploits vulnerabilities present before the operating system boots and outside the storage drive's contents, rendering conventional anti-malware tools ineffective. The exploit targets the BIOS's customizable images during the DXE phase, bypassing CPU and OS security measures to install a bootkit undetected.
The flaw's cross-platform nature stems from its presence in firmware from various BIOS vendors, each incorporating different image parsers in their firmware. For example, Insyde firmware often includes parsers for multiple image formats in modules like BmpDecoderDxe, while AMI firmware integrates these parsers in the AMITSE DXE module. Phoenix firmware typically houses its parsers in the SystemImageDecoderDxe module, capable of processing formats such as BMP, GIF, and JPEG.
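Because the attack surface is the image decoder itself, the defensive fix is a parser that refuses to trust any header field until it has been checked against the real buffer. The following is an added example, not code from the article or from any vendor's firmware module, of the consistency checks a BMP decoder should perform before touching pixel data; MAX_DIM is an assumed policy limit and the sample images are constructed here.

```python
import struct

# Assumed policy limit for a boot logo; a real firmware would size this to its framebuffer.
MAX_DIM = 4096
ALLOWED_BPP = {1, 4, 8, 16, 24, 32}


def validate_bmp(data: bytes) -> tuple[bool, str]:
    """Check that a BMP's headers are self-consistent before any pixel is decoded.

    Every field the pixel loop would later rely on (offset, size, stride) is
    checked against the actual buffer length, so a header that lies cannot
    steer the decoder outside the buffer.
    """
    if len(data) < 54:
        return False, "shorter than BITMAPFILEHEADER + BITMAPINFOHEADER"
    if data[:2] != b"BM":
        return False, "bad magic"
    file_size, pixel_off = struct.unpack_from("<I4xI", data, 2)
    hdr_size, width, height, planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if hdr_size < 40 or 14 + hdr_size > len(data):
        return False, "DIB header size out of range"
    if file_size != len(data):
        return False, "declared file size does not match buffer"
    if planes != 1 or bpp not in ALLOWED_BPP or compression != 0:
        return False, "unsupported planes/bpp/compression"
    if width <= 0 or height == 0 or width > MAX_DIM or abs(height) > MAX_DIM:
        return False, "dimensions zero, negative, or above policy limit"
    if pixel_off < 14 + hdr_size or pixel_off > len(data):
        return False, "pixel data offset outside buffer"
    # Rows are padded to 4 bytes; with bounded width/height this product cannot overflow.
    stride = ((width * bpp + 31) // 32) * 4
    if pixel_off + stride * abs(height) > len(data):
        return False, "pixel data truncated"
    return True, "ok"


def make_bmp(width: int, height: int, bpp: int = 24, pixel_off: int = 54) -> bytes:
    """Build a minimal uncompressed BMP (constructed test input, all-black pixels)."""
    stride = ((width * bpp + 31) // 32) * 4
    pixels = b"\x00" * (stride * height)
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, pixel_off)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels


GOOD = make_bmp(2, 2)                      # well-formed 2x2 image, accepted
LYING_OFFSET = make_bmp(2, 2, pixel_off=4096)  # pixel offset points past the buffer
HUGE_WIDTH = bytearray(GOOD)
struct.pack_into("<i", HUGE_WIDTH, 18, 1 << 30)  # width field far beyond any real logo
HUGE_WIDTH = bytes(HUGE_WIDTH)
```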
The National Institute of Standards and Technology (NIST) in the United States has documented the LogoFAIL vulnerability in its National Vulnerability Database under CVE-2023-40238. This widespread issue affects not only motherboards from component manufacturers but also OEM motherboards, as demonstrated with a Lenovo ThinkCentre M720s powered by an 11th-generation Intel CPU.
Source: tomshardware