Unless you are directly involved, the method or process by which UEFI vulnerabilities are identified, communicated and resolved is probably very opaque. In this blog, we will provide some color on how that process works from the point of view of an independent firmware vendor (IFV): Phoenix Technologies. To illustrate the process, we will use LogoFAIL as an example.
As with most vulnerabilities that affect many vendors at once, LogoFAIL was discovered by security researchers, in this case researchers at Binarly, a cybersecurity company specializing in firmware security and threat intelligence. Security researchers can be independent or part of an organization such as a company, a university or a government agency. Once Binarly identified the LogoFAIL vulnerability in July 2023, they disclosed it to a select group of roughly 20 partners with a “need to know”, Phoenix Technologies among them. Researchers are generally very cautious about whom they share such information with, for fear that a bad actor might learn of the vulnerability and exploit it before a fix is available. For that reason there is a well-defined program for coordinated vulnerability disclosure (CVD), offered by CISA, that researchers are urged to follow. To implement this coordination, the US government sponsors an organization called CERT/CC (Computer Emergency Response Team/Coordination Center) that facilitates sharing among the various entities that need to know in order to solve the problem.
“Only one IBV (Independent BIOS Vendor) had properly fixed the issue at the date of the disclosure, and it was Phoenix Technologies”
Phoenix Technologies received an alert about LogoFAIL in July 2023 via a CERT/CC-run portal called VINCE (Vulnerability Information and Coordination Environment). Upon receiving this alert, Phoenix realized almost immediately that the discovery had potentially severe implications for the UEFI firmware Phoenix has deployed around the world on devices such as Lenovo laptops. Further, the Phoenix team knew they had only five months to resolve the issue, because Binarly was planning to publicly disclose LogoFAIL in December 2023 via an industry-standard vulnerability note (VU #811862). For Phoenix it wasn’t just a matter of fixing the vulnerability: they also had to provide updated UEFI firmware to all their customers, who in turn needed time to push the firmware update out to all their end-user devices. Despite the complexity of these coordinated efforts, at public disclosure time in December 2023 only Phoenix had properly fixed the issue, as Binarly acknowledged in this article.