{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/811862#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nVendor implementations of the Unified Extensible Firmware Interface (UEFI) provide a way to customize the logo image displayed during the early boot phase. Binarly has uncovered vulnerabilities in the image parsing libraries that provide this capability. An attacker with local privileged access can exploit these vulnerabilities to modify UEFI settings.\r\n\r\n### Description\r\n\r\nUEFI firmware provides an extensible interface between an operating system and the hardware platform. UEFI software stores a number of settings and files in a customized Extensible Firmware Interface (EFI) partition known as the EFI system partition (ESP). The ESP is a special privileged file system that is independent of the OS and essentially acts as the storage place for the UEFI boot loaders, applications, hardware drivers and customizable settings to be launched by the UEFI firmware. The ESP is mandatory for UEFI boot and is protected from unprivileged access. The information stored in the ESP is probed and processed during [the early phases of a UEFI-based OS](https://insights.sei.cmu.edu/media/images/figure3_08012022.max-1280x720.format-webp.webp). One such piece of information stored in the ESP is a personalizable boot logo.\r\n\r\nBinarly has discovered a number of vulnerabilities in the image parsing libraries that read and process these image files. As these files are processed by executables that run with high privilege, it is possible to exploit these vulnerabilities in order to access and modify high-privileged UEFI settings of a device. The UEFI supply chain allows many of these shared libraries to be integrated in various ways, including compiled from source, licensed for modification and reuse, and as a dynamically or statically linked executable.
Binarly has also observed that in some cases an attacker can create a bundled firmware update that contains a corrupt or malicious image to trigger these vulnerabilities. This can also allow an attacker to exploit the vulnerability while flashing the PCI with a firmware update. Due to the complex nature of these vulnerabilities and their potential wide impact, Binarly would like to use the label `LogoFAIL` to track and support coordination and mitigation of these vulnerabilities.\r\n\r\nNote: Major Independent BIOS Vendors (IBV) have obtained CVEs to track this set of vulnerabilities for their supply-chain partners and their customers.\r\n<table><tbody><tr><td><strong>Binarly Advisory</strong></td><td><strong>CVEs</strong></td><td><strong>Primary Vendor</strong></td></tr>\r\n\t\t<tr><td>BRLY-2023-018</td><td>[CVE-2023-39539](https://www.cve.org/CVERecord?id=CVE-2023-39539)</td><td> AMI</td></tr>\r\n\t<tr>\t<td>BRLY-2023-006 (1)</td><td> [CVE-2023-40238](https://www.cve.org/CVERecord?id=CVE-2023-40238)</td><td> Insyde</td></tr>\r\n\t\t<tr>\t<td> BRLY-2023-006 (2) </td><td> [CVE-2023-5058](https://www.cve.org/CVERecord?id=CVE-2023-5058)</td><td> Phoenix</td></tr>\r\n\t\r\n\t</tbody></table>\r\nPlease check the [Vendor Information](#vendor-information) section for additional details provided by other vendors to address these issues. \r\n\r\n\r\n### Impact\r\n\r\nThe impacts of these vulnerabilities vary widely due to the nature of the UEFI software and the various implementations throughout the supply chain. 
\r\n\r\nIn summary, a local attacker with administrative privileges to the ESP partition or to the firmware flash can use malicious images to perform any of the following:\r\n\r\n* Disable UEFI security features (SecureBoot)\r\n* Modify the UEFI Boot Order or the designated Boot Partition\r\n* Execute unwanted software to infect the protected operating system\r\n\r\nIn some cases, an attacker can use the vendor-provided logo customization interface to upload these malicious images.\r\n\r\n### Solution\r\n\r\n**Apply Updates**\r\n\r\nMultiple vendors in the supply chain have provided software updates to address these vulnerabilities. Please check your vendor's statement and solution below, along with any references or additional information, to address this issue.\r\n\r\n\r\n### Acknowledgements\r\n\r\nThanks to Binarly for reporting these vulnerabilities. We would also like to thank the multiple vendors from the UEFI supply chain that cooperated to address these issues.\r\n\r\nThis document was written by Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Changed status from \"not affected\" to \"affected\" after researcher provided another image that engineering teams were able to successfully reproduce the issue with.","title":"Vendor statement from American Megatrends Incorporated (AMI)"},{"category":"other","text":"Certain OEM products whose firmware uses a customized version of Insyde's InsydeH2O are affected by this vulnerability. The issue was discovered by Binarly and was assigned the CVE CVE-2023-40238.","title":"Vendor statement from Insyde Software Corporation"},{"category":"other","text":"Fujitsu is aware of the vulnerabilities in AMI and Insyde firmware (AMI Aptio V, Insyde InsydeH2O UEFI-BIOS) known as \"LogoFAIL\".\r\n\r\nThe affection state of Fujitsu CCD (Client Computing Device) is still under investigation. Several updates for Fujitsu SERVER devices were made available. \r\n\r\nThe Fujitsu PSIRT (Europe) released FJ-ISS-2023-112100 on https://security.ts.fujitsu.com (Security Notices) accordingly; see https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2023-112100-Security-Notice.pdf\r\n\r\nIn case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Europe) (Fujitsu-PSIRT@ts.fujitsu.com).","title":"Vendor statement from Fujitsu Europe"},{"category":"other","text":"At this time, we believe that our base product is not affected. We have made several attempts to reproduce it in our base product and been unable to.\r\n\r\nThat said, customers of ours may have added custom features to our product that introduce this vulnerability. 
We are working with our customers to assist them to develop fixes that will mitigate this vulnerability.\r\n\r\n**Update** While we have not been able to reproduce this in our base product, we continue to see clients shipping products that are affected. We have found that extensions Phoenix assisted our clients with are affected. We have provided updates to our customers and they are producing firmware updates.   CVE-2023-5058","title":"Vendor statement from Phoenix Technologies"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/811862"},{"url":"https://uefi.org/specs/UEFI/2.10/33_Human_Interface_Infrastructure.html","summary":"https://uefi.org/specs/UEFI/2.10/33_Human_Interface_Infrastructure.html"},{"url":"https://uefi.org/specs/UEFI/2.10/13_Protocols_Media_Access.html","summary":"https://uefi.org/specs/UEFI/2.10/13_Protocols_Media_Access.html"},{"url":"http://www.uefi.org/sites/default/files/resources/UEFI%202_5.pdf#page=536","summary":"http://www.uefi.org/sites/default/files/resources/UEFI%202_5.pdf#page=536"},{"url":"https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi?view=windows-11","summary":"https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi?view=windows-11"},{"url":"https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html","summary":"https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html"},{"url":"https://www.insyde.com/security-pled
ge/SA-2023053","summary":"https://www.insyde.com/security-pledge/SA-2023053"},{"url":"https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023009.pdf","summary":"https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023009.pdf"},{"url":"https://www.phoenix.com/security-notifications/cve-2023-5058/","summary":"https://www.phoenix.com/security-notifications/cve-2023-5058/"},{"url":"https://www.insyde.com/security-pledge/SA-2023053","summary":"Reference(s) from vendor \"Insyde Software Corporation\""},{"url":"https://phoenixtech.com/security-notifications/cve-2023-5058/","summary":"Reference(s) from vendor \"Phoenix Technologies\""}],"title":"Image files in UEFI can be abused to modify boot behavior","tracking":{"current_release_date":"2025-09-23T19:01:48+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#811862","initial_release_date":"2023-12-06 18:59:52.565171+00:00","revision_history":[{"date":"2025-09-23T19:01:48+00:00","number":"1.20250923190148.7","summary":"Released on 2025-09-23T19:01:48+00:00"}],"status":"final","version":"1.20250923190148.7"}},"vulnerabilities":[{"title":"Phoenix Technologies products affected by BRLY-2023-006.","notes":[{"category":"summary","text":"Phoenix Technologies products affected by BRLY-2023-006"}],"cve":"CVE-2023-5058","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#811862"}],"product_status":{"known_affected":["CSAFPID-8d174d0e-34d8-11f1-8422-122e2785dc9f","CSAFPID-8d17c310-34d8-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-8d1783d2-34d8-11f1-8422-122e2785dc9f"]}},{"title":"Insyde products impacted by BRLY-2023-006.","notes":[{"category":"summary","text":"Insyde products impacted by BRLY-2023-006"}],"cve":"CVE-2023-40238","ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#811862"}],"product_status":{"known_affected":["CSAFPID-8d187cc4-34d8-11f1-8422-122e2785dc9f","CSAFPID-8d1938b2-34d8-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-8d18af5a-34d8-11f1-8422-122e2785dc9f"]}},{"title":"Vulnerabilities in the image parsing libraries used to parse personalized boot logos can be exploited to modify boot behaviors, such as disabling SecureBoot, changing the boot order, and altering other sensitive boot functions.","notes":[{"category":"summary","text":"Vulnerabilities in the image parsing libraries used to parse personalized boot logos can be exploited to modify boot behaviors, such as disabling SecureBoot, changing the boot order, and altering other sensitive boot functions."}],"cve":"CVE-2023-39539","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#811862"}],"product_status":{"known_affected":["CSAFPID-8d1a9f0e-34d8-11f1-8422-122e2785dc9f","CSAFPID-8d1addfc-34d8-11f1-8422-122e2785dc9f","CSAFPID-8d1b59e4-34d8-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-8d19c962-34d8-11f1-8422-122e2785dc9f","CSAFPID-8d1a01de-34d8-11f1-8422-122e2785dc9f","CSAFPID-8d1b1c5e-34d8-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe Products","product_id":"CSAFPID-8d174d0e-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ARM Limited","product":{"name":"ARM Limited Products","product_id":"CSAFPID-8d1783d2-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-8d17c310-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-8d180c62-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe 
Products","product_id":"CSAFPID-8d187cc4-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ARM Limited","product":{"name":"ARM Limited Products","product_id":"CSAFPID-8d18af5a-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-8d18e07e-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-8d1938b2-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ARM Limited","product":{"name":"ARM Limited Products","product_id":"CSAFPID-8d19c962-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Toshiba Corporation","product":{"name":"Toshiba Corporation Products","product_id":"CSAFPID-8d1a01de-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-8d1a3334-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-8d1a69e4-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fujitsu Europe","product":{"name":"Fujitsu Europe Products","product_id":"CSAFPID-8d1a9f0e-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"American Megatrends Incorporated (AMI)","product":{"name":"American Megatrends Incorporated (AMI) Products","product_id":"CSAFPID-8d1addfc-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-8d1b1c5e-34d8-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-8d1b59e4-34d8-11f1-8422-122e2785dc9f"}}]}}