Advisories

[BRLY-2024-005] Usage of default test keys leads to complete Secure Boot bypass

The Binarly REsearch Team has found that hundreds of devices use an insecure Platform Key (PK) which represents the root of trust for UEFI Secure Boot.

SMM memory corruption vulnerability in SMM driver (SMRAM write)

Binarly REsearch Team has discovered a stack buffer overflow vulnerability that allows an attacker to execute arbitrary code.

[BRLY-LOGOFAIL-2023-017] Multiple vulnerabilities in image parsing functions can be exploited by an attacker with local access

Acer firmware allows end-users to customize the logo shown on the display of a device during boot. Binarly REsearch Team has uncovered multiple critical vulnerabilities in the libraries used to parse image data formats and thus logos.

[BRLY-LOGOFAIL-2023-004] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered a multiple OOB Read/Write vulnerabilities in Insyde firmware related to lack of validation in the LZW decoder routine in the GifDecoderDxe module.

[BRLY-LOGOFAIL-2023-002] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered an OOB Write vulnerability in the RLE8 decode routine during BMP file processing in Insyde firmware.

[BRLY-LOGOFAIL-2023-003] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered an OOB Write vulnerability in the RLE4 decode routine during BMP file processing in Insyde firmware.

[BRLY-LOGOFAIL-2023-005] Out-of-bounds Read in DXE driver

Binarly REsearch Team has discovered a OOB Read vulnerability in Insyde firmware resulting from weak index checking during GIF file processing.

[BRLY-LOGOFAIL-2023-007] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered a OOB Write vulnerability in Insyde firmware. Unchecked ImageSize (which depends on ImageWidth and ImageHeight) results in allocation of a zero-sized buffer and subsequent writing to it during GIF file processing in Insyde firmware.

[BRLY-LOGOFAIL-2023-001] Memory contents leak / information disclosure vulnerability in DXE driver

Binarly REsearch Team has discovered a memory contents leak / information disclosure vulnerability. BmpHeader->ImageOffset is not validated during parsing of arbitrary BMP file on Insyde firmware. The attacker can make it as high as 0xFFFFFFFF and thus display the contents of physical memory (in the form of pixels).

[BRLY-LOGOFAIL-2023-006] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered a multiple OOB Read/Write vulnerabilities in Insyde firmware related to lack of Code validation in the LZW decoder routine in the GifDecoderDxe module.

[BRLY-LOGOFAIL-2023-008] Null Pointer Dereference in DXE driver

Binarly REsearch Team has discovered a DXE Null Pointer Dereference in Insyde firmware. Usage of uninitialised SOSPtr pointer leads to null pointer dereference (in case when JPEG_SOS is not covered during the parsing) during JPEG file processing in Insyde firmware.

[BRLY-LOGOFAIL-2023-010] Null Pointer Dereference in DXE driver

Binarly REsearch Team has discovered a Null Pointer Dereference vulnerability in DXE driver. Unchecked DqtCount leads to null pointer dereference during JPEG file processing in Insyde firmware.

[BRLY-LOGOFAIL-2023-009] Out-of-bounds Read in DXE driver

Binarly REsearch Team has discovered a OOB Read vulnerability in DXE driver. Improper loop exit condition will lead to OOB Read from ImagePtr during JPEG file processing in Insyde firmware.

[BRLY-LOGOFAIL-2023-011] Memory contents leak / information disclosure vulnerability in DXE driver

Binarly REsearch Team has discovered multiple memory leaks / information disclosure vulnerabilities in the DXE driver due to improper input validation during PCX file processing in Insyde firmware.

[BRLY-LOGOFAIL-2023-012] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered a multiple OOB Read/Write vulnerabilities in Insyde firmware due to improper input validation during TGA file processing.

[BRLY-LOGOFAIL-2023-013] Memory contents leak / information disclosure vulnerability in DXE driver

Binarly REsearch Team has discovered a memory contents leak / information disclosure vulnerability. Image->ImageOffset is not validated during parsing of arbitrary BMP file on AMI firmware. The attacker can make it as high as 0xFFFFFFFF and thus display the contents of physical memory (in the form of pixels).

[BRLY-LOGOFAIL-2023-015] Out-of-bounds Read in DXE driver

Binarly REsearch Team has discovered a OOB Read vulnerability in DXE driver. Improper validation of PNG chunk length during PNG file processing in AMI firmware leads to OOB read.

[BRLY-LOGOFAIL-2023-014] Out-of-bounds Read in DXE driver

Binarly REsearch Team has discovered a OOB Read vulnerability in DXE driver. Improper validation of PNG chunk length during PNG file processing in AMI firmware leads to OOB read.

[BRLY-LOGOFAIL-2023-016] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered an integer overflow on memory allocation size that leads to OOB Write operations during PNG file processing in AMI firmware.

[BRLY-LOGOFAIL-2023-023] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered a lack of validation on output buffer leads to OOB Write operations during GIF file processing in AMI firmware.

[BRLY-LOGOFAIL-2023-020] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered a lack of array index validation leading to OOB Write operations on global data during JPEG file processing in AMI firmware.

[BRLY-LOGOFAIL-2023-019] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered an integer overflow on memory allocation size that leads to OOB Write operations during PNG file processing in AMI firmware.

[BRLY-LOGOFAIL-2023-018] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered an integer overflow on memory allocation size that leads to OOB Write operations during PNG file processing in AMI firmware.

[BRLY-LOGOFAIL-2023-022] Memory Corruption vulnerability in DXE driver

Binarly REsearch Team has discovered a lack of validation on number of Huffamn tables that leads to OOB Write operations during JPEG file processing in AMI firmware.

[BRLY-LOGOFAIL-2023-025] Memory contents leak / information disclosure vulnerability in DXE driver

Binarly REsearch Team has discovered a memory contents leak / information disclosure vulnerability. Lack of synchronization between PaletteSize calculated from BitsPerPixel in BMP Image Header and PaletteIndex calculated from data in BMP Image allows OOB Read.