Header bannerHeader banner
Advisory ID:
BRLY-2023-006

[BRLY-2023-006] Multiple vulnerabilities in image parsing functions can be exploited by an attacker with local access.

January 23, 2024
Severity:
High
CVSS Score
8.2
Public Disclosure Date:
January 22, 2024

Summary

BINARLY REsearch team has uncovered multiple critical vulnerabilities in the image parsing libraries used to parse customized boot logos.
Vendors Affected Icon

Vendors Affected

Lenovo
AMI
Insyde
Phoenix
Affected Products icon

Affected Products

Multiple

Potential Impact

An attacker can exploit LogoFAIL by storing a maliciously crafted logo image on the ESP of the victim device (e.g., under \EFI\lenovo\logo\mylogo_2240x1200.bmp) and restart the system under attack. During the boot process the system firmware will parse the attacker-supplied logo, thus an attacker can exploit any vulnerability in the image parser and take control of the execution flow. LogoFAIL can be exploited by attackers with write access to the ESP of the victim device, and can be used to bypass SecureBoot and infect any operating system.

Summary

Lenovo firmware allows end-users to customize the logo displayed by a device during boot.BINARLY REsearch team has uncovered multiple critical vulnerabilities in the image parsing libraries used to parse customized boot logos.This vulnerability poses a high-severity risk as it introduces an unexplored attack surface that can be exploited by malicious actors with only write permissions over the EFI System Partition (ESP) of a device.Our analysis over a dataset of Lenovo firmware identified hundreds of Lenovo products affected by this issue, including devices running firmware developed by Insyde Software, American Megatrends International and Phoenix Technologies.Given the systemic industry-wise scope of this vulnerability we will refer to it as LogoFAIL.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2023-006
  • Insyde PSIRT assigned CVE identifier: CVE-2023-40238
  • Phoenix PSIRT assigned CVE identifier: CVE-2023-5058
  • AMI PSIRT assigned CVE identifier: CVE-2023-39538
  • CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Lenovo firmware with confirmed impact by Binarly REsearch Team

IBV Device/Firmware SHA256
Insyde J1CN38WW 43aa868a91a522fc356d7bb37f9209cc52c393bc4e93974e8eda5b66b1bcf70a
Phoenix GZCN32WW 14dcb831104f5f66ea038eda1e7e2b1c5bf14049e9cbf1f50cc9f75befd2888e
AMI M47KT28A a30324477402cc892c0d01cdac54d58e9ca74e83a21687d2225bdc6f9b02e91a

Vulnerability Summary

An attacker can exploit LogoFAIL by storing a maliciously crafted logo image on the ESP of the victim device (e.g., under \EFI\lenovo\logo\mylogo_2240x1200.bmp) and restart the system under attack.During the boot process the system firmware will parse the attacker-supplied logo, thus an attacker can exploit any vulnerability in the image parser and take control of the execution flow.LogoFAIL can be exploited by attackers with write access to the ESP of the victim device, and can be used to bypass SecureBoot and infect any operating system.

In the following sections, we explore the functions and protocols used to retrieve a logo image from the ESP.Then, we explore how image parsing libraries and their respective protocols are installed and used during the boot process.

Vulnerability description (Insyde firmware)

How logos are read from the ESP

In Insyde-based firmware the interactions with the ESP happen in a custom protocol (4b11ff5b-590c-4bfe-96a5-04bc5cca5c11) installed by the OemBadgingSupportDxe driver.More precisely, the function at address 0x44F4 initializes the variable ImagePath by concatenating the string  EFI\lenovo\logo\ and the content of the NVRAM variable LBLDESPFN.The function ReadsLogo is then called, which, as the name suggests, reads the logo stored at ImagePath and stores the image content and the image size into v21 and v22, respectively.Next, as a form of integrity checking, the ChecksCRC32 function compares the CRC32 of the image logo with the content of the LBLDVC variable.When the CRC32 comparison succeeds, the LogoData and LogoDataSize parameters are finally set to v21 and v22.

EFI_STATUS __fastcall sub_44F4(__int64 a1, char **LogoData, _QWORD *LogoDataSize)
{
...
  v11 = gRT->GetVariable("LBLDESPFN", &VendorGuid, 0i64, &DataSize, Data);
  v14 = "EFI\\lenovo\\logo\\"
  ImagePathSize = 2 * (strlen(v14) + strlen(Data+4)) + 4;
  ImagePath = Alloc(ImagePathSize);

  if ( ImagePath )
  {
    snprintf(ImagePath, v16, "%s%s", "EFI\\lenovo\\logo\\", Data + 4);
    ReadsLogo(ImagePath, &v21, &v22); // sub_419C
    v20 = ChecksCRC32(v21); // sub_43E8
    if ( v20 >= 0 )
    {
      *LogoDataSize = v22;
      *LogoData = v21;
      *(a1 + 16) = *Data; // Setting the logo format (0=BMP, 1=JPEG..)
    }
    return v20;
  }

(Vulnerable) Image Parsing Protocols

During our analysis of a Lenovo Yoga's firmware image, we observed the presence of the following image parsers:

File Name File GUID Parsing Protocol GUID
BmpDecoderDxe A9F634A5-29F1-4456-A9D5-6E24B88BDB65 A6396A81-8031-4FD7-BD14-2E6BFBEC83C2
GifDecoderDxe 1353DE63-B74A-4BEF-80FD-2C5CFA83040B D3E104CB-D03E-44B3-85CF-13067484CB11
JpegDecoderDxe 2707E46D-DBD7-41C2-9C04-C9FDB8BAD86C A9396A81-6231-4DD7-BD9B-2E6BF7EC73C2
PcxDecoderDxe A8F634A5-28F1-4456-A9D5-7E24B99BDB65 5CBA0791-E45B-4B3B-BEDB-03FD2CDB5331
PngDecoderDxe C1D5258B-F61A-4C02-9293-A005BEB3EAA1 DB585F02-1DD1-41E2-A7E5-D47B7908CF7C
TgaDecoderDxe ADCCA887-5330-414A-81A1-5B578146A397 D7B3A214-29B0-499E-A7DD-7353B16620BB

Upon analyzing them, we discovered that these drivers exhibit a common structure: the driver entry point function registers the corresponding image parsing protocol using InstallProtocolInterface and the protocol interface comprises of a single function (an exception is the Gif Decoder protocol that exports four functions) responsible for implementing the actual parser for a specific image type.The prototype of the parsing function is the following:

EFI_STATUS sub_1A689C(
  unsigned int *LogoImage, unsigned __int64 LogoImageSize,
  char* DecodedLogoImage, unsigned int *DecodedLogoImageSize,
  int *LogoWidth, int *LogoHeight
  )

Combining Reading and Parsing

We then set out to find a function where an image read from the ESP is passed to any image parsers: after some reversing, we found such function (sub_1C27EC) in the BdsDxe driver. Finally, we confirmed our findings empirically: saving an image under EFI\lenovo\logo\mylogo_2240x1400.bmp and setting the NVRAM variables LBLDESP and LBLDVC accordingly was enough to make our custom logo shown during boot.

In the upcoming section "Finding Crashes in Image Parsers" we will discuss how we found crashes in the aforementioned image parsers. In particular, we identified an out-of-bounds bug in the BMP parser that allows an attacker to write any memory address in the 4GB region below a specific heap address with arbitrary values.After installing this maliciously-crafted BMP image, we confirmed that the device bricks during the boot process, as the image parser write to an unmapped memory address.To "unbrick" the device, we found two possible solutions:1) Extract the SSD, connect it to another device, mount the ESP partition and remove the logo image2) Reflash the SPI to rewrite LBLDESP variable (this will effectively remove support from custom logo, since the "MaybeLogoSupport" of LBLDESP_STRUCT will be set to 0)

Please note that we followed the official Lenovo recommendation of "hold the power button for at least 10 second", but this didn't work for us and the device remained unable to boot.

Vulnerability description (Phoenix firmware)

For Phoenix firmware, sub_ABD33C of SystemAcpiBgrtDxe calculates the six different combinations of ("EFI\Lenovo\logo\mylogo", "EFI\Lenovo\logo\mylogo_WxH") and (".jpg", ".bmp", ".gif") and check if the resulting file exists on the ESP. When an existing file is found, the function checks whether the CRC32 of the first 512 bytes of the logo matches the content of the variable LBLDVC. If the check is successful, the logo image is passed to the image parsing protocol installed by the SystemImageDecoderDxe module.

File Name File GUID Parsing Protocol GUID
SystemImageDecoderDxe 5F65D21A-8867-45D3-A41A-526F9FE2C598 D2221EBF-A7C4-4E87-A89E-BCE6E2485A50

The internals of this parsing protocol are quite simple: after finding the logo image type by matching various magic numbers, it invokes the correct parser.This image parsing module supports the following image types: JPEG, GIF89, GIF87 and BMP.

Vulnerability description (AMI firmware)

For AMI firmware, both reading and parsing the logo happen inside the AMITSE driver.In particular, function sub_3A96C creates a filename by concatenating the content of the variable LnvOemLogoData and the string "User.gif", and stores the content of the resulting file in a global variable (sub_3A1B8). If this file does not exists, sub_3A96C will try a similar approach with string "User.bmp".

File Name File GUID Parsing Function
AMITSE B1DA0ADF-4F77-4070-A88E-BFFE1C60529A sub_D5C4

The execution will then continue until the image parsing library located at sub_D5C4 is called. This function support parsing the logo as a BMP, PNG, GIF or JPEG image.

Finding Crashes in Image Parsers

To evaluate the robustness of the image parsers mentioned in this advisory, we tested each of them with fuzz testing techniques.This resulted in the discovery of multiple crashes in all tested parsers, except for the PNG parser contained in the Insyde-based firmware.These crashes cover a wide range of issues, from less severe out-of-bounds reads to more critical out-of-bounds arbitrary writes where the attacker controls both the target memory address and the written content.In the next sections we summarize the crashes we found during this security evaluation.

Insyde

Rule ID CVE Module Name Rule Description
BRLY-LOGOFAIL-2023-001 CVE-2023-40238 BmpDecoderDxe Lack of BmpHeader->ImageOffset validation will lead to OOB Read during BMP file processing in Insyde firmware
BRLY-LOGOFAIL-2023-002 CVE-2023-40238 BmpDecoderDxe OOB Write in RLE8 decode routine during BMP file processing in Insyde firmware
BRLY-LOGOFAIL-2023-003 CVE-2023-40238 BmpDecoderDxe OOB Write in RLE4 decode routine during BMP file processing in Insyde firmware
BRLY-LOGOFAIL-2023-004 CVE-2023-40238 BmpDecoderDxe Lack of ClearCode validation in LZW decoder leads to multiple OOB Read/Write operations during GIF file processing in Insyde firmware
BRLY-LOGOFAIL-2023-005 CVE-2023-40238 GifDecoderDxe Weak index checking leads to CompressedData OOB Read during GIF file processing in Insyde firmware
BRLY-LOGOFAIL-2023-006 CVE-2023-40238 GifDecoderDxe Lack of Code validation in LZW decoder leads to multiple OOB Read/Write operations during GIF file processing in Insyde firmware
BRLY-LOGOFAIL-2023-007 CVE-2023-40238 GifDecoderDxe Unchecked ImageSize (which depends on ImageWidth and ImageHeight) results in allocation of a zero-sized buffer and subsequent writing to it during GIF file processing in Insyde firmware
BRLY-LOGOFAIL-2023-008 CVE-2023-40238 JpegDecoderDxe Usage of uninitialised JfifData.SosPtr pointer leads to null pointer dereference (in case when JPEG_SOS is not covered during the parsing) during JPEG file processing in Insyde firmware
BRLY-LOGOFAIL-2023-009 CVE-2023-40238 JpegDecoderDxe Improper loop exit condition will lead to OOB Read from ImagePtr during JPEG file processing in Insyde firmware
BRLY-LOGOFAIL-2023-010 CVE-2023-40238 JpegDecoderDxe Unchecked DqtCount leads to null pointer dereference during JPEG file processing in Insyde firmware
BRLY-LOGOFAIL-2023-011 CVE-2023-40238 PcxDecoderDxe Improper input validation leads to OOB Read vulnerabilities during PCX file processing in Insyde firmware
BRLY-LOGOFAIL-2023-012 CVE-2023-40238 TgaDecoderDxe Improper input validation leads to OOB Read/Write vulnerabilities during TGA file processing in Insyde firmware

Phoenix

Rule ID CVE Module Name Rule Description
BRLY-LOGOFAIL-2023-025 CVE-2023-5058 SystemImageDecoderDxe Lack of synchronization between PaletteSize calculated from BitsPerPixel in BMP Image Header and PaletteIndex calculated from data in BMP Image allows OOB Read in Phoenix firmware
BRLY-LOGOFAIL-2023-026 CVE-2023-5058 SystemImageDecoderDxe Lack of synchronization between ImageSize in BMP Image Header and ImageIndex allows OOB Read in Phoenix firmware
BRLY-LOGOFAIL-2023-027 CVE-2023-5058 SystemImageDecoderDxe Lack of synchronization between PaletteSize calculated from BitsPerPixel in BMP Image Header and PaletteIndex calculated from data in BMP Image allows OOB Read in Phoenix firmware
BRLY-LOGOFAIL-2023-028 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on array index leads to OOB Write operations on global data during GIF file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-029 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on array index leads to OOB Write operations on global data during GIF file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-030 CVE-2023-5058 SystemImageDecoderDxe Improper input validation leads to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-031 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-032 CVE-2023-5058 SystemImageDecoderDxe Lack of array index validation leads to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-033 CVE-2023-5058 SystemImageDecoderDxe Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-034 CVE-2023-5058 SystemImageDecoderDxe Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-035 CVE-2023-5058 SystemImageDecoderDxe Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-036 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on output buffer leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-037 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on output buffer leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-038 CVE-2023-5058 SystemImageDecoderDxe Lack of array index validation leads to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-039 CVE-2023-5058 SystemImageDecoderDxe Improper input validation leads to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-040 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-041 CVE-2023-5058 SystemImageDecoderDxe Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-042 CVE-2023-5058 SystemImageDecoderDxe Lack of array index validation leads to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-043 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-044 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-045 CVE-2023-5058 SystemImageDecoderDxe Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-046 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware
BRLY-LOGOFAIL-2023-047 CVE-2023-5058 SystemImageDecoderDxe Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware

AMI

Rule ID CVE Module Name Rule Description
BRLY-LOGOFAIL-2023-013 CVE-2023-39539 AMITSE Lack of BmpHeader->ImageOffset validation will lead to OOB Read during BMP file processing in AMI firmware
BRLY-LOGOFAIL-2023-014 CVE-2023-39539 AMITSE Lack of validation on chunk length will lead to OOB Read during PNG file processing in AMI firmware
BRLY-LOGOFAIL-2023-015 CVE-2023-39539 AMITSE Lack of validation on chunk length will lead to OOB Read during PNG file processing in AMI firmware
BRLY-LOGOFAIL-2023-020 CVE-2023-39539 AMITSE Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in AMI firmware
BRLY-LOGOFAIL-2023-022 CVE-2023-39539 AMITSE Lack of validation on number of Huffamn tables leads to OOB Write operations during JPEG file processing in AMI firmware
BRLY-LOGOFAIL-2023-023 CVE-2023-39539 AMITSE Lack of validation on output buffer leads to OOB Write operations during GIF file processing in AMI firmware
BRLY-LOGOFAIL-2023-024 CVE-2023-39539 AMITSE Lack of validation on array index leads to OOB Write operations on global data during GIF file processing in AMI firmware

Preliminarly list of affected Lenovo devices

Finally, to evaluate the impact of out findings, we explored an internal dataset of Lenovo firmware. The firmware images contained in the following table matched any of the following rules:- PHOENIX: the module with GUID b8e63775-bb0a-43f0-a843-5be8b14f8ccd uses LBLDVC but not LBLDESPFN- INSYDE: the module with GUID 12aedbea-392d-4e2a-8789-5f6dc6b23661 uses LBLDESPFN, LBLDVC and LBLDESP- AMI: the firmware image contains the strings LnvOemLogoData and User.gif

Firmware SHA256 Firmware Name IBV
1d76bdf63f9ec2472272ec1526dfdcd11397b623bb59b70b04eecc11c8f3a28a lenovo-13w-yoga-gen-2-type-82yr- PHOENIX
db938973b534c6b523668e4e95cd2b229023f31d05b33a7e9c07f4da08f34d5f lenovo-13w-yoga-type-82s1-82s2 PHOENIX
b2b28688ba1e45e6f8a377817a7782ff0f7fece06128a03d2adc37dc5561443e lenovo-500w-yoga-gen-4 PHOENIX
155d55ddea4dc39c34476402b70895169c4f4fbfde25b75753e88078c14bce0b yoga-slim-7-pro-14arh5 PHOENIX
14dcb831104f5f66ea038eda1e7e2b1c5bf14049e9cbf1f50cc9f75befd2888e yoga-slim-7-pro-14ach5 PHOENIX
eb233270f36bfc7429fb8c495180c29e0e2bc21c01dd203e1e51109fc7d5b893 thinkbook-16p-g2-ach PHOENIX
bb05ec781992cb1baff62c282cb346c55bcb49bd5269a90621231567d0b1b3e7 thinkbook-13x-g2-iap PHOENIX
99c60719da65fb86566f5d0cf88ed898a31c513b1fdb9732f7414a9ad1ca7c7b thinkbook-13s-g4-iap PHOENIX
932bee60fcd1b5b9a719dc004be3da29417dfed0935873372b2899615e1c5546 thinkbook-13s-g3-acn PHOENIX
8e68e4dad67aeb254b5006548b7110fc6f39d292a883afdc8ed7dab48525052b thinkbook-13s-g4-arb PHOENIX
1f36d9938f792a52ed7590fe7e49b813546a53ee53eb52395e97590b7bf0b525 thinkbook-14p-g2-ach PHOENIX
01d5fa9a25ba26ae532a8118bce53f756281b939ba9a86538331b15b6ee5bb66 thinkbook-13s-g2-are PHOENIX
b6bd8bd02ac891a4a6c1f449e348cf0e1f430c9fc7fb330c31456d2552c8f881 ideapad-5-15alc05 PHOENIX
61b0de3e23983f01b033110e5453e4851ccbc3f0e263e92955a8ffb55c2b50a4 ideapad-5-15are05 PHOENIX
2e275c90505ea221dc0df2e3ea6db01d7935c021183b98ac7a830c17875f75fa ideapad-3-14are05 PHOENIX
cb66929df86585d6e149d7e2cbec8c3188c0cdbee6453e84a3e2fcda70622ecf legion-s7-15arh5 PHOENIX
b8bf19728d6c898f92f62d5d36d4c4fa7a3da6aaed31dce5163e6d0f5914dcc5 legion-s7-16iah7 PHOENIX
b800a09abe94bb25ab6b5c60ad5d57e7fd71fb3cec708b51937d3858559fc981 legion-s7-15imh5 PHOENIX
a1cede60005eb7d5f8dbe747b3419f50db0552008134ebeab24231cf48961283 ideapad-3-17ada6 PHOENIX
84529bfb730625f5280ccd327c7091cbcd7132115f0e90b37ce9181164427b84 legion-s7-15ach6 PHOENIX
52e66af20432cc8d7cda77787825451c7822068196235f2cd4a4f27dfeb55c7a ideapad-3-17aba7 PHOENIX
3f1ced4b0a868d561c479933c07c02b0f95c1e4cb25910c65560a233f4cc3a8a ideapad-5-15aba7 PHOENIX
86b0fd5a3ca5940638a28a794709b72811e15e8167c75e9f6466ea0446abc68b yoga-9-14itl5 PHOENIX
2cddcf501b94e7594ad203ebbbf58033fba66f384376faa3dd7c82bd64038192 s540-13are PHOENIX
2ccb9acdc52cfb510f5e516ccb8e7125f1e485523a0b70f86f80f7cc9d15c8f1 v14-g2-alc PHOENIX
05f62c25f83abf8c9d4a063d294608757bb6eed167b1b1000fc78cb09037cc95 500w-gen-3 PHOENIX
c049d45ae31a9b76cb7cfcf44f1d9884c1660311ee2d61b1495887a81d904a86 yoga-slim-7-carbon-14acn06 INSYDE
9c72ebb1a98d236e0d584f181e75ca048b0272eaab9b4a2424eccd8642e1c67a yoga-slim-7-carbon-13itl5 INSYDE
ca1fbd084c1951eb1f9dbe4ad6812c0e8506e9bb057895d06d9dc404b79429b3 thinkbook-16-g4-plus-iap INSYDE
b43835cda195026a97e9fca799ca560b0ead4d3da3c73c5f74dc7f69cf7f4db7 lenovo-slim-pro-9-16irp8 INSYDE
9eebc97e3c5ef2cf193fcd5059783a09af40309a1a6e3994bc80561acd4f83fb ideapad-gaming-3-15imh05 INSYDE
92e12b8296827b22c5a4530b7f0497ed6a620e84c2ca6da6e308240507306828 ideapad-creator-5-16ach6 INSYDE
7a7cffe9458da9e162abdb89f4b2fc19332492472b55c14d83b2435e6ff209cb thinkbook-14-g4-plus-ara INSYDE
63fdb0366067554dc1c511cffbf0216d500439574ad40f4bde5ae5c2def8b38e yoga-slim-7-pro-14ach5-d INSYDE
9a21333fe796e37e532ef591561e0c7d6c60a36b30fce37f7f35349c4919ba95 ideapad-gaming-3-15ach6 INSYDE
7cbdb4c2db5593c59a4afbdfe7098db4a071028a1b0eb4d73ab768f8bcaf30d6 yoga-slim-7-prox-14iah7 INSYDE
68c37389316a0c7748a60bcd1e61de575d1eba66f2412b4ee907f13d84ce70f6 yoga-slim-7-prox-14arh7 INSYDE
3b70e98f12870c411331ef5eb646aff48dcfacf9b704e8fe5bab036cb2a431a8 ideapad-gaming-3-15arh7 INSYDE
3809e1c46af53be5086ba9ae171fa3e1eb026edf4c2c39b9c18247bf4221df6d ideapad-gaming-3-16iah7 INSYDE
f21f246933296909a7be66bdaf791b3e57561d32ad412904b866466ce69bde7f thinkbook-14s-yoga-itl INSYDE
d86e574f216dce1f2e01d7bd3bb17cfe625b9e97e375ce9d8acf8297ba6193f7 yoga-slim-7-pro-14iah7 INSYDE
82255ef3e2a4284b0c2ec87025f6ed584c6e43b0ca691f2af473eb0459960f9b yoga-slim-7-pro-14iap7 INSYDE
72e62dd1e5dda74a52502c9fd74dc88f485e88a2b6e055bca39e59ee46fc6756 yoga-slim-7-pro-16ach6 INSYDE
cf1f45a06136901ee99e383d2b6481d96d760fc05fb1fa0270e17733b3468dbf ideapad-slim-3-14iru8 INSYDE
c70ad930a3726c5cf118e6d40e39467d3670ed31358bae5b16181ddcfc356cb0 thinkbook-plus-g3-iap INSYDE
63de84eb9be1ffe8e70f8cdc9b2a5190214569571e04c96843459725a081011a ideapad-slim-5-14abr8 INSYDE
39043b50caf912ae2e7f30445cad0d3c175671e7d0697e1b112b290314c404a8 thinkbook-plus-g2-itg INSYDE
dc9b09999dc32f01acf2a1a4b2a35ad6afb272a144dd99c35671bc66ffe936c4 ideapad-5-pro-14acn6 INSYDE
d53ba1020173d7eea22342047b956047a97213ce54c0084d5dc93d121bcd1b47 legion-5-pro-16arh7h INSYDE
c058753d0f7bfd25203358216c3cc0612d1ebd653d7e8834ae7c2a8c904e67b9 legion-pro-7-16irx8h INSYDE
9de995e478041484a19c07e4ffec2a54c8c0f82b72895c78db005a5e0c2107cf ideapad-pro-5-14irh8 INSYDE
932e5c3b0d1b5e31e80379bdea6c75a5d72c024478f8648f59f72b445f726289 slim-7-carbon-13iap7 INSYDE
87334a97ef144fbc9898534b69fee7f1ae38f8dc08f6855872720247fed95ac3 ideapad-5-pro-16ihu6 INSYDE
723c250f7d74184d69987cc00cd9ede8bfd136babdfa813a3d6afab1af8a11fa ideapad-pro-5-16irh8 INSYDE
6d865ac870050421473a939a9b3122d1b590264d1b0b21173c49629c6cc3ded8 ideapad-pro-5-14arp8 INSYDE
64d0d49232426be3e95b982d7c63ec7a86be3efdb36d1820ee8091ee8ed7a73a ideapad-5-pro-16iah7 INSYDE
5ebd9c8ff3949428454865a4e62971c8e19d68bb6d525c27a26b313985708227 slim-7-carbon-13irp8 INSYDE
4ed12d0b921bcbdb4d836e42e821341cd34ef004bbb724dd681812c9bd2fbc47 lenovo-slim-7-16arh7 INSYDE
49a154d5a218d868f0acd6e9cc0bf3c268c59bc265c6d44c44e2efe9b0f1856d thinkbook-16p-g4-irh INSYDE
490ee86708e77a073c9d9f5479b4a9bd819765586b44aab548024281f6e034ce legion-slim-5-16irh8 INSYDE
45b6641749c9e957cc0777888808ff262a3bccff36fa9612460e0ae0e5d3af11 ideapad-pro-5-16arp8 INSYDE
3e27d91dc3a1f16b462e8c0d99452d32f44caf1dc72a9b7a614289647a576b73 thinkbook-16p-g3-arh INSYDE
21dd27ac8cac25326c69a6af8a4fb3d726ca1af443fac0486f63e4bc67d4debc thinkbook-15p-g2-ith INSYDE
1533e6d0ac4326ab1eb8ccc02eec08365f87ef086ee3f466ad8397b641343db1 ideapad-5-pro-16arh7 INSYDE
116c3aac429fcf168e35f512aa152af6541286fa21b30f50f07690814c698019 ideapad-5-pro-14itl6 INSYDE
0e0e8bb8e72a33c92c3d6abbbe9730acc0f2b53bd636c7b13f1381e5a6ad9a97 thinkbook-14p-g3-arh INSYDE
06a85656d34f1e79f0495050520ddb255d365a6c8847c1b188cd7974ff5370d6 thinkbook-16p-nx-arh INSYDE
00bcd2e0a4ad902835fadb423fe823b68f2bc2de2f4a72a13bac5e57cf5b830c ideapad-pro-5-14aph8 INSYDE
fcf9699ebc46ce56a7e139921cfb853145895ec6f9ba8dad66596261dfb2b6b8 thinkbook-14-g5-irl INSYDE
fc627a69afec7e8a4a84d5323ef20802fe868830e0164d423320e5e8a2e800d1 thinkbook-15-g4-aba INSYDE
b3282fcb2d0802e93f7a61b4d942741546f949b635d66d0e33bcbe9a27ed1b41 thinkbook-15-g4-iap INSYDE
abb8e73481c7917f5d20e9a4dddb8481975c6fa4b085b26a42e608cb5c88c411 yoga-slim-7-13acn05 INSYDE
a2f004322d2646fc82fe3e7175d87634d273f2ba2bb46492a581bb64e19f5209 thinkbook-15-g3-itl INSYDE

Firmware SHA256 Firmware Name IBV
99fd352586ce4b1008dbb6121579494f6ec209493d6619e4c89c00538dc0403a thinkbook-14-g5-abp INSYDE
86ba9ceb2ce3f98f7899aa180811ab1c9a62114ae037a7f25edc3f20c0dc28fb thinkbook-15-g3-acl INSYDE
7c1f557b3adb29f66666ecf50a6543fbaac3c172bd8d669a95f74550a0af3759 legion-5-pro-16ach6 INSYDE
5d1a34448fc73bf7bf1e93ea2e7bfcbbb42f711853cc84be4b98dd98d1ba2bcc thinkbook-14-g2-itl INSYDE
e8a961c0d5dd3826e10e587f930532ab9619c4a1a1378e688804ce302831d17b yoga-slim-6-14iap8 INSYDE
e2a4ec4742a3bcc8aebbe21dd430f15c290dbc35d0c48b685fdb466cb2e0e45d yoga-slim-6-14irp8 INSYDE
b6005ab451c565dd93078d85d55b2d5c94b987e1d95218ba0e85e93d55d74211 legion-5p-15imh05h INSYDE
ac72bfb2549d2f9614689530dc52f1b56d73dd1cd2d7ac414a498a56f0ad88be yoga-duet-7-13itl6 INSYDE
703cc02c4962ae11c5c2bef6b29e0013ff51f94d0f564a27a3b3742fd5d58e42 yoga-slim-9-14iap7 INSYDE
e875178cab5f7819eaff080ddb822a45e1859e6e78777222953fe6b6e80c2590 yoga-aio-9-32irh8 INSYDE
cda60a2a2a732142a2623769e484f51ade3e2939bb1eb89d2dac2f50f5dd86f4 lenovo-s14-g2-itl INSYDE
ba5041f65548510ab32ac838ac8b3054a307cd50e6862932e1f9d5e15402d3ed ideapad-3-14itl05 INSYDE
a7000dbb987ecccecf18c13fefe022f99555c57c7bb881c6837ace62bfc0fc34 ideapad-5-14alc05 INSYDE
917afd374b8d4efd47c49c14fb3cfb9bec25e4382480ae5d5739c9bc49e92410 ideapad-5-15itl05 INSYDE
83a76f3bfac11f2f167647b8bc68ac320ef95372f84e0a46b43c2ace2270bee6 slim-7-pro-14ihu5 INSYDE
491c5872329872171256a87c4b8783a16240afb4a0e276e54e5a67f8199adf9b yoga-pro-9-14irp8 INSYDE
41738a37dfd4de42a853753d15c117f22eeb27f716add0756cd44c7ad5e26051 thinkbook-13x-itg INSYDE
37bce5b079f9b6445ec4f951093a3073600a100fc3b2b0f55c4b5cc09d582853 yoga-pro-7-14arp8 INSYDE
343b65e30a6cdd04504832f02c9a62929df4b593e5bbb2905f17cc576a9698df lenovo-v14-g4-iru INSYDE
17ed5fd57a771ffc46b92421d3f20c7978f32d0c16d9098a5a2f78435cd0e846 yoga-pro-7-14irh8 INSYDE
0aa853d42123f292a9f029f2911e8b782cbe29e584618d53629fc1b29763422b thinkbook-15p-imh INSYDE
07e7fa3d1f9bd5c86c4cc4bff73931ed6496ec3729c19161aa93c4a078a8a20e ideapad-5-14itl05 INSYDE
ed6bac54478a904cffb73d43e728380c1a4adcf7f0b18e18bc2b893ae73a54cb ideapad-5-15ial7 INSYDE
ea0a5f36ba54e02e7147572e8229e29aed476ad448d34cca7a3fdec3b2b4e8c6 ideapad-5-14ial7 INSYDE
cc89c57b4c808c37124ed879507dfeac92e47b7fc41b985382a29781e84754a3 ideapad-5-14aba7 INSYDE
c481d35b3c9da73cd21ca5bdc868d9c3b9a8e378485ecb6432c4ad0df4c33058 legion-7-16arha7 INSYDE
bdc30a60dc267f8d54a15c739551efa39dbdfd864ed97a8f30138bc5566ae6ce legion-5-15iah7h INSYDE
9545ca8b4f73491eaac1e4bdac281c586bab04934a6abc26b4811dfb91cba5ea ideapad-1-14iau7 INSYDE
712463f4e16b22ca43d9464dc20c122e55857b0673a3934f104651a662d57188 legion-s7-16irh8 INSYDE
581422831861b928e5dd17c68e36bba597ba55a80d01796e34d2ba6d16169d97 legion-5-15ach6a INSYDE
47b30c12ac32376d7b7f11c9e1b42373aa22ee9330f1671cf6f87925898ab394 legion-5-17ach6h INSYDE
c0fe6a57c7f6b8e27167a09696a7ff37568ae5679d09e76b205cba909f46598f legion-5-17ith6 INSYDE
9025ecd01abdfdf352620bf9d882b0895cfd9fe3a418c9b2356848714e528bea legion-7-16iax7 INSYDE
0f9469bbe7f48f12ae444501fc80b231bf37378ab93dea2407f17e3f8f54a0b7 legion-5-15imh6 INSYDE
b979d31694cedc0a69b0f1741e98f5a223b2d2a4365b7976144054205712ab1a slim-9-14itl05 INSYDE
e7acfeaa3a10cf6245ca1b4bd8e4020f5dc0d8bd9551fbee64215ee947931b8b yoga-9-14iap7 INSYDE
a35e8ad66d9b5671a021ad50a128a76319a4b8d4c894d1666370da5b1e88d0f2 yoga-7-14irl8 INSYDE
94b8575fcbda9e2dbc90c285817a7b04203ee5b398f0467e65382d8de8ba8e79 yoga-9-14irp8 INSYDE
83d9d77d0d92670b2125301bdca2269e606e58690ac74e13d16c462c123c75eb yoga-7-14itl5 INSYDE
6a0fd1c866c8045734beb80e0e01f218b05d767864dc57adf0ee2a76036d9b2c yoga-6-13abr8 INSYDE
69b1c059bb1762d415ba5ab70ddbe5473f2446e24e129401c83b00ec7c3233d6 slim-7-14arh7 INSYDE
5fcf5e54e1aaf566673bfbbf20a534df115a405f0fd6dd897b14bc101cd4380f yoga-7-14ial7 INSYDE
538f8d2c146dc0fe9cece93e9a40347b02c4a1c79565120e56968b4ae877fc87 yoga-7-14arb7 INSYDE
3dba5c7b03657541a5845622927873b2d262827757ebc9b47596dba7430d67bb yoga-6-13alc7 INSYDE
3d7c8f3b1d1593405e5856ca7476b8a1a7ffbe871fcadc6626a54c8a384e7818 yoga-7-14arp8 INSYDE
30437f4e2483793ac669d8e34f1419ad399ddf33a8d156e542587bfa8059ec01 yoga-7-14acn6 INSYDE
03d37906868c7208650c4028cc8d7d379c98238d21f70e6194354ddae43bf79b slim-7-16iah7 INSYDE
563854363ecb14ac0e06d6eb0a379fffead17ca4d7e9f12a3a82d380e49e9f82 s540-13itl INSYDE
1e835bb11de9e5ae297025cc8b97aae94fdbcdecdf60c76105916b508700517c 5-15iil05 INSYDE
a30324477402cc892c0d01cdac54d58e9ca74e83a21687d2225bdc6f9b02e91a thinkcentre-m75q-gen-2-type-11jn AMI
ad4b6fbfd46e54b936877eb07241884fefab2def7cbc920c9ef06759c652dccb thinkcentre-m75s-gen-2-cezanne AMI
e7507b8640989442ef0dc8e3229ca461cfc93bf1195acf1fab60f855542e73fe ideacentre-gaming-5-17acn7 AMI
99d69181b34c4b6a7a473819de84559466553eb11470febbb4a7de35394f22e7 thinkcentre-m75q-gen-2 AMI
633a4ac1b0454cf9ade2b9c709836d0388c4dcc01c6e8a9d9498b56259e9f10d thinkcentre-m75s-gen-2 AMI
0f67e2143a15ac811eeade9bf797da614aa9983902f3058c3e057cc4546d4676 thinkcentre-m75t-gen-2 AMI
6b300725000c12a943331fe41dcb838c4ae73c1ef072c0732b9d8cc30a6f3a64 ideacentre-3-07ada05 AMI
50031e2bd2517da06da4c601611ab7006c3342e31e0421a9c79aad7b17f2a8a3 ideacentre-3-07ach7 AMI
d353fe465045d7f089060164032cd87f41332a99275edba8f3b37a5ed4c91354 thinkcentre-m90n-1 AMI
030cc9dbd4f4cf255d4a22eb68ebd5016d2ee94b44003ed002ed272564ee7b0d thinkcentre-m75s-1 AMI
ed7506185df3328be559b9168b400f83bfb409e925c837eb2f299f2fbb09920e thinkstation-p620 AMI
b7bd6dda1075ab49cfcafc181c47d5195c2f7939ca6f26aee69df69c01204d43 legion-t5-28imb05 AMI
af01d82108b980088823e71932546bdea5e0248565e495f6b3c4876cf15f72ae thinkcentre-m630e AMI
02276d9cef00a8ae90416b2b2a6a6fc475b9f049bfa6d7a9173bbd2469cdc56f thinkstation-p358 AMI
b9a0f4332d926332c894b95db3f4249b1d5c2958e8bd79b469db608464279189 legion-t5-26amr5 AMI
af2d2ebdf6372be914901ed95418da58ec59a39e3cdfc61cc454e55582db1d04 v55t-gen-2-13acn AMI
68bef25a337a3d30619802f079d9ddaccf2a8dbb798f5ac4c79c8858e72c8d9b legion-t7-34irz8 AMI
0545325e0de4ef4307feed4d9b0421911e33ce2fb1780c1094cdbd46042bc150 legion-t5-26iab7 AMI
0328b7c4f1cb6d6804aecf1ab6727d3c16a5f0aeab01ee0c335ebc84abdb2f28 legion-t5-26iob6 AMI
849a186a41e81ad53a0dc6dd637a40756fdd6a22afe0ccf0d824a965855657ce thinkedge-se50 AMI
2c3c42affc1801ab7505e0a9b2ca60ab3e9fc0bdc21d2ad3362f1103b85de68b aio-3-24alc6 AMI
bf213fcd861822d70eb9c69338a3096f4eed56c41e769851f320d12a0c40dd42 v530-15icr AMI
5acf77741f6ccfa1361615db15acf280da4b2f6521daebfa64452d043fad18f5 a540-24api AMI
1372ce9078029ca7f6aec83e2f9574bf778a5ae31e165991531429f34bd42922 510s-07ick AMI
7da53c133a62faca4d0c8437a8041b225d7a6c35d21192ff1a21e1e1547b39f7 5-14are05 AMI
66090831b56ccb0828b6f43d428e75e7e988e35436b9d3e9d86b54181e7197a4 m75q-1 AMI

How to fix it

The easiest way to fix this issue is to disable the support for user-supplied logos.However, on the longer term, we the recommended to either support only BMP files and use the well-tested BMP parsing libraries to process the logos.In case Lenovo wants to support multiple image file formats then we recommend to thoroughly test any image parsers shipped with Lenovo firmware.

Disclosure timeline

This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.

Disclosure Activity Date (YYYY-mm-dd)
Lenovo PSIRT is notified 2023-06-21
Lenovo ID (LEN-132940) is assigned 2023-06-22
CERT/CC is notified 2023-07-10
Insyde PSIRT confirmed reported issues 2023-09-10
AMI PSIRT confirmed reported issues 2023-10-05
Insyde PSIRT assigned CVE ID 2023-11-27
Phoenix PSIRT assigned CVE ID 2023-11-30
AMI PSIRT assigned CVE ID 2023-12-01
Insyde advisory release date 2023-12-06
Phoenix advisory release date 2023-12-06
BINARLY public disclosure date 2024-01-22

Acknowledgements

Binarly REsearch Team

Tags
No items found.
FWHunt
See if you are impacted now with our Firmware Vulnerability Scanner