Summary
Lenovo firmware allows end-users to customize the logo displayed by a device during boot.BINARLY REsearch team has uncovered multiple critical vulnerabilities in the image parsing libraries used to parse customized boot logos.This vulnerability poses a high-severity risk as it introduces an unexplored attack surface that can be exploited by malicious actors with only write permissions over the EFI System Partition (ESP) of a device.Our analysis over a dataset of Lenovo firmware identified hundreds of Lenovo products affected by this issue, including devices running firmware developed by Insyde Software, American Megatrends International and Phoenix Technologies.Given the systemic industry-wise scope of this vulnerability we will refer to it as LogoFAIL.
Vulnerability Information
- BINARLY internal vulnerability identifier: BRLY-2023-006
- Insyde PSIRT assigned CVE identifier: CVE-2023-40238
- Phoenix PSIRT assigned CVE identifier: CVE-2023-5058
- AMI PSIRT assigned CVE identifier: CVE-2023-39538
- CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Lenovo firmware with confirmed impact by Binarly REsearch Team
IBV |
Device/Firmware |
SHA256 |
Insyde |
J1CN38WW |
43aa868a91a522fc356d7bb37f9209cc52c393bc4e93974e8eda5b66b1bcf70a |
Phoenix |
GZCN32WW |
14dcb831104f5f66ea038eda1e7e2b1c5bf14049e9cbf1f50cc9f75befd2888e |
AMI |
M47KT28A |
a30324477402cc892c0d01cdac54d58e9ca74e83a21687d2225bdc6f9b02e91a |
Vulnerability Summary
An attacker can exploit LogoFAIL by storing a maliciously crafted logo image on the ESP of the victim device (e.g., under \EFI\lenovo\logo\mylogo_2240x1200.bmp
) and restart the system under attack.During the boot process the system firmware will parse the attacker-supplied logo, thus an attacker can exploit any vulnerability in the image parser and take control of the execution flow.LogoFAIL can be exploited by attackers with write access to the ESP of the victim device, and can be used to bypass SecureBoot and infect any operating system.
In the following sections, we explore the functions and protocols used to retrieve a logo image from the ESP.Then, we explore how image parsing libraries and their respective protocols are installed and used during the boot process.
Vulnerability description (Insyde firmware)
How logos are read from the ESP
In Insyde-based firmware the interactions with the ESP happen in a custom protocol (4b11ff5b-590c-4bfe-96a5-04bc5cca5c11
) installed by the OemBadgingSupportDxe
driver.More precisely, the function at address 0x44F4 initializes the variable ImagePath
by concatenating the string EFI\lenovo\logo\
and the content of the NVRAM variable LBLDESPFN
.The function ReadsLogo
is then called, which, as the name suggests, reads the logo stored at ImagePath
and stores the image content and the image size into v21
and v22
, respectively.Next, as a form of integrity checking, the ChecksCRC32
function compares the CRC32 of the image logo with the content of the LBLDVC
variable.When the CRC32 comparison succeeds, the LogoData
and LogoDataSize
parameters are finally set to v21
and v22
.
EFI_STATUS __fastcall sub_44F4(__int64 a1, char **LogoData, _QWORD *LogoDataSize)
{
...
v11 = gRT->GetVariable("LBLDESPFN", &VendorGuid, 0i64, &DataSize, Data);
v14 = "EFI\\lenovo\\logo\\"
ImagePathSize = 2 * (strlen(v14) + strlen(Data+4)) + 4;
ImagePath = Alloc(ImagePathSize);
if ( ImagePath )
{
snprintf(ImagePath, v16, "%s%s", "EFI\\lenovo\\logo\\", Data + 4);
ReadsLogo(ImagePath, &v21, &v22); // sub_419C
v20 = ChecksCRC32(v21); // sub_43E8
if ( v20 >= 0 )
{
*LogoDataSize = v22;
*LogoData = v21;
*(a1 + 16) = *Data; // Setting the logo format (0=BMP, 1=JPEG..)
}
return v20;
}
(Vulnerable) Image Parsing Protocols
During our analysis of a Lenovo Yoga's firmware image, we observed the presence of the following image parsers:
File Name |
File GUID |
Parsing Protocol GUID |
BmpDecoderDxe |
A9F634A5-29F1-4456-A9D5-6E24B88BDB65 |
A6396A81-8031-4FD7-BD14-2E6BFBEC83C2 |
GifDecoderDxe |
1353DE63-B74A-4BEF-80FD-2C5CFA83040B |
D3E104CB-D03E-44B3-85CF-13067484CB11 |
JpegDecoderDxe |
2707E46D-DBD7-41C2-9C04-C9FDB8BAD86C |
A9396A81-6231-4DD7-BD9B-2E6BF7EC73C2 |
PcxDecoderDxe |
A8F634A5-28F1-4456-A9D5-7E24B99BDB65 |
5CBA0791-E45B-4B3B-BEDB-03FD2CDB5331 |
PngDecoderDxe |
C1D5258B-F61A-4C02-9293-A005BEB3EAA1 |
DB585F02-1DD1-41E2-A7E5-D47B7908CF7C |
TgaDecoderDxe |
ADCCA887-5330-414A-81A1-5B578146A397 |
D7B3A214-29B0-499E-A7DD-7353B16620BB |
Upon analyzing them, we discovered that these drivers exhibit a common structure: the driver entry point function registers the corresponding image parsing protocol using InstallProtocolInterface
and the protocol interface comprises of a single function (an exception is the Gif Decoder protocol that exports four functions) responsible for implementing the actual parser for a specific image type.The prototype of the parsing function is the following:
EFI_STATUS sub_1A689C(
unsigned int *LogoImage, unsigned __int64 LogoImageSize,
char* DecodedLogoImage, unsigned int *DecodedLogoImageSize,
int *LogoWidth, int *LogoHeight
)
Combining Reading and Parsing
We then set out to find a function where an image read from the ESP is passed to any image parsers: after some reversing, we found such function (sub_1C27EC
) in the BdsDxe
driver. Finally, we confirmed our findings empirically: saving an image under EFI\lenovo\logo\mylogo_2240x1400.bmp
and setting the NVRAM variables LBLDESP
and LBLDVC
accordingly was enough to make our custom logo shown during boot.
In the upcoming section "Finding Crashes in Image Parsers" we will discuss how we found crashes in the aforementioned image parsers. In particular, we identified an out-of-bounds bug in the BMP parser that allows an attacker to write any memory address in the 4GB region below a specific heap address with arbitrary values.After installing this maliciously-crafted BMP image, we confirmed that the device bricks during the boot process, as the image parser write to an unmapped memory address.To "unbrick" the device, we found two possible solutions:1) Extract the SSD, connect it to another device, mount the ESP partition and remove the logo image2) Reflash the SPI to rewrite LBLDESP variable (this will effectively remove support from custom logo, since the "MaybeLogoSupport" of LBLDESP_STRUCT will be set to 0)
Please note that we followed the official Lenovo recommendation of "hold the power button for at least 10 second", but this didn't work for us and the device remained unable to boot.
Vulnerability description (Phoenix firmware)
For Phoenix firmware, sub_ABD33C of SystemAcpiBgrtDxe
calculates the six different combinations of ("EFI\Lenovo\logo\mylogo", "EFI\Lenovo\logo\mylogo_WxH")
and (".jpg", ".bmp", ".gif")
and check if the resulting file exists on the ESP. When an existing file is found, the function checks whether the CRC32 of the first 512 bytes of the logo matches the content of the variable LBLDVC
. If the check is successful, the logo image is passed to the image parsing protocol installed by the SystemImageDecoderDxe
module.
File Name |
File GUID |
Parsing Protocol GUID |
SystemImageDecoderDxe |
5F65D21A-8867-45D3-A41A-526F9FE2C598 |
D2221EBF-A7C4-4E87-A89E-BCE6E2485A50 |
The internals of this parsing protocol are quite simple: after finding the logo image type by matching various magic numbers, it invokes the correct parser.This image parsing module supports the following image types: JPEG, GIF89, GIF87 and BMP.
Vulnerability description (AMI firmware)
For AMI firmware, both reading and parsing the logo happen inside the AMITSE
driver.In particular, function sub_3A96C
creates a filename by concatenating the content of the variable LnvOemLogoData
and the string "User.gif"
, and stores the content of the resulting file in a global variable (sub_3A1B8
). If this file does not exists, sub_3A96C
will try a similar approach with string "User.bmp"
.
File Name |
File GUID |
Parsing Function |
AMITSE |
B1DA0ADF-4F77-4070-A88E-BFFE1C60529A |
sub_D5C4 |
The execution will then continue until the image parsing library located at sub_D5C4
is called. This function support parsing the logo as a BMP, PNG, GIF or JPEG image.
Finding Crashes in Image Parsers
To evaluate the robustness of the image parsers mentioned in this advisory, we tested each of them with fuzz testing techniques.This resulted in the discovery of multiple crashes in all tested parsers, except for the PNG parser contained in the Insyde-based firmware.These crashes cover a wide range of issues, from less severe out-of-bounds reads to more critical out-of-bounds arbitrary writes where the attacker controls both the target memory address and the written content.In the next sections we summarize the crashes we found during this security evaluation.
Insyde
Rule ID |
CVE |
Module Name |
Rule Description |
BRLY-LOGOFAIL-2023-001 |
CVE-2023-40238 |
BmpDecoderDxe |
Lack of BmpHeader->ImageOffset validation will lead to OOB Read during BMP file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-002 |
CVE-2023-40238 |
BmpDecoderDxe |
OOB Write in RLE8 decode routine during BMP file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-003 |
CVE-2023-40238 |
BmpDecoderDxe |
OOB Write in RLE4 decode routine during BMP file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-004 |
CVE-2023-40238 |
BmpDecoderDxe |
Lack of ClearCode validation in LZW decoder leads to multiple OOB Read/Write operations during GIF file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-005 |
CVE-2023-40238 |
GifDecoderDxe |
Weak index checking leads to CompressedData OOB Read during GIF file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-006 |
CVE-2023-40238 |
GifDecoderDxe |
Lack of Code validation in LZW decoder leads to multiple OOB Read/Write operations during GIF file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-007 |
CVE-2023-40238 |
GifDecoderDxe |
Unchecked ImageSize (which depends on ImageWidth and ImageHeight) results in allocation of a zero-sized buffer and subsequent writing to it during GIF file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-008 |
CVE-2023-40238 |
JpegDecoderDxe |
Usage of uninitialised JfifData.SosPtr pointer leads to null pointer dereference (in case when JPEG_SOS is not covered during the parsing) during JPEG file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-009 |
CVE-2023-40238 |
JpegDecoderDxe |
Improper loop exit condition will lead to OOB Read from ImagePtr during JPEG file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-010 |
CVE-2023-40238 |
JpegDecoderDxe |
Unchecked DqtCount leads to null pointer dereference during JPEG file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-011 |
CVE-2023-40238 |
PcxDecoderDxe |
Improper input validation leads to OOB Read vulnerabilities during PCX file processing in Insyde firmware |
BRLY-LOGOFAIL-2023-012 |
CVE-2023-40238 |
TgaDecoderDxe |
Improper input validation leads to OOB Read/Write vulnerabilities during TGA file processing in Insyde firmware |
Phoenix
Rule ID |
CVE |
Module Name |
Rule Description |
BRLY-LOGOFAIL-2023-025 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of synchronization between PaletteSize calculated from BitsPerPixel in BMP Image Header and PaletteIndex calculated from data in BMP Image allows OOB Read in Phoenix firmware |
BRLY-LOGOFAIL-2023-026 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of synchronization between ImageSize in BMP Image Header and ImageIndex allows OOB Read in Phoenix firmware |
BRLY-LOGOFAIL-2023-027 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of synchronization between PaletteSize calculated from BitsPerPixel in BMP Image Header and PaletteIndex calculated from data in BMP Image allows OOB Read in Phoenix firmware |
BRLY-LOGOFAIL-2023-028 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on array index leads to OOB Write operations on global data during GIF file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-029 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on array index leads to OOB Write operations on global data during GIF file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-030 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Improper input validation leads to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-031 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-032 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of array index validation leads to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-033 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-034 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-035 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-036 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on output buffer leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-037 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on output buffer leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-038 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of array index validation leads to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-039 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Improper input validation leads to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-040 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-041 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-042 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of array index validation leads to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-043 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-044 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-045 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-046 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware |
BRLY-LOGOFAIL-2023-047 |
CVE-2023-5058 |
SystemImageDecoderDxe |
Lack of validation on chunk length will lead to OOB Read during JPEG file processing in Phoenix firmware |
AMI
Rule ID |
CVE |
Module Name |
Rule Description |
BRLY-LOGOFAIL-2023-013 |
CVE-2023-39539 |
AMITSE |
Lack of BmpHeader->ImageOffset validation will lead to OOB Read during BMP file processing in AMI firmware |
BRLY-LOGOFAIL-2023-014 |
CVE-2023-39539 |
AMITSE |
Lack of validation on chunk length will lead to OOB Read during PNG file processing in AMI firmware |
BRLY-LOGOFAIL-2023-015 |
CVE-2023-39539 |
AMITSE |
Lack of validation on chunk length will lead to OOB Read during PNG file processing in AMI firmware |
BRLY-LOGOFAIL-2023-020 |
CVE-2023-39539 |
AMITSE |
Lack of array index validation leads to OOB Write operations on global data during JPEG file processing in AMI firmware |
BRLY-LOGOFAIL-2023-022 |
CVE-2023-39539 |
AMITSE |
Lack of validation on number of Huffamn tables leads to OOB Write operations during JPEG file processing in AMI firmware |
BRLY-LOGOFAIL-2023-023 |
CVE-2023-39539 |
AMITSE |
Lack of validation on output buffer leads to OOB Write operations during GIF file processing in AMI firmware |
BRLY-LOGOFAIL-2023-024 |
CVE-2023-39539 |
AMITSE |
Lack of validation on array index leads to OOB Write operations on global data during GIF file processing in AMI firmware |
Preliminarly list of affected Lenovo devices
Finally, to evaluate the impact of out findings, we explored an internal dataset of Lenovo firmware. The firmware images contained in the following table matched any of the following rules:- PHOENIX: the module with GUID b8e63775-bb0a-43f0-a843-5be8b14f8ccd
uses LBLDVC
but not LBLDESPFN
- INSYDE: the module with GUID 12aedbea-392d-4e2a-8789-5f6dc6b23661
uses LBLDESPFN
, LBLDVC
and LBLDESP
- AMI: the firmware image contains the strings LnvOemLogoData
and User.gif
Firmware SHA256 |
Firmware Name |
IBV |
1d76bdf63f9ec2472272ec1526dfdcd11397b623bb59b70b04eecc11c8f3a28a |
lenovo-13w-yoga-gen-2-type-82yr- |
PHOENIX |
db938973b534c6b523668e4e95cd2b229023f31d05b33a7e9c07f4da08f34d5f |
lenovo-13w-yoga-type-82s1-82s2 |
PHOENIX |
b2b28688ba1e45e6f8a377817a7782ff0f7fece06128a03d2adc37dc5561443e |
lenovo-500w-yoga-gen-4 |
PHOENIX |
155d55ddea4dc39c34476402b70895169c4f4fbfde25b75753e88078c14bce0b |
yoga-slim-7-pro-14arh5 |
PHOENIX |
14dcb831104f5f66ea038eda1e7e2b1c5bf14049e9cbf1f50cc9f75befd2888e |
yoga-slim-7-pro-14ach5 |
PHOENIX |
eb233270f36bfc7429fb8c495180c29e0e2bc21c01dd203e1e51109fc7d5b893 |
thinkbook-16p-g2-ach |
PHOENIX |
bb05ec781992cb1baff62c282cb346c55bcb49bd5269a90621231567d0b1b3e7 |
thinkbook-13x-g2-iap |
PHOENIX |
99c60719da65fb86566f5d0cf88ed898a31c513b1fdb9732f7414a9ad1ca7c7b |
thinkbook-13s-g4-iap |
PHOENIX |
932bee60fcd1b5b9a719dc004be3da29417dfed0935873372b2899615e1c5546 |
thinkbook-13s-g3-acn |
PHOENIX |
8e68e4dad67aeb254b5006548b7110fc6f39d292a883afdc8ed7dab48525052b |
thinkbook-13s-g4-arb |
PHOENIX |
1f36d9938f792a52ed7590fe7e49b813546a53ee53eb52395e97590b7bf0b525 |
thinkbook-14p-g2-ach |
PHOENIX |
01d5fa9a25ba26ae532a8118bce53f756281b939ba9a86538331b15b6ee5bb66 |
thinkbook-13s-g2-are |
PHOENIX |
b6bd8bd02ac891a4a6c1f449e348cf0e1f430c9fc7fb330c31456d2552c8f881 |
ideapad-5-15alc05 |
PHOENIX |
61b0de3e23983f01b033110e5453e4851ccbc3f0e263e92955a8ffb55c2b50a4 |
ideapad-5-15are05 |
PHOENIX |
2e275c90505ea221dc0df2e3ea6db01d7935c021183b98ac7a830c17875f75fa |
ideapad-3-14are05 |
PHOENIX |
cb66929df86585d6e149d7e2cbec8c3188c0cdbee6453e84a3e2fcda70622ecf |
legion-s7-15arh5 |
PHOENIX |
b8bf19728d6c898f92f62d5d36d4c4fa7a3da6aaed31dce5163e6d0f5914dcc5 |
legion-s7-16iah7 |
PHOENIX |
b800a09abe94bb25ab6b5c60ad5d57e7fd71fb3cec708b51937d3858559fc981 |
legion-s7-15imh5 |
PHOENIX |
a1cede60005eb7d5f8dbe747b3419f50db0552008134ebeab24231cf48961283 |
ideapad-3-17ada6 |
PHOENIX |
84529bfb730625f5280ccd327c7091cbcd7132115f0e90b37ce9181164427b84 |
legion-s7-15ach6 |
PHOENIX |
52e66af20432cc8d7cda77787825451c7822068196235f2cd4a4f27dfeb55c7a |
ideapad-3-17aba7 |
PHOENIX |
3f1ced4b0a868d561c479933c07c02b0f95c1e4cb25910c65560a233f4cc3a8a |
ideapad-5-15aba7 |
PHOENIX |
86b0fd5a3ca5940638a28a794709b72811e15e8167c75e9f6466ea0446abc68b |
yoga-9-14itl5 |
PHOENIX |
2cddcf501b94e7594ad203ebbbf58033fba66f384376faa3dd7c82bd64038192 |
s540-13are |
PHOENIX |
2ccb9acdc52cfb510f5e516ccb8e7125f1e485523a0b70f86f80f7cc9d15c8f1 |
v14-g2-alc |
PHOENIX |
05f62c25f83abf8c9d4a063d294608757bb6eed167b1b1000fc78cb09037cc95 |
500w-gen-3 |
PHOENIX |
c049d45ae31a9b76cb7cfcf44f1d9884c1660311ee2d61b1495887a81d904a86 |
yoga-slim-7-carbon-14acn06 |
INSYDE |
9c72ebb1a98d236e0d584f181e75ca048b0272eaab9b4a2424eccd8642e1c67a |
yoga-slim-7-carbon-13itl5 |
INSYDE |
ca1fbd084c1951eb1f9dbe4ad6812c0e8506e9bb057895d06d9dc404b79429b3 |
thinkbook-16-g4-plus-iap |
INSYDE |
b43835cda195026a97e9fca799ca560b0ead4d3da3c73c5f74dc7f69cf7f4db7 |
lenovo-slim-pro-9-16irp8 |
INSYDE |
9eebc97e3c5ef2cf193fcd5059783a09af40309a1a6e3994bc80561acd4f83fb |
ideapad-gaming-3-15imh05 |
INSYDE |
92e12b8296827b22c5a4530b7f0497ed6a620e84c2ca6da6e308240507306828 |
ideapad-creator-5-16ach6 |
INSYDE |
7a7cffe9458da9e162abdb89f4b2fc19332492472b55c14d83b2435e6ff209cb |
thinkbook-14-g4-plus-ara |
INSYDE |
63fdb0366067554dc1c511cffbf0216d500439574ad40f4bde5ae5c2def8b38e |
yoga-slim-7-pro-14ach5-d |
INSYDE |
9a21333fe796e37e532ef591561e0c7d6c60a36b30fce37f7f35349c4919ba95 |
ideapad-gaming-3-15ach6 |
INSYDE |
7cbdb4c2db5593c59a4afbdfe7098db4a071028a1b0eb4d73ab768f8bcaf30d6 |
yoga-slim-7-prox-14iah7 |
INSYDE |
68c37389316a0c7748a60bcd1e61de575d1eba66f2412b4ee907f13d84ce70f6 |
yoga-slim-7-prox-14arh7 |
INSYDE |
3b70e98f12870c411331ef5eb646aff48dcfacf9b704e8fe5bab036cb2a431a8 |
ideapad-gaming-3-15arh7 |
INSYDE |
3809e1c46af53be5086ba9ae171fa3e1eb026edf4c2c39b9c18247bf4221df6d |
ideapad-gaming-3-16iah7 |
INSYDE |
f21f246933296909a7be66bdaf791b3e57561d32ad412904b866466ce69bde7f |
thinkbook-14s-yoga-itl |
INSYDE |
d86e574f216dce1f2e01d7bd3bb17cfe625b9e97e375ce9d8acf8297ba6193f7 |
yoga-slim-7-pro-14iah7 |
INSYDE |
82255ef3e2a4284b0c2ec87025f6ed584c6e43b0ca691f2af473eb0459960f9b |
yoga-slim-7-pro-14iap7 |
INSYDE |
72e62dd1e5dda74a52502c9fd74dc88f485e88a2b6e055bca39e59ee46fc6756 |
yoga-slim-7-pro-16ach6 |
INSYDE |
cf1f45a06136901ee99e383d2b6481d96d760fc05fb1fa0270e17733b3468dbf |
ideapad-slim-3-14iru8 |
INSYDE |
c70ad930a3726c5cf118e6d40e39467d3670ed31358bae5b16181ddcfc356cb0 |
thinkbook-plus-g3-iap |
INSYDE |
63de84eb9be1ffe8e70f8cdc9b2a5190214569571e04c96843459725a081011a |
ideapad-slim-5-14abr8 |
INSYDE |
39043b50caf912ae2e7f30445cad0d3c175671e7d0697e1b112b290314c404a8 |
thinkbook-plus-g2-itg |
INSYDE |
dc9b09999dc32f01acf2a1a4b2a35ad6afb272a144dd99c35671bc66ffe936c4 |
ideapad-5-pro-14acn6 |
INSYDE |
d53ba1020173d7eea22342047b956047a97213ce54c0084d5dc93d121bcd1b47 |
legion-5-pro-16arh7h |
INSYDE |
c058753d0f7bfd25203358216c3cc0612d1ebd653d7e8834ae7c2a8c904e67b9 |
legion-pro-7-16irx8h |
INSYDE |
9de995e478041484a19c07e4ffec2a54c8c0f82b72895c78db005a5e0c2107cf |
ideapad-pro-5-14irh8 |
INSYDE |
932e5c3b0d1b5e31e80379bdea6c75a5d72c024478f8648f59f72b445f726289 |
slim-7-carbon-13iap7 |
INSYDE |
87334a97ef144fbc9898534b69fee7f1ae38f8dc08f6855872720247fed95ac3 |
ideapad-5-pro-16ihu6 |
INSYDE |
723c250f7d74184d69987cc00cd9ede8bfd136babdfa813a3d6afab1af8a11fa |
ideapad-pro-5-16irh8 |
INSYDE |
6d865ac870050421473a939a9b3122d1b590264d1b0b21173c49629c6cc3ded8 |
ideapad-pro-5-14arp8 |
INSYDE |
64d0d49232426be3e95b982d7c63ec7a86be3efdb36d1820ee8091ee8ed7a73a |
ideapad-5-pro-16iah7 |
INSYDE |
5ebd9c8ff3949428454865a4e62971c8e19d68bb6d525c27a26b313985708227 |
slim-7-carbon-13irp8 |
INSYDE |
4ed12d0b921bcbdb4d836e42e821341cd34ef004bbb724dd681812c9bd2fbc47 |
lenovo-slim-7-16arh7 |
INSYDE |
49a154d5a218d868f0acd6e9cc0bf3c268c59bc265c6d44c44e2efe9b0f1856d |
thinkbook-16p-g4-irh |
INSYDE |
490ee86708e77a073c9d9f5479b4a9bd819765586b44aab548024281f6e034ce |
legion-slim-5-16irh8 |
INSYDE |
45b6641749c9e957cc0777888808ff262a3bccff36fa9612460e0ae0e5d3af11 |
ideapad-pro-5-16arp8 |
INSYDE |
3e27d91dc3a1f16b462e8c0d99452d32f44caf1dc72a9b7a614289647a576b73 |
thinkbook-16p-g3-arh |
INSYDE |
21dd27ac8cac25326c69a6af8a4fb3d726ca1af443fac0486f63e4bc67d4debc |
thinkbook-15p-g2-ith |
INSYDE |
1533e6d0ac4326ab1eb8ccc02eec08365f87ef086ee3f466ad8397b641343db1 |
ideapad-5-pro-16arh7 |
INSYDE |
116c3aac429fcf168e35f512aa152af6541286fa21b30f50f07690814c698019 |
ideapad-5-pro-14itl6 |
INSYDE |
0e0e8bb8e72a33c92c3d6abbbe9730acc0f2b53bd636c7b13f1381e5a6ad9a97 |
thinkbook-14p-g3-arh |
INSYDE |
06a85656d34f1e79f0495050520ddb255d365a6c8847c1b188cd7974ff5370d6 |
thinkbook-16p-nx-arh |
INSYDE |
00bcd2e0a4ad902835fadb423fe823b68f2bc2de2f4a72a13bac5e57cf5b830c |
ideapad-pro-5-14aph8 |
INSYDE |
fcf9699ebc46ce56a7e139921cfb853145895ec6f9ba8dad66596261dfb2b6b8 |
thinkbook-14-g5-irl |
INSYDE |
fc627a69afec7e8a4a84d5323ef20802fe868830e0164d423320e5e8a2e800d1 |
thinkbook-15-g4-aba |
INSYDE |
b3282fcb2d0802e93f7a61b4d942741546f949b635d66d0e33bcbe9a27ed1b41 |
thinkbook-15-g4-iap |
INSYDE |
abb8e73481c7917f5d20e9a4dddb8481975c6fa4b085b26a42e608cb5c88c411 |
yoga-slim-7-13acn05 |
INSYDE |
a2f004322d2646fc82fe3e7175d87634d273f2ba2bb46492a581bb64e19f5209 |
thinkbook-15-g3-itl |
INSYDE |
Firmware SHA256 |
Firmware Name |
IBV |
99fd352586ce4b1008dbb6121579494f6ec209493d6619e4c89c00538dc0403a |
thinkbook-14-g5-abp |
INSYDE |
86ba9ceb2ce3f98f7899aa180811ab1c9a62114ae037a7f25edc3f20c0dc28fb |
thinkbook-15-g3-acl |
INSYDE |
7c1f557b3adb29f66666ecf50a6543fbaac3c172bd8d669a95f74550a0af3759 |
legion-5-pro-16ach6 |
INSYDE |
5d1a34448fc73bf7bf1e93ea2e7bfcbbb42f711853cc84be4b98dd98d1ba2bcc |
thinkbook-14-g2-itl |
INSYDE |
e8a961c0d5dd3826e10e587f930532ab9619c4a1a1378e688804ce302831d17b |
yoga-slim-6-14iap8 |
INSYDE |
e2a4ec4742a3bcc8aebbe21dd430f15c290dbc35d0c48b685fdb466cb2e0e45d |
yoga-slim-6-14irp8 |
INSYDE |
b6005ab451c565dd93078d85d55b2d5c94b987e1d95218ba0e85e93d55d74211 |
legion-5p-15imh05h |
INSYDE |
ac72bfb2549d2f9614689530dc52f1b56d73dd1cd2d7ac414a498a56f0ad88be |
yoga-duet-7-13itl6 |
INSYDE |
703cc02c4962ae11c5c2bef6b29e0013ff51f94d0f564a27a3b3742fd5d58e42 |
yoga-slim-9-14iap7 |
INSYDE |
e875178cab5f7819eaff080ddb822a45e1859e6e78777222953fe6b6e80c2590 |
yoga-aio-9-32irh8 |
INSYDE |
cda60a2a2a732142a2623769e484f51ade3e2939bb1eb89d2dac2f50f5dd86f4 |
lenovo-s14-g2-itl |
INSYDE |
ba5041f65548510ab32ac838ac8b3054a307cd50e6862932e1f9d5e15402d3ed |
ideapad-3-14itl05 |
INSYDE |
a7000dbb987ecccecf18c13fefe022f99555c57c7bb881c6837ace62bfc0fc34 |
ideapad-5-14alc05 |
INSYDE |
917afd374b8d4efd47c49c14fb3cfb9bec25e4382480ae5d5739c9bc49e92410 |
ideapad-5-15itl05 |
INSYDE |
83a76f3bfac11f2f167647b8bc68ac320ef95372f84e0a46b43c2ace2270bee6 |
slim-7-pro-14ihu5 |
INSYDE |
491c5872329872171256a87c4b8783a16240afb4a0e276e54e5a67f8199adf9b |
yoga-pro-9-14irp8 |
INSYDE |
41738a37dfd4de42a853753d15c117f22eeb27f716add0756cd44c7ad5e26051 |
thinkbook-13x-itg |
INSYDE |
37bce5b079f9b6445ec4f951093a3073600a100fc3b2b0f55c4b5cc09d582853 |
yoga-pro-7-14arp8 |
INSYDE |
343b65e30a6cdd04504832f02c9a62929df4b593e5bbb2905f17cc576a9698df |
lenovo-v14-g4-iru |
INSYDE |
17ed5fd57a771ffc46b92421d3f20c7978f32d0c16d9098a5a2f78435cd0e846 |
yoga-pro-7-14irh8 |
INSYDE |
0aa853d42123f292a9f029f2911e8b782cbe29e584618d53629fc1b29763422b |
thinkbook-15p-imh |
INSYDE |
07e7fa3d1f9bd5c86c4cc4bff73931ed6496ec3729c19161aa93c4a078a8a20e |
ideapad-5-14itl05 |
INSYDE |
ed6bac54478a904cffb73d43e728380c1a4adcf7f0b18e18bc2b893ae73a54cb |
ideapad-5-15ial7 |
INSYDE |
ea0a5f36ba54e02e7147572e8229e29aed476ad448d34cca7a3fdec3b2b4e8c6 |
ideapad-5-14ial7 |
INSYDE |
cc89c57b4c808c37124ed879507dfeac92e47b7fc41b985382a29781e84754a3 |
ideapad-5-14aba7 |
INSYDE |
c481d35b3c9da73cd21ca5bdc868d9c3b9a8e378485ecb6432c4ad0df4c33058 |
legion-7-16arha7 |
INSYDE |
bdc30a60dc267f8d54a15c739551efa39dbdfd864ed97a8f30138bc5566ae6ce |
legion-5-15iah7h |
INSYDE |
9545ca8b4f73491eaac1e4bdac281c586bab04934a6abc26b4811dfb91cba5ea |
ideapad-1-14iau7 |
INSYDE |
712463f4e16b22ca43d9464dc20c122e55857b0673a3934f104651a662d57188 |
legion-s7-16irh8 |
INSYDE |
581422831861b928e5dd17c68e36bba597ba55a80d01796e34d2ba6d16169d97 |
legion-5-15ach6a |
INSYDE |
47b30c12ac32376d7b7f11c9e1b42373aa22ee9330f1671cf6f87925898ab394 |
legion-5-17ach6h |
INSYDE |
c0fe6a57c7f6b8e27167a09696a7ff37568ae5679d09e76b205cba909f46598f |
legion-5-17ith6 |
INSYDE |
9025ecd01abdfdf352620bf9d882b0895cfd9fe3a418c9b2356848714e528bea |
legion-7-16iax7 |
INSYDE |
0f9469bbe7f48f12ae444501fc80b231bf37378ab93dea2407f17e3f8f54a0b7 |
legion-5-15imh6 |
INSYDE |
b979d31694cedc0a69b0f1741e98f5a223b2d2a4365b7976144054205712ab1a |
slim-9-14itl05 |
INSYDE |
e7acfeaa3a10cf6245ca1b4bd8e4020f5dc0d8bd9551fbee64215ee947931b8b |
yoga-9-14iap7 |
INSYDE |
a35e8ad66d9b5671a021ad50a128a76319a4b8d4c894d1666370da5b1e88d0f2 |
yoga-7-14irl8 |
INSYDE |
94b8575fcbda9e2dbc90c285817a7b04203ee5b398f0467e65382d8de8ba8e79 |
yoga-9-14irp8 |
INSYDE |
83d9d77d0d92670b2125301bdca2269e606e58690ac74e13d16c462c123c75eb |
yoga-7-14itl5 |
INSYDE |
6a0fd1c866c8045734beb80e0e01f218b05d767864dc57adf0ee2a76036d9b2c |
yoga-6-13abr8 |
INSYDE |
69b1c059bb1762d415ba5ab70ddbe5473f2446e24e129401c83b00ec7c3233d6 |
slim-7-14arh7 |
INSYDE |
5fcf5e54e1aaf566673bfbbf20a534df115a405f0fd6dd897b14bc101cd4380f |
yoga-7-14ial7 |
INSYDE |
538f8d2c146dc0fe9cece93e9a40347b02c4a1c79565120e56968b4ae877fc87 |
yoga-7-14arb7 |
INSYDE |
3dba5c7b03657541a5845622927873b2d262827757ebc9b47596dba7430d67bb |
yoga-6-13alc7 |
INSYDE |
3d7c8f3b1d1593405e5856ca7476b8a1a7ffbe871fcadc6626a54c8a384e7818 |
yoga-7-14arp8 |
INSYDE |
30437f4e2483793ac669d8e34f1419ad399ddf33a8d156e542587bfa8059ec01 |
yoga-7-14acn6 |
INSYDE |
03d37906868c7208650c4028cc8d7d379c98238d21f70e6194354ddae43bf79b |
slim-7-16iah7 |
INSYDE |
563854363ecb14ac0e06d6eb0a379fffead17ca4d7e9f12a3a82d380e49e9f82 |
s540-13itl |
INSYDE |
1e835bb11de9e5ae297025cc8b97aae94fdbcdecdf60c76105916b508700517c |
5-15iil05 |
INSYDE |
a30324477402cc892c0d01cdac54d58e9ca74e83a21687d2225bdc6f9b02e91a |
thinkcentre-m75q-gen-2-type-11jn |
AMI |
ad4b6fbfd46e54b936877eb07241884fefab2def7cbc920c9ef06759c652dccb |
thinkcentre-m75s-gen-2-cezanne |
AMI |
e7507b8640989442ef0dc8e3229ca461cfc93bf1195acf1fab60f855542e73fe |
ideacentre-gaming-5-17acn7 |
AMI |
99d69181b34c4b6a7a473819de84559466553eb11470febbb4a7de35394f22e7 |
thinkcentre-m75q-gen-2 |
AMI |
633a4ac1b0454cf9ade2b9c709836d0388c4dcc01c6e8a9d9498b56259e9f10d |
thinkcentre-m75s-gen-2 |
AMI |
0f67e2143a15ac811eeade9bf797da614aa9983902f3058c3e057cc4546d4676 |
thinkcentre-m75t-gen-2 |
AMI |
6b300725000c12a943331fe41dcb838c4ae73c1ef072c0732b9d8cc30a6f3a64 |
ideacentre-3-07ada05 |
AMI |
50031e2bd2517da06da4c601611ab7006c3342e31e0421a9c79aad7b17f2a8a3 |
ideacentre-3-07ach7 |
AMI |
d353fe465045d7f089060164032cd87f41332a99275edba8f3b37a5ed4c91354 |
thinkcentre-m90n-1 |
AMI |
030cc9dbd4f4cf255d4a22eb68ebd5016d2ee94b44003ed002ed272564ee7b0d |
thinkcentre-m75s-1 |
AMI |
ed7506185df3328be559b9168b400f83bfb409e925c837eb2f299f2fbb09920e |
thinkstation-p620 |
AMI |
b7bd6dda1075ab49cfcafc181c47d5195c2f7939ca6f26aee69df69c01204d43 |
legion-t5-28imb05 |
AMI |
af01d82108b980088823e71932546bdea5e0248565e495f6b3c4876cf15f72ae |
thinkcentre-m630e |
AMI |
02276d9cef00a8ae90416b2b2a6a6fc475b9f049bfa6d7a9173bbd2469cdc56f |
thinkstation-p358 |
AMI |
b9a0f4332d926332c894b95db3f4249b1d5c2958e8bd79b469db608464279189 |
legion-t5-26amr5 |
AMI |
af2d2ebdf6372be914901ed95418da58ec59a39e3cdfc61cc454e55582db1d04 |
v55t-gen-2-13acn |
AMI |
68bef25a337a3d30619802f079d9ddaccf2a8dbb798f5ac4c79c8858e72c8d9b |
legion-t7-34irz8 |
AMI |
0545325e0de4ef4307feed4d9b0421911e33ce2fb1780c1094cdbd46042bc150 |
legion-t5-26iab7 |
AMI |
0328b7c4f1cb6d6804aecf1ab6727d3c16a5f0aeab01ee0c335ebc84abdb2f28 |
legion-t5-26iob6 |
AMI |
849a186a41e81ad53a0dc6dd637a40756fdd6a22afe0ccf0d824a965855657ce |
thinkedge-se50 |
AMI |
2c3c42affc1801ab7505e0a9b2ca60ab3e9fc0bdc21d2ad3362f1103b85de68b |
aio-3-24alc6 |
AMI |
bf213fcd861822d70eb9c69338a3096f4eed56c41e769851f320d12a0c40dd42 |
v530-15icr |
AMI |
5acf77741f6ccfa1361615db15acf280da4b2f6521daebfa64452d043fad18f5 |
a540-24api |
AMI |
1372ce9078029ca7f6aec83e2f9574bf778a5ae31e165991531429f34bd42922 |
510s-07ick |
AMI |
7da53c133a62faca4d0c8437a8041b225d7a6c35d21192ff1a21e1e1547b39f7 |
5-14are05 |
AMI |
66090831b56ccb0828b6f43d428e75e7e988e35436b9d3e9d86b54181e7197a4 |
m75q-1 |
AMI |
How to fix it
The easiest way to fix this issue is to disable the support for user-supplied logos.However, on the longer term, we the recommended to either support only BMP files and use the well-tested BMP parsing libraries to process the logos.In case Lenovo wants to support multiple image file formats then we recommend to thoroughly test any image parsers shipped with Lenovo firmware.
Disclosure timeline
This bug is subject to a 90 day disclosure deadline. After 90 days elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
Disclosure Activity |
Date (YYYY-mm-dd) |
Lenovo PSIRT is notified |
2023-06-21 |
Lenovo ID (LEN-132940) is assigned |
2023-06-22 |
CERT/CC is notified |
2023-07-10 |
Insyde PSIRT confirmed reported issues |
2023-09-10 |
AMI PSIRT confirmed reported issues |
2023-10-05 |
Insyde PSIRT assigned CVE ID |
2023-11-27 |
Phoenix PSIRT assigned CVE ID |
2023-11-30 |
AMI PSIRT assigned CVE ID |
2023-12-01 |
Insyde advisory release date |
2023-12-06 |
Phoenix advisory release date |
2023-12-06 |
BINARLY public disclosure date |
2024-01-22 |
Acknowledgements
Binarly REsearch Team