CVE-2023-5058

Vulnerability

A vulnerability in Phoenix SecureCore™ Technology™ 4, a UEFI firmware, arises from improper input validation during the parsing of user-supplied splash screen images (logo images) at early boot. The flaw exists in image parsing libraries that process these image files from the EFI system partition (ESP) [1]. Because these libraries run in a high-privilege context (the UEFI Driver Execution Environment, DXE), a malicious or malformed image can trigger a buffer overflow or other parsing error, leading to denial-of-service or arbitrary code execution [2]. Affected versions include all releases of Phoenix SecureCore™ Technology™ 4 prior to the fixed firmware update [2].

Exploitation

An attacker must have local privileged access (e.g., administrator-level or the ability to modify files on the ESP) to place a specially crafted splash screen image in the ESP [1]. No user interaction is required beyond the attacker's ability to write to the ESP; the vulnerable code path is triggered automatically during the next system boot. Additionally, an attacker could bundle a malicious image into a firmware update package, exploiting the vulnerability during a firmware flash [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the UEFI DXE phase, which operates at the highest privilege level in the firmware environment [2]. This can bypass Secure Boot mechanisms, compromise system integrity, and enable persistent, stealthy control over the device [2]. The attacker could also cause a denial-of-service, preventing the system from booting normally. The compromise is at the firmware level, making it difficult to detect or remove by standard OS security measures.

Mitigation

Phoenix Technologies recommends customers update their firmware to the latest version provided by their hardware vendor, which includes a fix for this vulnerability [2]. The specific release date of the patched firmware may vary by vendor. If no update is yet available, organizations should restrict physical and administrative access to systems to reduce the risk of local exploitation. There is no known workaround that does not involve a firmware update. This CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.