- LogoFail Vulnerability Patch
12-07-2023 04:54 AM - edited 01-10-2024 11:13 AM
Hi All, I am looking for an update from HP that addresses the LogoFAIL security vulnerability (CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238). The HP Support Assistant app tells me that there are no updates available (it has been like this for months now); however, the Hewlett Packard support website did have a more recent BIOS version available (F.13 Rev. A), which I have installed, but there are no associated release notes as far as I can see. The vulnerability seems particularly serious as it is pre-OS and bypasses all boot security measures, so I am keen to get this patched as soon as possible.
So, 2 questions: has HP released any updates to address LogoFAIL, and if so, is BIOS Update F.13 Rev. A it?
Many thanks
[Note: I have a HP Envy x360 Laptop, in support until 2025]
[UPDATE 16-Dec-23: Contacted HP Support through WhatsApp, they tried their best (very slowly, over 3 days) but haven't even heard of the issue and gave up, pointing me instead to telephone tech support - I'll chase up after the weekend to see if I can get an answer and let everyone know here]
[UPDATE 18-Dec-23] I spoke with tech support in the UK and they were unaware of the issue and unable to help - although they did offer to reset my laptop and put me in touch with Microsoft - neither of which has anything to do with the security vulnerability 🙂. I tried asking to escalate; they claimed there was nothing else they could do, but then offered a call-back with a different tech support agent. This hasn't happened yet. @HP Moderators - anything you can do?]
[UPDATE 19-Dec-23] The promised call back from HP didn't happen, so I did a little more investigation. I am not a cyber security expert, but this resource looks really useful as it highlights the position of each of the vendors/manufacturers : VU#811862 - Image files in UEFI can be abused to modify boot behavior (cert.org). At time of posting this, HP have either not investigated this issue, or have not yet shared the results/a plan for resolution. (unlike others: BIOS Image Parsing Function Vulnerabilities (LogoFAIL) - Lenovo Support US)
[UPDATE 20-Dec-23] I have found the HP Site where the security update should be announced (https://support.hp.com/gb-en/security-bulletins) there are some UEFI related ones in there already, but no confirmation they specifically address Logo FAIL. There is an enterprise announcement, however: Hewlett Packard Enterprise Critical Product Security Vulnerability Alerts (hpe.com), so perhaps the consumer device side of the business will follow soon. Fingers crossed!
[UPDATE 10-Jan-24] a month since I posted this and still nothing from HP. I have found out indirectly that AMI (the Independent BIOS Vendor who supplies HP for my HP manufactured motherboard) have released an update to address LogoFAIL, it is HP's responsibility to update the BIOS for my laptop - COME ON HP!
01-03-2024 12:10 PM
My experience trying to interact with HP support on this topic has been pretty much the same. Support has no clue, has never heard of the vulnerability, and the Level 1 tech support woman I spoke to (very nice but clueless) offered to escalate, which only resulted in my getting a generic email with the same security bulletins link which, as ScootJ noted, has no mention of this particular vulnerability. Lucky for us, only ~15% of our inventory is HP (the rest is Lenovo, and they are ON TOP of this), and we are definitely NOT buying any more. Major FAIL HP!
01-03-2024 05:38 PM
I believe LogoFAIL was only discovered, or the vulnerability made public, in early December. Anything issued prior to that won't address it. Fwiw, Asus issued BIOS updates for many of their current motherboards on Dec 28th. I have an HP Pavilion, but I'm not holding my breath for a timely BIOS update.
01-04-2024 05:32 AM - edited 01-04-2024 05:38 AM
Security researchers Binarly went public on the 29th Nov 23. LogoFAIL looks to be an umbrella term for a number of specific but related vulnerabilities, no doubt discovered over a number of months. Binarly's article implies suppliers were alerted well before November 29th (The Far-Reaching Consequences of LogoFAIL | Binarly – AI-Powered Firmware Supply Chain Security Pla...). I am not expecting an immediate fix, as HP BIOSes are supplied by AMI (one of the affected IBVs), so HP will largely be dependent on them to sort it. However, given the nature and impact of the issue, I do expect an immediate and proactive response from HP confirming whether this is indeed a vulnerability we should be concerned about, and a rough timescale for a fix. I.e. pull your finger out HP and issue some authoritative comms around this!
01-05-2024 04:42 AM
Interesting, I had a BIOS update dated 05-Sep-2023 - it may have fixed the problem too, but no associated release notes were shared, so I can't tell. In the absence of any comms from HP I'd rather assume the worst in situations like this.
01-08-2024 09:04 AM
My BIOS update had this description on the HP site: "Provides improved security of UEFI code. NOTE: HP strongly recommends promptly transitioning to this updated BIOS version which supersedes all previous releases." That sure sounds like it's the LogoFAIL fix to me.
01-08-2024 10:09 AM - edited 01-08-2024 10:21 AM
Looks like there's a new security update from HP: AMD Client UEFI Firmware November 2023 Security Update | HP® Customer Support. It is UEFI-related, but doesn't appear to address the CVEs under the LogoFAIL umbrella, and doesn't mention LogoFAIL. It also says 'Consumer Notebook PCs' are 'Under investigation'. So unfortunately none the wiser right now - back to waiting ....
01-08-2024 11:03 AM
When you search for "logofail" in the "knowledge library" the only hits are this thread and others asking for a status update.
It's still unclear to me how this vulnerability is exploited on a home PC. The articles about it say no physical access to the computer is required, which implies it must be introduced via the internet. Since it can bypass Secure Boot protections and isn't contained by anti-virus software, does that mean it gets downloaded from the internet during the boot process and somehow changes the (BIOS) firmware? I'd like to see an explanation written for end users, not for computer programmers.
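Editor's note on the question above. Binarly's LogoFAIL write-up describes the bugs as memory-safety flaws in the image parsers (BMP, PNG, GIF and others) that firmware uses to draw the boot logo. The firmware parses that image very early in boot, before Secure Boot checks anything the OS will later load, and on many platforms the logo can be replaced by writing a crafted image file to the EFI System Partition (ESP) from a running OS with administrator rights (malware can do this remotely; no physical access is needed). Nothing is "downloaded during boot"; the malicious image is planted ahead of time and the firmware trips over it on the next reboot. Until a fixed BIOS ships, one defensive check is to audit the ESP for image files that are not the ones the vendor put there. The script below is an added example written for this thread, not code from HP, Binarly or any poster; the ESP layout, the allowlist of known-good hashes and the 4096-pixel size threshold are assumptions, and the sample files it scans are constructed in a temporary directory.

```python
"""Audit an EFI System Partition for LogoFAIL-style image tampering (added example).

Identifies image files by content rather than extension, hashes them against an
allowlist of known-good SHA-256 values, and sanity-checks BMP headers for the
out-of-range dimensions that the LogoFAIL parser bugs are triggered by.
"""
import hashlib
import os
import struct
import tempfile
from typing import Dict, List, Optional

# Magic bytes for raster formats that UEFI boot-logo parsers commonly handle.
MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"\xff\xd8\xff": "jpeg",
}
MAX_DIMENSION = 4096            # assumed upper bound for a plausible boot logo
VALID_BPP = {1, 4, 8, 16, 24, 32}


def detect_format(data: bytes) -> Optional[str]:
    """Return the image format implied by the file's leading bytes, or None."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def bmp_header_problem(data: bytes) -> Optional[str]:
    """Describe a suspicious BMP header, or return None if it looks sane."""
    if len(data) < 30:
        return "truncated header"
    pixel_offset = struct.unpack_from("<I", data, 10)[0]   # BITMAPFILEHEADER.bfOffBits
    width, height = struct.unpack_from("<ii", data, 18)    # BITMAPINFOHEADER.biWidth/biHeight
    bpp = struct.unpack_from("<H", data, 28)[0]            # BITMAPINFOHEADER.biBitCount
    if pixel_offset > len(data):
        return f"pixel data offset {pixel_offset} beyond file length {len(data)}"
    # Negative height is legal (top-down bitmap); negative or zero width is not.
    if width <= 0 or width > MAX_DIMENSION or height == 0 or abs(height) > MAX_DIMENSION:
        return f"implausible dimensions {width}x{height}"
    if bpp not in VALID_BPP:
        return f"invalid bits-per-pixel {bpp}"
    return None


def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal BMP with the given header fields (pixel data zeroed); used for samples."""
    row_bytes = ((width * bpp + 31) // 32) * 4 if width > 0 else 0
    pixels = b"\x00" * (row_bytes * abs(height))
    header = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    return header + info + pixels


def scan_esp(root: str, allowlist: Dict[str, str]) -> List[Dict[str, str]]:
    """Walk the mounted ESP at root; return one finding per image file.

    status is 'allowlisted', 'unknown' (image not in the allowlist) or
    'suspicious_header' (BMP header fields a sane logo would never have).
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            fmt = detect_format(data)
            if fmt is None:
                continue
            digest = hashlib.sha256(data).hexdigest()
            problem = bmp_header_problem(data) if fmt == "bmp" else None
            if problem:
                status = "suspicious_header"
            elif digest in allowlist:
                status = "allowlisted"
            else:
                status = "unknown"
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "format": fmt, "sha256": digest, "status": status,
                "detail": problem or allowlist.get(digest, ""),
            })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> List[Dict[str, str]]:
    """Scan a constructed ESP layout: a vendor logo, a renamed PNG, and a malformed BMP."""
    with tempfile.TemporaryDirectory() as esp:
        oem = os.path.join(esp, "EFI", "OEM")
        os.makedirs(oem)
        good = make_bmp(64, 32)
        with open(os.path.join(oem, "logo.bmp"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(oem, "readme.txt"), "wb") as fh:     # extension lies; content is PNG
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        with open(os.path.join(oem, "splash.bmp"), "wb") as fh:     # width field = -1 (0xFFFFFFFF)
            fh.write(make_bmp(-1, 16))
        allowlist = {hashlib.sha256(good).hexdigest(): "vendor logo (constructed sample)"}
        return scan_esp(esp, allowlist)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['status']:<18} {finding['format']:<5} {finding['path']}  {finding['detail']}")
```

To use it on a real machine, mount the ESP read-only (on Linux it is usually already at /boot/efi; on Windows, `mountvol S: /S` from an elevated prompt) and pass that path plus the hashes of the logo files you recorded on a known-clean system; any 'unknown' or 'suspicious_header' result is worth a closer look, and the header check catches renamed or padded files that a plain extension filter would miss.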