HP Recommended
HP ENVY x360 15.6 inch 2-in-1 Laptop PC 15-eu0000 (267R8AV)

Hi All, I am looking for an update from HP that addresses the LogoFAIL security vulnerability (CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238). The HP Support Assistant app tells me that there are no updates available (it has been like this for months now); however, the Hewlett Packard support website did have a more recent BIOS version available (F.13 Rev. A), which I have installed, but there are no associated release notes as far as I can see. The vulnerability seems particularly serious as it is pre-OS and bypasses all boot security measures, so I am keen to get this patched as soon as possible.


So 2 questions: has HP released any updates to address LogoFAIL, and if so, is BIOS Update F.13 Rev. A it?


Many thanks


[Note: I have a HP Envy x360 Laptop, in support until 2025]

[UPDATE 16-Dec-23: Contacted HP Support through WhatsApp, they tried their best (very slowly, over 3 days) but haven't even heard of the issue and gave up, pointing me instead to telephone tech support - I'll chase up after the weekend to see if I can get an answer and let everyone know here]

[UPDATE 18-Dec-23] I spoke with tech support in the UK and they were unaware of the issue and unable to help, although they did offer to reset my laptop and put me in touch with Microsoft, neither of which have anything to do with the security vulnerability 🙂. I tried asking to escalate; they claimed there was nothing else they could do, but then offered a call-back with a different tech support agent. This hasn't happened yet. @HP Moderators - anything you can do?]

[UPDATE 19-Dec-23] The promised call back from HP didn't happen, so I did a little more investigation. I am not a cyber security expert, but this resource looks really useful as it highlights the position of each of the vendors/manufacturers: VU#811862 - Image files in UEFI can be abused to modify boot behavior (cert.org). At time of posting this, HP have either not investigated this issue, or have not yet shared the results/a plan for resolution (unlike others: BIOS Image Parsing Function Vulnerabilities (LogoFAIL) - Lenovo Support US).

[UPDATE 20-Dec-23] I have found the HP site where the security update should be announced (https://support.hp.com/gb-en/security-bulletins). There are some UEFI related ones in there already, but no confirmation they specifically address LogoFAIL. There is an enterprise announcement, however: Hewlett Packard Enterprise Critical Product Security Vulnerability Alerts (hpe.com), so perhaps the consumer device side of the business will follow soon. Fingers crossed!

[UPDATE 10-Jan-24] A month since I posted this and still nothing from HP. I have found out indirectly that AMI (the Independent BIOS Vendor who supplies HP for my HP manufactured motherboard) have released an update to address LogoFAIL; it is HP's responsibility to update the BIOS for my laptop - COME ON HP!

HP Recommended

My experience trying to interact with HP support on this topic has been pretty much the same. Support has no clue, have never heard of the vulnerability, and the Level 1 tech support woman I spoke to (very nice but clueless) offered to escalate, which only resulted in my getting a generic email with the same security bulletins link which, as ScootJ noted, has no mention of this particular vulnerability. Lucky for us, only ~15% of our inventory is HP (the rest is Lenovo, and they are ON TOP of this), and we are definitely NOT buying any more. Major FAIL HP!

HP Recommended

I believe LogoFAIL was only discovered, or the vulnerability made public, in early December. Anything issued prior to that won't address it. FWIW, Asus issued BIOS updates for many of their current motherboards on Dec 28th. I have an HP Pavilion but I'm not holding my breath for a timely BIOS update.

HP Recommended

Security researchers Binarly went public on the 29th Nov 23. LogoFAIL looks to be an umbrella term for a number of specific but related vulnerabilities, no doubt discovered over a number of months. Binarly's article implies suppliers were alerted well before November 29th (The Far-Reaching Consequences of LogoFAIL | Binarly – AI -Powered Firmware Supply Chain Security Pla...). I am not expecting an immediate fix as HP BIOSs are supplied by AMI (one of the affected 'IBVs'), so HP will largely be dependent on them to sort it. However, given the nature and impact of the issue, I do expect an immediate and proactive response from HP confirming whether this is indeed a vulnerability we should be concerned about, and a rough timescale for a fix. I.e. pull your finger out HP and issue some authoritative comms around this!

HP Recommended

I don't disagree with that! Btw, I'm pretty sure my HP laptop BIOS is from Insyde, not AMI.

HP Recommended

I just got a BIOS update today (and mine is from Insyde). F.24 is dated 11/2/2023. Maybe HP is on top of this after all!

HP Recommended

Interesting. I had a BIOS update dated 05-Sep-2023 which may have fixed the problem too, but no associated release notes were shared so I can't tell. In the absence of any comms from HP I'd rather assume the worst in situations like this.

HP Recommended

My BIOS update had this description on the HP site: "Provides improved security of UEFI code. NOTE: HP strongly recommends promptly transitioning to this updated BIOS version which supersedes all previous releases." That sure sounds like it's the LogoFAIL fix to me.

HP Recommended

Looks like there's a new security update from HP: AMD Client UEFI Firmware November 2023 Security Update | HP® Customer Support. It is UEFI related, but doesn't appear to address the CVEs under the LogoFAIL umbrella, and doesn't mention LogoFAIL. It also says 'Consumer Notebook PCs' are 'Under investigation'. So unfortunately none the wiser right now - back to waiting...

HP Recommended

When you search for "logofail" in the "knowledge library" the only hits are this thread and others asking for a status update.

It's still unclear to me how this vulnerability is exploited on a home PC. The articles about it say no physical access to the computer is required, which implies it must be introduced via the internet. Since it can bypass secure boot protections and isn't contained by anti-virus software, does that mean it gets downloaded from the internet during the boot process and somehow changes the (BIOS) firmware? I'd like to see an explanation written for end users, not for computer programmers.
