The recently uncovered ‘Bootkitty’ Linux UEFI bootkit exploits the LogoFAIL flaw, tracked as CVE-2023-40238, to target computers running vulnerable firmware.
Firmware security firm Binarly confirmed this, having discovered LogoFAIL in November 2023 and warned about its potential use in actual attacks.
Bootkitty and LogoFAIL connection
ESET discovered Bootkitty and published a report last week, noting that it is the first UEFI bootkit specifically targeting Linux. However, at this time, it functions more as an in-development UEFI malware that only works on specific Ubuntu versions, rather than posing a widespread threat.
LogoFAIL represents a set of flaws in the image-parsing code of UEFI firmware images used by various hardware vendors. Malicious images or logos planted on the EFI System Partition (ESP) can exploit these vulnerabilities.
“When these images are parsed during boot, attackers can trigger the vulnerability to execute a payload that hijacks the execution flow and bypasses security features like Secure Boot, including hardware-based Verified Boot mechanisms,” Binarly previously explained.
Binarly’s latest report reveals that Bootkitty embeds shellcode within BMP files (‘logofail.bmp’ and ‘logofail_fake.bmp’) to bypass Secure Boot protections by injecting rogue certificates into the MokList variable.
Malicious image files (Source: Binarly)
The ‘logofail.bmp’ file embeds shellcode at its end, and a negative height value (0xfffffd00) triggers the out-of-bounds write vulnerability during parsing.
Attackers replace the legitimate MokList with a rogue certificate, effectively authorizing a malicious bootloader (‘bootkit.efi’).
After diverting execution to the shellcode, Bootkitty restores the original instructions in overwritten memory locations within the vulnerable function (RLE8ToBlt), erasing any obvious signs of tampering.
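As an added illustration, not code from Binarly, ESET or the Bootkitty project, the following Python check looks for the two file-level traits the report attributes to ‘logofail.bmp’: a negative height field on an RLE-compressed bitmap (a combination the BMP format does not allow) and data appended beyond the declared file size. The BMP bodies used as input are constructed inline, one benign and one carrying the suspicious traits; the real sample's shellcode is not part of them.

```python
import struct

BI_RGB, BI_RLE8, BI_RLE4 = 0, 1, 2
FILE_HDR = "<2sIHHI"        # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)

def build_bmp(height, compression, pixel_data, trailer=b""):
    """Constructed test input: 14-byte file header + 40-byte info header + pixels.
    No palette is emitted; the file only needs enough structure for the checks."""
    offset = 14 + 40
    info = struct.pack(INFO_HDR, 40, 4, height, 1, 8, compression,
                       len(pixel_data), 2835, 2835, 0, 0)
    header = struct.pack(FILE_HDR, b"BM", offset + len(pixel_data), 0, 0, offset)
    return header + info + pixel_data + trailer

def inspect_bmp(data):
    """Return a list of findings for one BMP body; an empty list means nothing suspicious."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file"]
    bf_size, _, _, off_bits = struct.unpack_from("<IHHI", data, 2)
    _, width, height, _, _, compression, image_size = struct.unpack_from("<IiiHHII", data, 14)
    findings = []
    # Top-down (negative height) DIBs are legal only for uncompressed pixel data;
    # a negative height on an RLE image matches the trait described for logofail.bmp.
    if height < 0 and compression in (BI_RLE8, BI_RLE4):
        findings.append(f"negative height 0x{height & 0xffffffff:08x} with RLE compression {compression}")
    # Bytes past bfSize are never needed to render the image; a payload appended
    # to the end of the file shows up here.
    if len(data) > bf_size:
        findings.append(f"{len(data) - bf_size} bytes appended beyond declared bfSize")
    # Pixel data that claims to extend past the end of the file is also malformed.
    if off_bits + image_size > len(data):
        findings.append("declared pixel data runs past end of file")
    return findings

if __name__ == "__main__":
    # Triage use: point it at image files found on an ESP.
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_bmp(fh.read()) or "clean")
```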
Bootkitty attack overview (Source: Binarly)
Impact on specific hardware
Binarly explains that Bootkitty could impact any device not yet patched against LogoFAIL, but its current shellcode targets specific firmware modules found on Acer, HP, Fujitsu, and Lenovo computers.
The researchers analyzed the bootkit.efi file and identified Lenovo devices based on Insyde as the most susceptible, noting that Bootkitty references specific variable names and paths used by this brand. However, they suggest that the developer might be testing the bootkit on their own laptop and could add support for more devices in the future.
Some widely used devices with firmware still vulnerable to LogoFAIL exploits include the IdeaPad Pro 5-16IRH8, Lenovo IdeaPad 1-15IRU7, Lenovo Legion 7-16IAX7, Lenovo Legion Pro 5-16IRX8, and Lenovo Yoga 9-14IRP8.
“It’s been more than a year since we first sounded the alarm about LogoFAIL, yet many affected parties remain vulnerable to one or more variants of these vulnerabilities,” warns Binarly.
“Bootkitty is a stark reminder of the consequences when these vulnerabilities are not adequately addressed or when fixes are not properly deployed to devices in the field.”
If no security updates are available to mitigate the LogoFAIL risk, users should limit physical access, enable Secure Boot, password-protect UEFI/BIOS settings, disable booting from external media, and only download firmware updates from the OEM’s official website.
Update 12/2/24: ESET updated its original Bootkitty article today, revealing that cybersecurity students in Korea’s Best of the Best (BoB) training program created the project.
“The primary goal of this project is to raise awareness within the security community about potential risks and encourage proactive measures to prevent similar threats,” the program explained to ESET.
“Unfortunately, few bootkit samples were disclosed before the planned conference presentation.”
Source: BleepingComputer, Bill Toulas