BootKitty UEFI Malware Exploits LogoFAIL Flaw to Target Linux Systems

December 2, 2024

The 'Bootkitty' Linux UEFI bootkit, a recently discovered malware, leverages the LogoFAIL vulnerability, also known as CVE-2023-40238, to target vulnerable firmware on computers. This information has been confirmed by Binarly, a firm specializing in firmware security. They initially identified the LogoFAIL flaw in November 2023 and warned about its potential for exploitation in real-world attacks.

ESET, a cybersecurity firm, discovered Bootkitty and published a report on it last week. They noted that Bootkitty is the first UEFI bootkit specifically designed to target Linux. However, at present, it is more of an under-development malware that only works on certain Ubuntu versions.

LogoFAIL represents a series of vulnerabilities in the image-parsing code of UEFI firmware images, which are used by various hardware manufacturers. These vulnerabilities can be exploited by malicious images or logos placed on the EFI System Partition (ESP). As Binarly explained, "When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms."

According to Binarly's latest analysis, Bootkitty embeds malicious code within BMP files to bypass Secure Boot protections. It does this by injecting rogue certifications into the MokList variant. After diverting execution to the malicious code, Bootkitty restores the overwritten memory locations in the vulnerable function with original instructions, effectively erasing any signs of tampering.

Currently, Bootkitty could potentially affect any device that hasn't been patched against LogoFAIL. Its current malicious code expects specific code used in firmware modules found on Acer, HP, Fujitsu, and Lenovo computers. Binarly's analysis of the bootkit.efi file determined that Lenovo devices based on Insyde are the most susceptible. This is because Bootkitty references specific variable names and paths used by this brand. However, this could also indicate that the developer is merely testing the bootkit on their own laptop and may add support for a wider range of devices in the future.

Despite the warning signs about LogoFAIL over a year ago, many affected parties remain vulnerable to one or more variants of the LogoFAIL vulnerabilities. As Binarly warns, "Bootkitty serves as a stark reminder of the consequences of when these vulnerabilities are not adequately addressed or when fixes are not properly deployed to devices in the field." To mitigate the LogoFAIL risk, users should limit physical access, enable Secure Boot, password-protect UEFI/BIOS settings, disable boot from external media, and only download firmware updates from the OEM's official website.

Latest News

• Critical Authentication Flaw in ProjectSend Exploited by Hackers
• Russian Hacker 'Matrix' Builds Powerful DDoS Botnet Using Publicly Available Tools
• NachoVPN: New Attack Strategy Exploits VPN Vulnerabilities for Malicious Activities
• Russian APT 'RomCom' Exploits Zero-Day Vulnerabilities in Firefox, Tor
• GhostSpider: New Addition to Salt Typhoon's Malware Toolkit