BootKitty: The First Linux UEFI Bootkit Exploiting the LogoFAIL Flaw


A new form of UEFI malware, named BootKitty, has been discovered targeting Linux systems by exploiting a serious firmware vulnerability known as LogoFAIL. Tracked as CVE-2023-40238, the flaw affects vulnerable UEFI firmware and was identified by firmware security firm Binarly. First reported in November 2023, LogoFAIL has raised concerns because of its potential for exploitation in real-world attacks.

BootKitty and the LogoFAIL Vulnerability

Discovered by ESET, BootKitty is the first known UEFI bootkit aimed at Linux systems, specifically exploiting the LogoFAIL vulnerability. While it is still under development and not yet a widespread threat, this bootkit can target certain versions of Ubuntu. This makes it a critical concern for Linux users running vulnerable firmware.

LogoFAIL is a set of flaws found within the image-parsing code of UEFI firmware, which is used by a variety of hardware vendors. These flaws can be exploited through malicious images or logos placed on the EFI System Partition (ESP). When the system boots and attempts to parse these images, the vulnerability can be triggered, allowing attackers to execute arbitrary payloads. This enables attackers to hijack the system’s execution flow, bypass Secure Boot protections, and evade hardware-based security mechanisms like Verified Boot.

Binarly explains that BootKitty leverages these vulnerabilities by embedding shellcode into BMP files, specifically logofail.bmp and logofail_fake.bmp. These files allow the malware to bypass Secure Boot defenses by injecting a rogue certificate into the MokList variable. The malformed image triggers an out-of-bounds write when the firmware parses the BMP, and that write is what allows the embedded shellcode to run.
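Because the bootkit's persistence rests on an unexpected entry in MokList, a defender wants a way to enumerate what is actually enrolled and compare it against the keys they expect. The following is an added example, not code from the article, ESET or Binarly: it parses the EFI_SIGNATURE_LIST structures that MokList is made of (the format from the UEFI specification), fingerprints each entry, and reports anything not on an allow-list. The efivarfs path for shim's runtime copy of the list (MokListRT under shim's GUID) and the 4-byte attribute prefix are standard, but the allow-list values and the two certificate payloads below are constructed placeholders.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs from the UEFI specification, and shim's vendor GUID used for MokList.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHIM_LOCK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")

# Runtime copy of MokList that shim publishes; efivarfs prefixes the data with 4 attribute bytes.
MOKLIST_RT = Path(f"/sys/firmware/efi/efivars/MokListRT-{SHIM_LOCK_GUID}")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk consecutive EFI_SIGNATURE_LIST structures and return (type, owner, data) per entry."""
    entries = []
    off = 0
    while off + SIG_LIST_HDR.size <= len(blob):
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < SIG_LIST_HDR.size or end > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI GUIDs are stored in mixed-endian (bytes_le) form
        pos = off + SIG_LIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner precedes SignatureData
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def fingerprint(sig_type: uuid.UUID, data: bytes) -> str:
    """SHA-256 over the DER certificate for X.509 entries; the stored digest itself for SHA256 entries."""
    if sig_type == EFI_CERT_SHA256_GUID:
        return data.hex()
    return hashlib.sha256(data).hexdigest()


def audit_moklist(blob: bytes, allowed: set[str]) -> list[str]:
    """Return fingerprints of enrolled entries that are NOT in the allow-list (candidates for a rogue key)."""
    return [fp for fp in (fingerprint(t, d) for t, _owner, d in parse_signature_lists(blob)) if fp not in allowed]


def read_efivar(path: Path = MOKLIST_RT) -> bytes:
    """Strip the 4-byte attribute word that efivarfs prepends to the variable data."""
    return path.read_bytes()[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, data: bytes) -> bytes:
    """Pack one EFI_SIGNATURE_LIST holding a single signature, the way shim stores each MOK certificate."""
    sig_size = 16 + len(data)
    hdr = SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + data


# Constructed sample (not real certificates): one key the operator enrolled, one they did not.
KNOWN_CERT = b"CONSTRUCTED-DER-OF-ENROLLED-KEY"
ROGUE_CERT = b"CONSTRUCTED-DER-OF-UNEXPECTED-KEY"
SAMPLE_MOKLIST = (build_signature_list(EFI_CERT_X509_GUID, SHIM_LOCK_GUID, KNOWN_CERT)
                  + build_signature_list(EFI_CERT_X509_GUID, SHIM_LOCK_GUID, ROGUE_CERT))
ALLOWED = {hashlib.sha256(KNOWN_CERT).hexdigest()}   # placeholder allow-list; use your own enrolled key hashes
ROGUE_FP = hashlib.sha256(ROGUE_CERT).hexdigest()

if __name__ == "__main__":
    blob = read_efivar() if MOKLIST_RT.exists() else SAMPLE_MOKLIST
    for sig_type, owner, data in parse_signature_lists(blob):
        print(sig_type, owner, fingerprint(sig_type, data))
    print("unexpected entries:", audit_moklist(blob, ALLOWED))
```

On a live system the script reads MokListRT (root is needed for efivarfs) and falls back to the constructed sample otherwise; `mokutil --list-enrolled` gives the same view for a quick manual comparison, but the parser above is what you would wire into a periodic integrity check.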

How BootKitty Operates

The logofail.bmp file carries shellcode at its end. A negative height value (0xfffffd00) in its header triggers the out-of-bounds write during parsing. As a result, the legitimate MokList is replaced with a rogue certificate, effectively authorizing a malicious bootloader, bootkit.efi, to load during the system’s startup sequence.
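The header traits described above (a negative height, RLE8 handling, and extra bytes after the pixel array) are exactly what a defender can look for in any BMP sitting on the EFI System Partition before firmware ever parses it. The following is an added example, not code from the article or from the researchers: a header sanity checker that flags those traits and a scanner that runs it over every .bmp under the ESP. The ESP mount point (/boot/efi), the dimension bound, and the two sample files are assumptions; the samples are constructed headers with zero filler, not the malware's files.

```python
import struct
from pathlib import Path

FILE_HDR = struct.Struct("<2sIHHI")       # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes,
                                          # biBitCount, biCompression, biSizeImage, X/YPelsPerMeter, biClrUsed, biClrImportant
BI_RGB, BI_RLE8, BI_RLE4 = 0, 1, 2
MAX_DIM = 16384               # plausible upper bound for a boot logo (assumption; tune to your fleet)
ESP_ROOT = Path("/boot/efi")  # usual Linux ESP mount point (assumption)


def check_bmp(data: bytes) -> list[str]:
    """Return findings describing why this BMP header looks unsafe to hand to a firmware image parser."""
    findings: list[str] = []
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        return ["truncated: shorter than the BMP file and info headers"]
    magic, bf_size, _r1, _r2, off_bits = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        return ["not a BMP (bad magic)"]
    bi_size, width, height, _planes, bpp, compression, size_image, *_rest = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if bi_size < INFO_HDR.size:
        findings.append(f"info header size {bi_size} smaller than BITMAPINFOHEADER")
    if height < 0:
        # biHeight is a signed 32-bit field; a value like 0xfffffd00 is what the article describes.
        findings.append(f"negative height {height & 0xffffffff:#010x} (top-down bitmap; unusual for a firmware logo)")
        if compression in (BI_RLE8, BI_RLE4):
            findings.append("negative height combined with RLE compression (not allowed by the BMP format)")
    if width <= 0 or width > MAX_DIM or abs(height) > MAX_DIM:
        findings.append(f"implausible dimensions {width}x{height}")
    if bpp not in (1, 4, 8, 16, 24, 32):
        findings.append(f"unsupported bit depth {bpp}")
    if off_bits > len(data):
        findings.append(f"pixel data offset {off_bits} lies beyond end of file ({len(data)} bytes)")
    if bf_size != len(data):
        findings.append(f"declared file size {bf_size} != actual size {len(data)}")
    # Size the pixel array from the header so that bytes appended after it stand out.
    if compression == BI_RGB:
        expected = ((bpp * width + 31) // 32) * 4 * abs(height)  # rows are padded to 4 bytes
    else:
        expected = size_image
    if expected > 0 and off_bits + expected < len(data):
        findings.append(f"{len(data) - off_bits - expected} trailing bytes after the declared pixel data")
    return findings


def scan_esp(root: Path = ESP_ROOT) -> dict[str, list[str]]:
    """Check every .bmp under the ESP, the location firmware logo parsers read images from."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".bmp":
            report[str(path)] = check_bmp(path.read_bytes())
    return report


def build_bmp(width, height, bpp, compression, pixels, declared_size=None, extra=b""):
    """Pack a minimal BMP for testing; declared_size/extra let a test fake an inconsistent file."""
    off = FILE_HDR.size + INFO_HDR.size
    bf_size = off + len(pixels) + len(extra) if declared_size is None else declared_size
    info = INFO_HDR.pack(INFO_HDR.size, width, height, 1, bpp, compression, len(pixels), 2835, 2835, 0, 0)
    return FILE_HDR.pack(b"BM", bf_size, 0, 0, off) + info + pixels + extra


# Constructed samples: a well-formed 2x2 24-bit image, and a header shaped like the one the article
# describes (height 0xfffffd00 = -768, RLE8) with 32 bytes of zero filler appended after the pixel data.
BENIGN = build_bmp(2, 2, 24, BI_RGB, b"\x00" * 16)
SUSPECT = build_bmp(256, -768, 8, BI_RLE8, b"\x00" * 64, declared_size=54 + 64, extra=b"\x00" * 32)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, check_bmp(sample))
    if ESP_ROOT.exists():
        for path, findings in scan_esp().items():
            print(path, findings or "ok")
```

A clean result does not prove a file is safe (the checker only covers header-level traits), but any hit on a logo image under the ESP is worth treating as an incident indicator, since a legitimate vendor logo has no reason to carry a negative height with RLE compression or a payload after its pixel data.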

After gaining control of the system, BootKitty performs a memory restoration step to erase signs of tampering. It overwrites the bytes it modified in the vulnerable firmware function (RLE8ToBlt) with the original instructions, removing traces of the exploit from memory.

Impact on Affected Hardware

While BootKitty could impact any device vulnerable to LogoFAIL, its current shellcode is designed to exploit specific firmware modules found on devices from manufacturers such as Acer, HP, Fujitsu, and Lenovo. According to Binarly’s analysis, Lenovo devices based on Insyde firmware are especially susceptible to the malware. These devices include popular models such as the Lenovo IdeaPad Pro 5-16IRH8, Lenovo IdeaPad 1-15IRU7, Lenovo Legion 7-16IAX7, Lenovo Legion Pro 5-16IRX8, and Lenovo Yoga 9-14IRP8.

Researchers suggest that BootKitty may have been tested on a specific Lenovo laptop and could be expanded to target additional devices in future versions of the malware. Despite the awareness surrounding LogoFAIL, many devices remain unpatched, leaving them vulnerable to this and other similar attacks.


The Urgency of Addressing LogoFAIL

Binarly has emphasized that it has been over a year since the initial warning about LogoFAIL, yet many systems remain unprotected. The emergence of BootKitty serves as a stark reminder of the serious consequences that can arise when vulnerabilities are left unaddressed, or when security updates are not properly deployed.

For users with devices that lack available security patches to mitigate the LogoFAIL vulnerability, Binarly recommends several steps to reduce the risk of exploitation. These include:

  • Limiting physical access to the device
  • Enabling Secure Boot
  • Password-protecting UEFI/BIOS settings
  • Disabling boot from external media
  • Ensuring firmware updates are only downloaded from the official manufacturer website

A Student-Driven Project

In an updated report released on December 2, 2024, ESET revealed that BootKitty was developed by students participating in South Korea’s Best of the Best (BoB) cybersecurity training program. The primary goal behind the project, according to the program, was to raise awareness within the cybersecurity community about the risks posed by UEFI vulnerabilities like LogoFAIL. The students aim to highlight the importance of proactive measures to defend against such threats, reinforcing the need for heightened vigilance and timely security updates.

Conclusion

The discovery of BootKitty highlights the ongoing risks posed by the LogoFAIL vulnerability and other firmware-based security flaws. As UEFI malware becomes more sophisticated, Linux users, especially those on vulnerable devices, should prioritize securing their systems by updating firmware and applying recommended security measures. The emergence of BootKitty serves as a critical reminder that attackers are continuously developing new methods to exploit known vulnerabilities, making it crucial for both individuals and organizations to stay ahead of these threats through proactive cybersecurity practices.
