The newly discovered UEFI bootkit malware dubbed Bootkitty uses CVE-2023-4023 (LogoFAIL) to target Linux-based devices.
Reports revealed that the Bootkitty malware that emerged last week is the first UEFI bootkit that targets Linux devices. However, it is currently an in-development UEFI malware that affects only specific Ubuntu versions.
The LogoFAIL flaw, for its part, is a collection of misconfigurations in the image-parsing code of UEFI firmware images used by various hardware manufacturers. Threat actors can exploit it by planting malicious graphics or logos on the EFI System Partition (ESP).
Once the compromised devices process these pictures during boot, the vulnerability can be triggered, allowing an attacker-controlled payload to hijack the execution flow and bypass security protections.
The Bootkitty malware uses shellcode to avoid security detection.
According to investigations, the Bootkitty malware campaign attaches shellcode within BMP files to bypass the Secure Boot safeguards and injects rogue certificates into the MokList variable.
The ‘logofail.bmp’ file contains shellcode at its end, and a negative height value triggers the out-of-bounds write vulnerability during parsing. In addition, the valid MokList is replaced with a bogus certificate, which effectively authorises a malicious bootloader.
After diverting execution to the shellcode, Bootkitty restores the original instructions at the overwritten memory addresses in the vulnerable function. This also removes any obvious trace of tampering.
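The two header anomalies described above, a negative height field and shellcode appended after the pixel data, are both visible in a plain header check. The following is an added example, not code from the article or from the researchers it cites: a small Python inspector that parses the BMP file and info headers and flags the traits a defender would want to review in logo images found on the ESP. Note that a negative height is legal in the BMP format (it denotes a top-down image), so the checker reports findings as suspicious rather than as proof of compromise; the sample images are constructed inline.

```python
import struct
from pathlib import Path

# Layouts of the two fixed headers at the start of every BMP file.
BMP_FILE_HEADER = "<2sIHHI"        # magic, file size, reserved, reserved, pixel data offset (14 bytes)
BMP_INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER: size, width, height, planes, bpp, ... (40 bytes)


def build_bmp(width, height, trailing=b""):
    """Construct a 24-bit BMP with black pixels (sample data, not a real logo).
    'trailing' is appended after the pixel array without updating the declared size,
    mimicking data glued onto the end of an image file."""
    row = ((width * 3 + 3) // 4) * 4            # rows are padded to 4-byte multiples
    pixels = bytes(row * abs(height))
    offset = 14 + 40
    size = offset + len(pixels)
    file_hdr = struct.pack(BMP_FILE_HEADER, b"BM", size, 0, 0, offset)
    info_hdr = struct.pack(BMP_INFO_HEADER, 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + trailing


def inspect_bmp(data):
    """Return a list of human-readable findings; an empty list means nothing unusual."""
    findings = []
    if len(data) < 54:
        return ["truncated: shorter than the BMP file header plus info header"]
    magic, file_size, _, _, offset = struct.unpack_from(BMP_FILE_HEADER, data, 0)
    if magic != b"BM":
        return ["not a BMP: bad magic bytes"]
    (hdr_size, width, height, _planes, bpp, _comp, _img_size,
     _, _, _, _) = struct.unpack_from(BMP_INFO_HEADER, data, 14)
    if hdr_size != 40:
        findings.append(f"unusual info header size {hdr_size} (expected 40)")
    if height < 0:
        findings.append(f"negative height {height}: top-down BMP, a LogoFAIL trigger in some parsers")
    if width <= 0:
        findings.append(f"non-positive width {width}")
    if file_size != len(data):
        findings.append(f"declared file size {file_size} differs from actual size {len(data)}")
    if offset > len(data):
        findings.append(f"pixel data offset {offset} lies beyond end of file")
        return findings
    # Expected size of the pixel array from the header fields; anything beyond it is suspect.
    row = ((max(width, 0) * bpp + 31) // 32) * 4
    end_of_pixels = offset + row * abs(height)
    if len(data) > end_of_pixels:
        findings.append(f"{len(data) - end_of_pixels} trailing bytes after the pixel data")
    return findings


def scan_directory(root):
    """Inspect every *.bmp under 'root' (e.g. a mounted ESP) and map path -> findings."""
    return {str(p): inspect_bmp(p.read_bytes()) for p in Path(root).rglob("*.bmp")}


# Constructed samples: a well-formed 2x2 image and one with a negative height
# plus 32 bytes of filler appended after the pixel data.
BENIGN = build_bmp(2, 2)
SUSPICIOUS = build_bmp(2, -2, trailing=b"\x90" * 32)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_bmp(blob) or ["no findings"])
```

Run it against the mounted ESP with scan_directory("/boot/efi") and review any file that reports trailing bytes or a size mismatch together with a negative height; either trait alone occurs in legitimate images, but the combination is what the boot-time exploit needs.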
The new UEFI bootkit might affect any device that has not yet applied the firmware update addressing LogoFAIL. However, its present shellcode depends on specific code from firmware modules found in Acer, HP, Fujitsu, and Lenovo laptops.
The researchers’ investigation of the bootkit.efi file revealed that Insyde-based Lenovo devices are the most exposed, as the malware references variable names and paths specific to that brand.
Still, this could signal that the developer is only testing the bootkit on their own laptop and will eventually add support for a broader range of devices.
To mitigate the impact of the LogoFAIL flaw on a system for which no security patch is available, users should limit physical access, enable Secure Boot, password-protect UEFI/BIOS settings, disable booting from external media, and obtain firmware updates only from the OEM’s official website.
