Update added below about this bootkit being created by college students in Korea’s Best of the Best (BoB) cybersecurity training program.
The recently discovered ‘Bootkitty’ Linux UEFI bootkit exploits the LogoFAIL flaw, tracked as CVE-2023-40238, to target computers running vulnerable firmware.
This is confirmed by firmware security firm Binarly, which discovered LogoFAIL in November 2023 and warned about its potential for use in real attacks.
Bootkitty and LogoFAIL connection
Bootkitty was discovered by ESET, who published a report last week, noting that it is the first UEFI bootkit specifically targeting Linux. However, at present it is more of an in-development UEFI malware that only works on specific Ubuntu versions, rather than a widespread threat.
LogoFAIL is a set of flaws in the image-parsing code of UEFI firmware images used by various hardware vendors, exploitable through malicious images or logos planted on the EFI System Partition (ESP).
“When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms,” Binarly explained previously.
According to Binarly’s latest report, Bootkitty embeds shellcode inside BMP files (‘logofail.bmp’ and ‘logofail_fake.bmp’) to bypass Secure Boot protections by injecting rogue certificates into the MokList variable.
The ‘logofail.bmp’ file embeds shellcode at its end, and a negative height value (0xfffffd00) triggers the out-of-bounds write vulnerability during parsing.
The legitimate MokList is replaced with a rogue certificate, effectively authorizing a malicious bootloader (‘bootkit.efi’).
After diverting execution to the shellcode, Bootkitty restores the overwritten memory regions in the vulnerable function (RLE8ToBlt) with the original instructions, so any signs of obvious tampering are erased.
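The two header traits described above, a negative BMP height on an RLE-compressed image and payload bytes appended after the pixel data, are both visible in the file header without executing anything. The following added example (not code from Binarly, ESET or the Bootkitty project) inspects a BMP’s BITMAPFILEHEADER and BITMAPINFOHEADER for exactly those anomalies; the two sample images it checks are constructed inline for the test and the trailing bytes are a labelled placeholder, not real shellcode.

```python
import struct

BI_RGB, BI_RLE8, BI_RLE4 = 0, 1, 2
FILE_HDR = "<2sIHHI"       # BITMAPFILEHEADER: magic, bfSize, 2x reserved, bfOffBits (14 bytes)
INFO_HDR = "<IiiHHIIiiII"  # BITMAPINFOHEADER: biSize, width, height (signed), planes, bpp,
                           # compression, sizeImage, x/y ppm, clrUsed, clrImportant (40 bytes)

def inspect_bmp(data: bytes) -> list[str]:
    """Return header anomalies worth triaging; an empty list means nothing was flagged."""
    findings = []
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP or truncated header"]
    _, bf_size, _, _, off_bits = struct.unpack_from(FILE_HDR, data, 0)
    (_, width, height, _, bpp, compression, size_image,
     _, _, _, _) = struct.unpack_from(INFO_HDR, data, 14)
    # A negative height is legal for uncompressed top-down bitmaps, but the BMP spec
    # forbids it for RLE images, so that combination is a strong parser-abuse signal.
    if height < 0 and compression in (BI_RLE8, BI_RLE4):
        findings.append(f"negative height {height & 0xFFFFFFFF:#010x} with RLE compression")
    # biSizeImage may be 0 for BI_RGB; derive the pixel array size from the row stride.
    if compression == BI_RGB and size_image == 0:
        stride = ((width * bpp + 31) // 32) * 4
        size_image = stride * abs(height)
    end = off_bits + size_image
    if len(data) > end:
        findings.append(f"{len(data) - end} bytes after pixel data (possible appended payload)")
    if bf_size != len(data):
        findings.append(f"bfSize {bf_size} does not match actual file size {len(data)}")
    return findings

def make_bmp(width, height, bpp, compression, pixels, trailer=b""):
    """Build a minimal BMP with no palette (constructed test input, not a real firmware logo)."""
    off = 14 + 40
    body = pixels + trailer
    info = struct.pack(INFO_HDR, 40, width, height, 1, bpp, compression,
                       len(pixels) if compression != BI_RGB else 0, 0, 0, 0, 0)
    return struct.pack(FILE_HDR, b"BM", off + len(body), 0, 0, off) + info + body

# Constructed samples: a benign 2x2 24bpp image, and an 8bpp RLE8 image whose height
# field packs to 0xfffffd00 (-768) with placeholder bytes appended after the pixel data.
BENIGN_BMP = make_bmp(2, 2, 24, BI_RGB, bytes(16))
SUSPICIOUS_BMP = make_bmp(16, -768, 8, BI_RLE8, b"\x00\x01", trailer=b"<CONSTRUCTED_TRAILER>")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_BMP), ("suspicious", SUSPICIOUS_BMP)):
        print(name, inspect_bmp(blob) or ["no anomalies"])
```

The same checks can be run over every BMP found on a mounted ESP to spot planted logos before the firmware ever parses them.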
Impact on specific hardware
Binarly says Bootkitty could impact any device that has not been patched against LogoFAIL, but its current shellcode expects specific code used in firmware modules found on Acer, HP, Fujitsu, and Lenovo computers.
The researchers’ analysis of the bootkit.efi file determined that Lenovo devices based on Insyde firmware are the most susceptible, as Bootkitty references specific variable names and paths used by this vendor. However, this could indicate that the developer is only testing the bootkit on their own laptop and will add support for a broader range of devices later.
Some widely used devices whose latest firmware is still vulnerable to LogoFAIL exploits include the IdeaPad Pro 5-16IRH8, Lenovo IdeaPad 1-15IRU7, Lenovo Legion 7-16IAX7, Lenovo Legion Pro 5-16IRX8, and Lenovo Yoga 9-14IRP8.
“It’s been more than a year since we first sounded the alarm about LogoFAIL and yet, many affected parties remain vulnerable to one or more variants of the LogoFAIL vulnerabilities,” warns Binarly.
“Bootkitty serves as a stark reminder of the consequences of when these vulnerabilities are not adequately addressed or when fixes are not properly deployed to devices in the field.”
If you are using a device with no available security updates to mitigate the LogoFAIL risk, limit physical access, enable Secure Boot, password-protect the UEFI/BIOS settings, disable booting from external media, and only download firmware updates from the OEM’s official website.
Update 12/2/24: ESET updated their original Bootkitty article today, stating that the project was created by cybersecurity students in Korea’s Best of the Best (BoB) training program.
“The primary aim of this project is to raise awareness within the security community about potential risks and to encourage proactive measures to prevent similar threats,” the program told ESET.
“Unfortunately, few bootkit samples were disclosed prior to the planned conference presentation.”