Bootkitty UEFI Hack Targets Lenovo Devices

Binarly Confirms UEFI Bootkitty Exploits LogoFAIL Vulnerability

Binarly has confirmed that the newly discovered UEFI bootkit for Linux, known as “Bootkitty,” exploits the LogoFAIL vulnerability to target computers with susceptible firmware. The vulnerability, CVE-2023-40238, identified in November 2023, lies in the firmware's image-parsing code and enables attackers to bypass protections such as Secure Boot.

ESET, which first documented Bootkitty, has clarified that it was created by students from the Best of the Best (BOB) cybersecurity program in Korea. The project aims to draw attention to the risks posed by UEFI vulnerabilities and to encourage efforts to prevent them. However, the developers have acknowledged that some of the bootkit samples were disclosed earlier than planned at a conference.

LogoFAIL is a set of vulnerabilities in the image-parsing code of UEFI firmware. They allow an attacker to plant malicious images or logos in the EFI System Partition (ESP) and thereby hijack the boot process.

The malicious file logofail.bmp carries shellcode appended to the end of the image, and a negative height value in its header makes the parser write outside the image buffer's bounds. This gives the attacker a way to replace the certificate lists so that a malicious bootloader is accepted as authorized.
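As an added example (not code from Binarly, ESET or the Bootkitty authors), a small Python checker for the two traits just described: a negative height in the BMP header and bytes appended past the declared pixel data. `inspect_bmp` and `make_bmp` are hypothetical names, and `make_bmp` only builds a constructed test sample, not a real firmware logo.

```python
import struct
import sys
from pathlib import Path

FILE_HDR = struct.Struct("<2sIHHI")       # 'BM', file size, 2 reserved, pixel-data offset
INFO_HDR = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER: size, width, height, planes, bpp, ...

def inspect_bmp(data: bytes) -> dict:
    """Report the two traits the article describes: negative height, bytes after the pixel data."""
    f = {"valid": False, "negative_height": False, "trailing_bytes": 0, "reasons": []}
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        f["reasons"].append("too short for BMP headers")
        return f
    magic, file_size, _, _, pixel_off = FILE_HDR.unpack_from(data, 0)
    hdr_size, width, height, _, bpp, comp, _, _, _, _, _ = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if magic != b"BM" or hdr_size < INFO_HDR.size:
        f["reasons"].append("not a BITMAPINFOHEADER BMP")
        return f
    if height < 0:                        # legal for top-down BMPs, but not expected in a firmware logo
        f["negative_height"] = True
        f["reasons"].append(f"negative height {height}")
    if file_size != len(data):
        f["reasons"].append(f"declared size {file_size} != actual {len(data)}")
    if comp == 0 and bpp in (1, 4, 8, 16, 24, 32) and width > 0:
        row_bytes = ((width * bpp + 31) // 32) * 4   # rows are padded to a 4-byte boundary
        end = pixel_off + row_bytes * abs(height)
        if end > len(data):
            f["reasons"].append("pixel data truncated")
        else:
            f["trailing_bytes"] = len(data) - end   # anything after the pixel array is suspect
            if f["trailing_bytes"]:
                f["reasons"].append(f"{f['trailing_bytes']} bytes after pixel data")
    f["valid"] = not f["reasons"]
    return f

def make_bmp(width: int, height: int, trailing: bytes = b"") -> bytes:
    """Build a minimal 24-bit BMP (constructed sample for testing, not a real logo)."""
    row_bytes = ((width * 24 + 31) // 32) * 4
    pixels = b"\x00" * (row_bytes * abs(height))
    pixel_off = FILE_HDR.size + INFO_HDR.size
    file_hdr = FILE_HDR.pack(b"BM", pixel_off + len(pixels), 0, 0, pixel_off)
    info = INFO_HDR.pack(INFO_HDR.size, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info + pixels + trailing

if __name__ == "__main__":
    roots = [Path(p) for p in sys.argv[1:]] or [Path(".")]
    for bmp in (p for r in roots for p in r.rglob("*") if p.suffix.lower() == ".bmp"):
        result = inspect_bmp(bmp.read_bytes())
        print(("OK      " if result["valid"] else "SUSPECT ") + str(bmp), "; ".join(result["reasons"]))
```

Run it against the mounted ESP (for example `python check_bmp.py /boot/efi`); because top-down bitmaps legitimately use a negative height, a hit is a flag for review rather than proof of tampering.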

Devices that have not been patched against LogoFAIL are exposed to Bootkitty. Researchers have identified Lenovo devices, particularly those whose firmware uses Insyde modules, as the most vulnerable. ESET, however, suggests that the developers are testing on their own hardware and may extend support to a broader range of devices in the future.

Notable vulnerable models include the Lenovo IdeaPad Pro 5 16IRH8, Lenovo Legion 7 16IAX7, and Lenovo Yoga 9 14IRP8. Although more than a year has passed since LogoFAIL was discovered, several manufacturers have yet to release patches.

Users of devices for which no update is available are advised to restrict physical access, enable Secure Boot, protect UEFI/BIOS settings with a password, disable booting from external media, and download firmware updates only from manufacturers' official websites.
