Students from Korea’s Best of the Best (BoB) cybersecurity training program have developed the BootKitty malware, the first proof-of-concept UEFI bootkit targeting Linux systems. The project demonstrates how the LogoFAIL vulnerability (CVE-2023-40238) could be exploited to bypass Secure Boot protections on Linux machines.
The proof-of-concept works by embedding shellcode in BMP files to exploit an out-of-bounds write vulnerability during boot, allowing the injection of unauthorized certificates to load a malicious bootloader. While currently limited to specific Ubuntu versions and primarily tested on Lenovo devices with Insyde firmware, the research highlights potential risks for unpatched systems from various manufacturers including Acer, HP, and Fujitsu.
Though BootKitty is not an active threat, it demonstrates the importance of applying firmware updates and implementing security measures such as:
– Enabling Secure Boot
– Password-protecting UEFI/BIOS settings
– Controlling physical device access
– Using only official firmware updates
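A defender's check for two of the points above, that Secure Boot is actually enforcing and that the Secure Boot signature database (db) holds no certificate you did not expect, which is where an injected certificate would have to land. This is an added example, not code from the BoB project or the original article; the signature-type GUIDs come from the UEFI specification, while the owner GUID, the sample db and the placeholder "certificate" bytes are constructed.

```python
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec signature-type GUIDs
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def secure_boot_enforcing(secureboot_var: bytes, setupmode_var: bytes) -> bool:
    """efivarfs data = 4-byte attribute word + value; enforcing needs SecureBoot=1, SetupMode=0."""
    return secureboot_var[4:5] == b"\x01" and setupmode_var[4:5] == b"\x00"

def parse_signature_lists(data: bytes) -> list:
    """Return (type GUID, owner GUID, signature bytes) per entry of concatenated EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off + 28 <= len(data):  # 16-byte type GUID + three UINT32 size fields
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA = owner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def audit_db(db_payload: bytes, allowlist: set) -> list:
    """(owner GUID, SHA-256) for each X.509 entry in db that is not on the allowlist."""
    unexpected = []
    for sig_type, owner, body in parse_signature_lists(db_payload):
        if sig_type == EFI_CERT_X509_GUID:
            digest = hashlib.sha256(body).hexdigest()
            if digest not in allowlist:
                unexpected.append((str(owner), digest))
    return unexpected

def build_signature_list(sig_type, owner, bodies) -> bytes:
    """Pack one EFI_SIGNATURE_LIST (only to construct sample data; bodies must be equal size)."""
    sig_size = 16 + len(bodies[0])
    entries = b"".join(owner.bytes_le + b for b in bodies)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(entries), 0, sig_size) + entries

# Constructed sample db: a vendor cert, a rogue cert, one SHA-256 entry (placeholder bytes, not DER).
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
VENDOR_CERT, ROGUE_CERT = b"\x30\x82" + b"A" * 62, b"\x30\x82" + b"B" * 62
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [VENDOR_CERT])
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [ROGUE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [hashlib.sha256(b"x").digest()]))
ALLOWLIST = {hashlib.sha256(VENDOR_CERT).hexdigest()}  # on a real host: your expected db certs
```

On a live Linux host, pass the raw contents of the `SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `SetupMode-8be4df61-...` files under `/sys/firmware/efi/efivars/` to `secure_boot_enforcing`, and the contents of `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` with its first 4 attribute bytes stripped to `audit_db`.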
This academic project serves as a valuable demonstration of UEFI security concepts and underscores the importance of addressing firmware vulnerabilities promptly.