Bootkitty The first UEFI bootkit targeting Linux

The first UEFI bootkit targeting Linux, named “Bootkitty,” exploits a UEFI firmware vulnerability known as “LogoFAIL” (CVE-2023-40238). This bootkit, discovered by Binarly and ESET, uses the flaw in the BmpDecoderDxe UEFI module, which mishandles BMP image parsing. The vulnerability allows attackers to inject malicious shellcode that bypasses Secure Boot protections and gains control over the system’s boot process.

Bootkitty is able to infect Linux systems by embedding shellcode within tampered BMP files that masquerade as boot logos. This shellcode exploits the vulnerability to manipulate the MokList Secure Boot variable, thereby enabling the bootkit to load at an early stage of the system boot sequence. It can hide its presence by restoring the original instructions after executing the exploit, making it harder to detect.

Although currently a proof-of-concept rather than an active widespread threat, Bootkitty signals a growing trend of attackers targeting bootloaders beyond Windows, and points to potential risks for Linux-based systems as well.

Sources:
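The post describes a bootkit that rides on a firmware BMP decoder mishandling the image headers. As an added example (not code from Bootkitty, Binarly, ESET, or any firmware vendor), the following C shows the kind of header validation a logo decoder should perform before it touches pixel data: every size and offset is checked against the real buffer length, dimensions are capped before any multiplication, and row arithmetic is done in 64 bits so a crafted header cannot overflow a size calculation. The `BMP_MAX_DIM` cap, the helper names and the sample image are assumptions made for this example; it accepts only uncompressed `BITMAPINFOHEADER` files and rejects everything else as untrusted.

```c
/* Added example: defensive BMP header validation of the kind a firmware logo
 * decoder should do before reading pixels.  Not Bootkitty, Binarly or ESET code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum bmp_status {
    BMP_OK = 0,
    BMP_ERR_TRUNCATED,   /* buffer shorter than the headers claim */
    BMP_ERR_MAGIC,       /* not a "BM" file */
    BMP_ERR_HEADER,      /* unsupported or inconsistent header fields */
    BMP_ERR_DIMENSIONS,  /* width/height zero, negative or above the cap */
    BMP_ERR_PIXELDATA    /* pixel array would run past the buffer */
};

#define BMP_FILE_HDR 14u
#define BMP_INFO_HDR 40u
#define BMP_MAX_DIM  8192u   /* assumed policy cap for a boot logo (this example) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Validates a BMP held in buf[0..len).  Only the caller-supplied len is
 * trusted; every field from the file is checked against it. */
enum bmp_status validate_bmp(const uint8_t *buf, size_t len)
{
    if (len < BMP_FILE_HDR + BMP_INFO_HDR) return BMP_ERR_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;

    uint32_t file_size = rd32(buf + 2);
    uint32_t off_bits  = rd32(buf + 10);
    uint32_t info_size = rd32(buf + 14);
    int32_t  width     = (int32_t)rd32(buf + 18);
    int32_t  height    = (int32_t)rd32(buf + 22);   /* negative = top-down rows */
    uint16_t planes    = rd16(buf + 26);
    uint16_t bpp       = rd16(buf + 28);
    uint32_t compress  = rd32(buf + 30);
    uint32_t clr_used  = rd32(buf + 46);

    if (file_size > len) return BMP_ERR_TRUNCATED;
    if (info_size != BMP_INFO_HDR || planes != 1 || compress != 0) return BMP_ERR_HEADER;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return BMP_ERR_HEADER;

    /* Cap dimensions before any arithmetic so width*bpp and stride*rows cannot overflow. */
    if (width <= 0 || height == 0 || (uint32_t)width > BMP_MAX_DIM) return BMP_ERR_DIMENSIONS;
    uint32_t rows = height < 0 ? (uint32_t)(-(int64_t)height) : (uint32_t)height;
    if (rows > BMP_MAX_DIM) return BMP_ERR_DIMENSIONS;

    /* A palette, if present, must fit between the headers and the pixel offset. */
    uint64_t palette_bytes = 0;
    if (bpp <= 8) {
        uint32_t entries = clr_used ? clr_used : (1u << bpp);
        if (entries > (1u << bpp)) return BMP_ERR_HEADER;
        palette_bytes = (uint64_t)entries * 4;
    }
    if (off_bits < BMP_FILE_HDR + BMP_INFO_HDR + palette_bytes) return BMP_ERR_HEADER;

    /* Rows are padded to 4 bytes; compute in 64 bits and compare to the real length. */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    if (off_bits > len || stride * rows > len - off_bits) return BMP_ERR_PIXELDATA;
    return BMP_OK;
}

/* Builds a constructed 24-bit sample BMP (zeroed pixels) into out; returns
 * the number of bytes written, or 0 if it does not fit in cap. */
size_t build_sample_bmp(uint8_t *out, size_t cap, uint32_t width, uint32_t height)
{
    uint64_t stride = (((uint64_t)width * 24 + 31) / 32) * 4;
    uint64_t total  = BMP_FILE_HDR + BMP_INFO_HDR + stride * height;
    if (total > cap) return 0;
    memset(out, 0, (size_t)total);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)total);
    wr32(out + 10, BMP_FILE_HDR + BMP_INFO_HDR);
    wr32(out + 14, BMP_INFO_HDR);
    wr32(out + 18, width);
    wr32(out + 22, height);
    wr16(out + 26, 1);
    wr16(out + 28, 24);
    return (size_t)total;
}

int main(void)
{
    uint8_t buf[256];
    size_t n = build_sample_bmp(buf, sizeof buf, 2, 2);
    printf("clean sample: %d\n", validate_bmp(buf, n));      /* 0 = BMP_OK */
    wr32(buf + 22, 4096);   /* header claims far more rows than the file holds */
    printf("oversized height: %d\n", validate_bmp(buf, n));  /* 5 = BMP_ERR_PIXELDATA */
    return 0;
}
```

The point of the structure is that rejection happens in a fixed order (length, magic, header sanity, dimension cap, palette, pixel extent) so that no later check runs on values an earlier check has not bounded; that ordering is what keeps the 64-bit stride computation meaningful.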

We already have a topic on this:

oh
