Binarly researchers analyzed Bootkitty, a prototype UEFI bootkit for Linux, and showed that its deployment chain exploits the LogoFAIL BMP parsing vulnerability in Insyde firmware (CVE-2023-40238) to execute shellcode embedded in a tampered logo image. The shellcode injects a rogue certificate into the MokList UEFI variable so that shim trusts the malicious bootloader (bootkit.efi), bypassing Secure Boot and enabling infection of the Linux kernel. The report ties Bootkitty to the tampered BMP files and the bootkit payload, and identifies the vulnerable Insyde-based firmware as present on many Lenovo (and some other vendor) devices. #Bootkitty #LogoFAIL
Keypoints
- Bootkitty is a prototype UEFI bootkit capable of infecting the Linux kernel; its upload to VirusTotal shows bootkit threats extending beyond Windows to Linux.
- The deployment chain leverages the LogoFAIL image parsing vulnerability (CVE-2023-40238) to run shellcode embedded in a malicious BMP logo file (logofail.bmp) while the firmware decodes the image during boot.
- The shellcode writes a rogue certificate into the MokList UEFI variable; the certificate matches the one in the Authenticode (WinCertificate) signature of bootkit.efi, so shim accepts the malicious bootloader and Secure Boot is bypassed.
- The exploit uses an arbitrary write in Insyde's BmpDecoderDxe module (BRLY-LOGOFAIL-2023-002) to patch a trampoline into the decoder's code that jumps to the BMP-embedded shellcode; once the shellcode has run, the original instructions are restored to hide the activity.
- Binarly identified firmware modules compatible with the exploit in hundreds of Acer, HP, Fujitsu and Lenovo images; string analysis and the NVRAM variables the bootkit uses narrow the likely targets to specific Lenovo models.
- Insyde has issued a patch for the vulnerability, but many devices in the field remain unpatched and are therefore exposed to the full Bootkitty chain.
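The chain above hinges on a BMP whose headers lie to the firmware decoder. The triage script below is an added example (not code from Binarly or from the Bootkitty samples) that checks the BITMAPFILEHEADER and BITMAPINFOHEADER of a logo file for the kinds of inconsistencies a LogoFAIL-style exploit relies on: a palette entry count larger than the pixel depth allows, a pixel-data offset outside the file, and data trailing past the last pixel row where a payload can hide. The sample images, the MAX_DIM bound and the "firmware expects BI_RGB" heuristic are assumptions of this example, and the constructed suspect file is not the real logofail.bmp.

```python
import struct

# Layouts of the two fixed BMP headers (little-endian); together they occupy 54 bytes.
FILE_HDR = "<2sIHHI"        # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR = "<IiiHHIIiiII"   # biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
                            # biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
VALID_BPP = (1, 4, 8, 16, 24, 32)
MAX_DIM = 16384             # assumption: no legitimate boot logo exceeds this in either dimension


def triage_bmp(data: bytes) -> list:
    """Return a list of findings; an empty list means the headers are self-consistent."""
    findings = []
    if len(data) < 54:
        return ["truncated: shorter than BITMAPFILEHEADER + BITMAPINFOHEADER"]
    magic, bf_size, _, _, off_bits = struct.unpack_from(FILE_HDR, data, 0)
    if magic != b"BM":
        return ["bad magic: not a BMP"]
    (bi_size, width, height, planes, bpp, compression,
     _, _, _, clr_used, _) = struct.unpack_from(INFO_HDR, data, 14)
    if bi_size < 40:
        findings.append(f"biSize={bi_size} is smaller than BITMAPINFOHEADER")
    if bf_size != len(data):
        findings.append(f"bfSize={bf_size} does not match file length {len(data)}")
    if planes != 1:
        findings.append(f"biPlanes={planes}, must be 1")
    if bpp not in VALID_BPP:
        findings.append(f"unsupported biBitCount={bpp}")
    if compression != 0:
        findings.append(f"biCompression={compression}: firmware logo decoders expect BI_RGB (0)")
    if width <= 0 or width > MAX_DIM or height == 0 or abs(height) > MAX_DIM:
        findings.append(f"implausible dimensions {width}x{height}")
    # Colour-indexed images carry a palette of up to 2**bpp RGBQUAD entries right after the
    # info header. A decoder that copies biClrUsed entries into a fixed buffer without this
    # bound is the kind of code LogoFAIL targets, so an oversized count is the first thing to check.
    if bpp <= 8:
        entries = clr_used if clr_used else (1 << bpp)
        if entries > (1 << bpp):
            findings.append(f"biClrUsed={clr_used} exceeds the {1 << bpp} entries allowed for {bpp} bpp")
        if 14 + bi_size + 4 * entries > off_bits:
            findings.append("palette extends past bfOffBits into the pixel data")
    # Pixel data must start inside the file, after the headers.
    if off_bits < 14 + bi_size or off_bits > len(data):
        findings.append(f"bfOffBits={off_bits} points outside the headers/file")
        return findings
    if bpp in VALID_BPP and 0 < width <= MAX_DIM and 0 < abs(height) <= MAX_DIM:
        stride = ((width * bpp + 31) // 32) * 4          # each row is padded to 4 bytes
        needed = stride * abs(height)
        avail = len(data) - off_bits
        if needed > avail:
            findings.append(f"pixel data needs {needed} bytes but only {avail} are present")
        elif avail > needed:
            findings.append(f"{avail - needed} trailing bytes after the pixel data: possible embedded payload")
    return findings


def build_bmp(width, height, bpp, *, clr_used=0, off_bits=None, trailing=b""):
    """Construct a BMP in memory. Test data only, not derived from any real sample."""
    palette_entries = (clr_used or (1 << bpp)) if bpp <= 8 else 0
    palette = b"\x00" * (4 * min(palette_entries, 1 << bpp))   # what a well-formed writer emits
    stride = ((width * bpp + 31) // 32) * 4
    pixels = b"\x00" * (stride * abs(height))
    if off_bits is None:
        off_bits = 54 + len(palette)
    info = struct.pack(INFO_HDR, 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, clr_used, 0)
    body = info + palette + pixels + trailing
    return struct.pack(FILE_HDR, b"BM", 14 + len(body), 0, 0, off_bits) + body


# Constructed samples: a well-formed 2x2 24-bit logo; an 8-bit file claiming 1024 palette
# entries with 64 placeholder bytes appended after the pixels; and a file whose bfOffBits
# points far beyond its own end.
BENIGN = build_bmp(2, 2, 24)
SUSPECT = build_bmp(2, 2, 8, clr_used=1024, trailing=b"\xcc" * 64)
ORPHAN = build_bmp(2, 2, 24, off_bits=100_000)

if __name__ == "__main__":
    import sys
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT), ("orphan", ORPHAN)):
        print(name, triage_bmp(blob) or ["clean"])
    for path in sys.argv[1:]:          # e.g. logo files copied off the EFI System Partition
        with open(path, "rb") as f:
            print(path, triage_bmp(f.read()) or ["clean"])
```

Run it against every BMP under the ESP's vendor logo directory and against the firmware's built-in logo extracted from a capsule; a 16 MB logo whose pixel rows account for only a fraction of the file, as the page describes for logofail.bmp, trips the trailing-bytes check immediately.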
MITRE Techniques
- [T1542.003] Pre‑OS Boot: Bootkit – Bootkitty is described as “a prototype UEFI bootkit capable of infecting the Linux kernel” and executes before the OS loads in order to persist and alter boot behavior. [‘Bootkitty is a prototype UEFI bootkit capable of infecting the Linux kernel.’]
- [T1203] Exploitation for Client Execution – The chain exploits the LogoFAIL BMP parsing vulnerability (CVE-2023-40238) to execute shellcode embedded in a tampered BMP that the firmware decodes at boot. [‘Bootkitty exploits LogoFAIL image parsing vulnerabilities … The Bootkitty LOGOfail exploit enables the execution of malicious shellcode through tampered BMP files in UEFI firmware.’]
- [T1553] Subvert Trust Controls – The shellcode writes a rogue certificate into the MokList UEFI variable (the Machine Owner Key list that shim consults alongside the firmware db), so shim treats the malicious bootloader as trusted and Secure Boot is effectively subverted. [‘the shellcode is setting the MokList variable with some rogue content … it matches the certificate extracted from WinCertificate data of bootkit.efi’]
Indicators of Compromise
- [File name] Malicious payloads and samples – logofail.bmp (16 MB BMP carrying the shellcode), logofail_fake.bmp (benign comparison file), bootkit.efi (malicious UEFI bootloader)
- [Kernel modules / binaries] Rootkit components – dropper.ko, rootkit_loader.ko (Linux kernel modules referenced by the researchers)
- [NVRAM variables / paths] Bootkit configuration and persistence – MokList (target of the rogue certificate injection), LBLDVC and LBLDESP (Lenovo logo-related NVRAM variables used by the bootkit), \EFI\lenovo\logo\mylogo_1920x1080.bmp (custom logo path on the EFI System Partition referenced by the bootkit)
- [Firmware module] Vulnerable module identifier – BmpDecoderDxe (Insyde module exploited by LogoFAIL; compatible module signatures found in many firmware images)
- [Sample locations / repositories] Sample availability context – samples were uploaded to VirusTotal; an open directory containing logofail.bmp and the bootkit samples was briefly reachable, and researchers downloaded the samples from it
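Because the persistence mechanism is a rogue entry in MokList rather than a file on disk, the check a responder wants is a diff of the enrolled Machine Owner Keys against a known baseline. The script below is an added example (not Binarly's code or tooling from the report) that parses the EFI_SIGNATURE_LIST chain stored in the variable, fingerprints every X.509 and SHA-256 entry, and flags anything not on the operator's allowlist. It assumes a Linux host where shim has mirrored MokList into the runtime-readable MokListRT variable under efivarfs (MokList itself is a boot-services variable and is not visible at runtime; `mokutil --list-enrolled` reads the same mirror); the baseline and the placeholder certificate blobs are constructed for the example and are not real keys.

```python
import hashlib
import struct
import uuid

# Signature types defined by the UEFI specification for EFI_SIGNATURE_LIST entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# shim's vendor GUID; MokList lives under it and shim mirrors it to the runtime-visible MokListRT.
SHIM_LOCK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")
MOKLIST_RT_PATH = f"/sys/firmware/efi/efivars/MokListRT-{SHIM_LOCK_GUID}"


def parse_signature_lists(blob: bytes) -> list:
    """Walk a chain of EFI_SIGNATURE_LISTs and return (signature_type, owner, data) tuples.
    Layout per list: type GUID(16) | ListSize u32 | HeaderSize u32 | SignatureSize u32 |
    header[HeaderSize] | N x (owner GUID(16) | data[SignatureSize - 16])."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size < 16 or (end - pos) % sig_size:
            raise ValueError(f"inconsistent sizes in EFI_SIGNATURE_LIST at offset {off}")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def audit_moklist(blob: bytes, allowlist: set) -> list:
    """Fingerprint every entry and flag anything not in the allowlist of expected
    certificate SHA-256s and hash values (the allowlist is the operator's own baseline)."""
    report = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            kind, fp = "x509", hashlib.sha256(data).hexdigest()   # fingerprint of the DER cert
        elif sig_type == EFI_CERT_SHA256_GUID:
            kind, fp = "sha256", data.hex()                        # hash of an allowed binary
        else:
            kind, fp = f"unknown:{sig_type}", hashlib.sha256(data).hexdigest()
        report.append((kind, str(owner), fp, "expected" if fp in allowlist else "UNEXPECTED"))
    return report


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (used here only to construct test data)."""
    assert len({len(d) for d in datas}) == 1, "all entries in one list share SignatureSize"
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(datas[0])) + body


def read_efivar(path: str) -> bytes:
    """efivarfs prefixes each variable's data with a 4-byte attribute word; drop it."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed test data: 64-byte placeholders standing in for DER certificates, plus one
# allowed-binary hash. None of these are real keys or real Bootkitty artefacts.
DISTRO_MOK = b"\x30\x82" + b"constructed distro MOK".ljust(62, b"\x00")
ROGUE_MOK = b"\x30\x82" + b"constructed rogue  MOK".ljust(62, b"\x00")
TRUSTED_HASH = hashlib.sha256(b"constructed allowed binary").digest()
BASELINE = {hashlib.sha256(DISTRO_MOK).hexdigest(), TRUSTED_HASH.hex()}
SAMPLE_MOKLIST = (build_signature_list(EFI_CERT_X509_GUID, SHIM_LOCK_GUID, [DISTRO_MOK])
                  + build_signature_list(EFI_CERT_X509_GUID, SHIM_LOCK_GUID, [ROGUE_MOK])
                  + build_signature_list(EFI_CERT_SHA256_GUID, SHIM_LOCK_GUID, [TRUSTED_HASH]))

if __name__ == "__main__":
    import os
    blob = read_efivar(MOKLIST_RT_PATH) if os.path.exists(MOKLIST_RT_PATH) else SAMPLE_MOKLIST
    for kind, owner, fp, verdict in audit_moklist(blob, BASELINE):
        print(f"{verdict:10} {kind:8} owner={owner} {fp}")
```

On a real host, populate BASELINE from a known-clean machine of the same build and compare the UNEXPECTED fingerprints against the certificate carried in the Authenticode signature of any suspicious bootloader on the ESP; a match is the indicator the page describes for bootkit.efi. Re-run the audit after each firmware or shim update, since both legitimately change the enrolled set.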
Read more: https://www.binarly.io/blog/logofail-exploited-to-deploy-bootkitty-the-first-uefi-bootkit-for-linux