A groundbreaking security threat, dubbed Bootkitty, has emerged as the first UEFI bootkit specifically targeting Linux systems. Discovered by students from Korea’s Best of the Best (BoB) cybersecurity program, this malware exploits the LogoFAIL vulnerability (CVE-2023-40238) in UEFI firmware.
The bootkit exploits flaws in the firmware's image-parsing code by supplying malicious BMP files. It circumvents Secure Boot by injecting unauthorized certificates into the MokList, which then allows a malicious bootloader to execute.
Primary targets are Lenovo devices with Insyde firmware, with potential risk extending to Acer, HP, and Fujitsu computers. Affected models include various IdeaPad, Legion, and Yoga series devices, and the bootkit targets specific Ubuntu versions.
To protect against this threat, users should:
• Install all security updates promptly
• Maintain active Secure Boot
• Implement UEFI/BIOS password protection
• Disable booting from external media
• Use only verified OEM firmware updates
• Restrict physical access to devices
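Because the bootkit persists by adding certificates to the MokList, a defender's first check is whether anything unexpected is enrolled there. The following is an added example, not code from the original article: it parses the chain of EFI_SIGNATURE_LIST structures that shim publishes in the MokListRT variable (the variable name, SHIM_LOCK_GUID and the EFI_CERT_X509_GUID come from shim and the UEFI specification) and reports X.509 entries whose SHA-256 fingerprint is not on an allowlist; the allowlist itself is a placeholder you fill with the certificates you expect.

```python
import hashlib
import struct
import uuid

# shim publishes MokListRT to the OS under SHIM_LOCK_GUID; efivarfs prefixes 4 attribute bytes
MOKLISTRT_PATH = ("/sys/firmware/efi/efivars/"
                  "MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
ALLOWLIST: set[str] = set()  # placeholder: SHA-256 of the DER certs you expect enrolled

def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def parse_signature_lists(data: bytes):
    """Yield (SignatureType, SignatureOwner, SignatureData) from a chain of EFI_SIGNATURE_LISTs:
    16-byte type GUID, three u32 sizes, optional header, then fixed-size EFI_SIGNATURE_DATA records."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def audit_moklist(data: bytes, allowlist: set[str]) -> list[str]:
    """Return fingerprints of X.509 entries that are not on the allowlist."""
    return [cert_fingerprint(payload)
            for sig_type, _owner, payload in parse_signature_lists(data)
            if sig_type == EFI_CERT_X509_GUID
            and cert_fingerprint(payload) not in allowlist]

def build_signature_list(certs: list[bytes]) -> bytes:
    """Constructed sample data: one list per cert, since SignatureSize is fixed within a list."""
    out = b""
    for cert in certs:
        sig_size = 16 + len(cert)
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
        out += uuid.UUID(int=0).bytes_le + cert  # owner GUID left zero in this sample
    return out

if __name__ == "__main__":
    with open(MOKLISTRT_PATH, "rb") as f:
        raw = f.read()[4:]  # strip the 4-byte efivarfs attribute prefix
    for fp in audit_moklist(raw, ALLOWLIST):
        print("MokListRT entry not on allowlist:", fp)
```

Run it as root on the suspect machine and compare any reported fingerprint against the MOK certificates your distribution or you enrolled deliberately.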
This sophisticated attack demonstrates the evolving landscape of firmware-level threats, particularly in Linux environments.