Researchers have discovered malicious code circulating in the wild that hijacks the early boot process of Linux devices by exploiting an unpatched firmware vulnerability known as LogoFAIL. The exploit, which is production-ready and reliable, could pose a threat to users in the coming weeks or months.
LogoFAIL was previously considered theoretical, but its potential for exploitation has been realized. Binarly, a firm that identifies and secures vulnerable firmware, discovered the malicious code on an internet-connected web server. Although there are no indications that the public exploit is being actively used, it poses a significant threat due to its polished nature.
The ultimate objective of the exploit is to install Bootkitty, a Linux bootkit reported by ESET researchers. The exploit injects code into the UEFI firmware by exploiting image-parsing bugs in the LogoFAIL constellation. Binarly’s discovery highlights the importance of timely patching and securing vulnerable firmware, as this exploit could be easily adopted by threat actors.
It is essential for users to check if their devices are affected by the LogoFAIL vulnerability and consider updating or patching the firmware to mitigate the risk.
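A defensive triage script, added here as an example and not taken from the article, Binarly or ESET: it reports the firmware's Secure Boot state and inventories image files on the EFI System Partition, since LogoFAIL abuses firmware image parsers with attacker-supplied logo files. The ESP mount points and file-extension list are assumptions; compare the listing against a known-good baseline from your distribution or OEM.

```python
"""Triage helper for LogoFAIL-style boot tampering on a Linux host.
Assumptions (not from the article): efivarfs is mounted under
/sys/firmware/efi/efivars and the ESP is mounted at one of ESP_MOUNTS."""
import hashlib
import os

# EFI global variable GUID; efivars files carry a 4-byte attribute header,
# then the variable payload (one byte for SecureBoot).
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
ESP_MOUNTS = ("/boot/efi", "/efi", "/boot")          # assumed mount points
IMAGE_EXTS = (".bmp", ".png", ".jpg", ".jpeg", ".gif", ".tga", ".pcx")


def parse_secureboot(raw: bytes):
    """Decode an efivars SecureBoot blob; True = enabled, None = malformed."""
    if len(raw) < 5:
        return None
    return raw[4] == 1


def read_secureboot(path: str = SECUREBOOT_VAR):
    try:
        with open(path, "rb") as f:
            return parse_secureboot(f.read())
    except OSError:
        return None  # not booted via UEFI, or efivarfs not mounted


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_images(root: str):
    """Return sorted (relative path, size, sha256) for image-like files under root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(IMAGE_EXTS):
                full = os.path.join(dirpath, name)
                found.append((os.path.relpath(full, root), os.path.getsize(full), sha256_file(full)))
    return sorted(found)


if __name__ == "__main__":
    state = {True: "enabled", False: "DISABLED", None: "unknown"}[read_secureboot()]
    print("Secure Boot:", state)
    for mount in ESP_MOUNTS:
        if os.path.isdir(mount):
            for rel, size, digest in inventory_images(mount):
                print(f"{mount}/{rel}  {size} bytes  sha256={digest}")
```

Any image file on the ESP that your distribution or OEM did not ship, or whose hash differs from the baseline, deserves a closer look, as does a host where Secure Boot reports DISABLED.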
Source: https://arstechnica.com/security/2024/11/code-found-online-exploits-logofail-to-install-bootkitty-linux-backdoor