PT-2023-7577 · Insyde · InsydeH2O

Published: 2023-12-04 · Updated: 2026-03-08 · CVE-2023-40238

CVSS v2.0: 6.1 (Medium)
Vector: AV:L/AC:L/Au:N/C:P/I:C/A:P
Name of the vulnerable software and affected versions: Insyde InsydeH2O versions prior to 5.28.47, 5.37.47, 5.45.47, 5.53.47, and 5.60.47
Description: A LogoFAIL issue exists in the BmpDecoderDxe component of Insyde InsydeH2O. When a crafted BMP logo file is parsed during the DXE phase of UEFI execution, the flaw lets data be copied to a chosen memory address. The root cause is an integer signedness error involving the PixelHeight and PixelWidth variables when handling RLE4/RLE8 compression. The Bootkitty bootkit, the first UEFI bootkit targeting Linux systems, exploits this vulnerability (CVE-2023-40238) to bypass security protections on vulnerable devices, including those from Acer, HP, Fujitsu, and Lenovo. The bootkit's goal is to disable kernel signature verification and preload malicious ELF binaries during Linux initialization; it does so by intercepting UEFI authentication protocols and modifying GRUB functions to circumvent integrity checks. The Bootkitty prototype is currently focused on Acer, HP, Fujitsu, and Lenovo devices, with Lenovo devices running Insyde firmware particularly exposed.
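The signedness error described above, shown with constructed C that is an added illustration of the bug class and not the BmpDecoderDxe source: a signed area check that a header with negative PixelWidth and PixelHeight slips past, beside an unsigned, overflow-safe replacement and the per-run cursor check an RLE4/RLE8 decoder needs before copying pixels. The 32-bit output pixel size and the decision to reject top-down (negative-height) BMPs are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the bug class, not the BmpDecoderDxe source.
 * BMP DIB headers store width and height as signed 32-bit integers. */

enum { BYTES_PER_PIXEL = 4 };   /* decoded output assumed to be 32-bit BGRA */

/* Weak check: signed arithmetic throughout.  Two negative dimensions
 * multiply to a positive area, so the "fits the destination" test passes
 * although the decoder will later use the negative width as a row stride;
 * large values also overflow the signed multiply. */
static bool weak_fits(int32_t PixelWidth, int32_t PixelHeight, size_t dest_bytes)
{
    int32_t pixels = PixelWidth * PixelHeight;
    return pixels >= 0 && (size_t)pixels * BYTES_PER_PIXEL <= dest_bytes;
}

/* Hardened: validate each dimension on its own, convert to unsigned and
 * compute the area in 64 bits, where two 31-bit values times 4 cannot
 * overflow.  Returns the required destination size, or 0 if rejected.
 * Negative height (BMP's top-down marker) is rejected too; a firmware logo
 * decoder has no reason to accept it. */
static uint64_t safe_dest_bytes(int32_t PixelWidth, int32_t PixelHeight)
{
    if (PixelWidth <= 0 || PixelHeight <= 0)
        return 0;
    uint64_t w = (uint32_t)PixelWidth;
    uint64_t h = (uint32_t)PixelHeight;
    return w * h * BYTES_PER_PIXEL;
}

static bool safe_fits(int32_t PixelWidth, int32_t PixelHeight, size_t dest_bytes)
{
    uint64_t need = safe_dest_bytes(PixelWidth, PixelHeight);
    return need != 0 && need <= dest_bytes;
}

/* RLE4/RLE8 streams move a write cursor (x, y) with end-of-line and delta
 * records and then emit pixel runs.  Each run must be checked against the
 * validated unsigned dimensions before anything is copied. */
static bool rle_run_fits(uint32_t w, uint32_t h, uint32_t x, uint32_t y, uint32_t run)
{
    return y < h && x < w && run <= w - x;
}
```

With a 1024-byte destination, weak_fits(-2, -3, 1024) returns true while safe_fits rejects the same header; the run check refuses any run that would cross the end of the current row or start below the last one.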
Recommendations: Update Insyde InsydeH2O to the fixed release of the branch in use, i.e. version 5.28.47, 5.37.47, 5.45.47, 5.53.47 or 5.60.47, or later.

Exploit

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information
Heap Based Buffer Overflow
Out of bounds Read

Related Identifiers

BDU:2023-08633
CVE-2023-40238

Affected Products

InsydeH2O