CVE-2023-40238
Published 2023-12-07
Priority: P2 78 · medium · CVSS 3.1 base score 5.5
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 1.86% (76.6th percentile)
A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.
Affected
187 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fujitsu | celsius_c780_firmware | < 1.28.0 | 1.28.0 |
| fujitsu | celsius_h5511_firmware | < 1.16 | 1.16 |
| fujitsu | celsius_h7510_firmware | < 1.17 | 1.17 |
| fujitsu | celsius_h7613_firmware | < 1.14 | 1.14 |
| fujitsu | celsius_h780_firmware | < 1.23 | 1.23 |
| fujitsu | celsius_j5010_firmware | < 1.64.0 | 1.64.0 |
| fujitsu | celsius_j550_2_firmware | < 1.35.0 | 1.35.0 |
| fujitsu | celsius_j580_firmware | < 1.38.0 | 1.38.0 |
| fujitsu | celsius_m7010_firmware | < 1.12.0 | 1.12.0 |
| fujitsu | celsius_m7010power_firmware | < 1.12.0 | 1.12.0 |
| fujitsu | celsius_m7010x_firmware | < 1.06.0 | 1.06.0 |
| fujitsu | celsius_m7010xpower_firmware | < 1.06.0 | 1.06.0 |
| fujitsu | celsius_r970_firmware | < 1.14.0 | 1.14.0 |
| fujitsu | celsius_r970b_firmware | < 1.14.0 | 1.14.0 |
| fujitsu | celsius_r970bpower_firmware | < 1.14.0 | 1.14.0 |
| fujitsu | celsius_w5010_firmware | < 1.64.0 | 1.64.0 |
| fujitsu | celsius_w5010_l_firmware | < 1.64.0 | 1.64.0 |
| fujitsu | celsius_w5011_firmware | < 1.31.0 | 1.31.0 |
| fujitsu | celsius_w5012-ll_firmware | < 3.08.0 | 3.08.0 |
| fujitsu | celsius_w5012_firmware | < 3.08.0 | 3.08.0 |
| fujitsu | celsius_w570_firmware | < 1.35.0 | 1.35.0 |
| fujitsu | celsius_w570power_+_firmware | < 1.35.0 | 1.35.0 |
| fujitsu | celsius_w570power_firmware | < 1.35.0 | 1.35.0 |
| fujitsu | celsius_w580_firmware | < 1.38.0 | 1.38.0 |
| fujitsu | celsius_w580power_+_firmware | < 1.38.0 | 1.38.0 |
Detection & IOCs (extracted from sources)
IOC (bytes): PixelHeight negative value 0xfffffd00
- Monitor the EFI System Partition (ESP) for unexpected or newly written BMP files, particularly those named 'logofail.bmp' or 'logofail_fake.bmp', which are used to embed shellcode for exploitation during UEFI boot.
- Detect BMP logo files with a negative PixelHeight value (e.g., 0xfffffd00) on the ESP; this is the trigger for the out-of-bounds write in the vulnerable RLE8ToBlt function during DXE phase parsing.
- Monitor the MokList UEFI variable for unauthorized modifications or replacement with a rogue certificate, which is the persistence mechanism used by Bootkitty to authorize a malicious bootloader.
- Look for the presence of 'bootkit.efi' on the EFI System Partition as an indicator of a completed Bootkitty compromise.
- After shellcode execution, Bootkitty restores overwritten memory in RLE8ToBlt to erase tampering evidence; forensic analysis should focus on UEFI memory integrity and MokList state rather than relying solely on runtime function hooks.
- The exploit targets the DXE phase of UEFI execution via image parsing in BmpDecoderDxe; detection tooling should inspect UEFI DXE driver loading and BMP parsing activity during pre-OS boot.
- The exploit is triggered specifically via RLE4/RLE8 compressed BMP files with an integer signedness error in PixelHeight/PixelWidth; only BMP files using these compression types on the ESP are relevant attack vectors.
- Bootkitty's current shellcode is hardcoded for specific firmware modules found on Acer, HP, Fujitsu, and Lenovo devices; Lenovo devices based on Insyde firmware are considered most susceptible due to specific variable names and paths referenced.
- Bootkitty currently only works on specific Ubuntu versions and is considered in-development malware rather than a widespread threat, but the underlying LogoFAIL vulnerability affects a broad range of unpatched devices.
- The vulnerability is exploitable via malicious images or logos planted on the EFI System Partition (ESP), meaning physical or OS-level write access to the ESP is a prerequisite for exploitation.
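The two header-level indicators above (a negative PixelHeight such as 0xfffffd00, and the fact that only RLE4/RLE8-compressed BMP files matter) can be checked without decoding any pixel data. The following is an added example written for this page, not code from the CVE record, Binarly, Insyde or any vendor. It parses the 14-byte BMP file header and the 40-byte BITMAPINFOHEADER as Microsoft documents them, flags dimension/compression combinations that a correct parser should never see, and can walk a mounted ESP. The `MAX_PIXELS` cap, the function names and the sample headers are constructed for the example; the cap in particular is an assumed sanity limit, not a value from any source.

```python
"""Flag BMP logo files whose header would trip the PixelHeight/PixelWidth
signedness bug (constructed example for defenders scanning an ESP mount)."""
import os
import struct

BI_RGB, BI_RLE8, BI_RLE4 = 0, 1, 2
FILE_HEADER = "<2sIHHI"        # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HEADER = "<IiiHHIIiiII"   # biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, ...
MAX_PIXELS = 64 * 1024 * 1024  # assumed sanity cap for a boot logo; tune per environment


def build_bmp_header(width, height, compression, bit_count=8):
    """Constructed test input: a 14-byte file header plus a 40-byte BITMAPINFOHEADER.
    No pixel data is appended; only the header is inspected."""
    info = struct.pack(INFO_HEADER, 40, width, height, 1, bit_count,
                       compression, 0, 2835, 2835, 0, 0)
    return struct.pack(FILE_HEADER, b"BM", 14 + 40, 0, 0, 14 + 40) + info


def inspect_bmp_header(data):
    """Return a list of findings for one BMP byte string. An empty list means
    the header carries none of the red flags checked here."""
    findings = []
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file or truncated header"]
    hdr_size, width, height, _planes, bit_count, compression = struct.unpack_from(
        "<IiiHHI", data, 14)
    if hdr_size < 40:
        findings.append(f"info header size {hdr_size} is too small for a BITMAPINFOHEADER")
        return findings
    # Width is never legitimately negative; a negative value only "makes sense"
    # to a parser that reads the signed field as unsigned, i.e. the signedness bug.
    if width <= 0:
        findings.append(f"non-positive PixelWidth {width} (0x{width & 0xffffffff:08x})")
    if compression in (BI_RLE4, BI_RLE8):
        rle = "RLE4" if compression == BI_RLE4 else "RLE8"
        # The BMP format only allows top-down (negative height) images without
        # compression; RLE with a negative height matches the IOC listed above.
        if height < 0:
            findings.append(
                f"negative PixelHeight {height} (0x{height & 0xffffffff:08x}) with {rle} compression")
        elif height == 0:
            findings.append(f"zero PixelHeight with {rle} compression")
        expected_bpp = 4 if compression == BI_RLE4 else 8
        if bit_count != expected_bpp:
            findings.append(f"{rle} compression with {bit_count} bpp (expected {expected_bpp})")
    if abs(width) * abs(height) > MAX_PIXELS:
        findings.append(f"pixel count {abs(width) * abs(height)} exceeds sanity cap {MAX_PIXELS}")
    return findings


def scan_directory(root):
    """Walk a mounted ESP (or any directory) and report flagged .bmp files as
    {path: findings}. Files with no findings are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".bmp"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(54)  # file header + BITMAPINFOHEADER is enough
            except OSError as exc:
                report[path] = [f"unreadable: {exc}"]
                continue
            findings = inspect_bmp_header(data)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    # Constructed inputs: a benign 8bpp RLE8 logo and one carrying the
    # 0xfffffd00 PixelHeight from the IOC above (-768 as a signed int32).
    benign = build_bmp_header(1024, 768, BI_RLE8)
    suspicious = build_bmp_header(1024, -768, BI_RLE8)
    print("benign:", inspect_bmp_header(benign))
    print("suspicious:", inspect_bmp_header(suspicious))
```

Run `scan_directory("/boot/efi")` (or wherever the ESP is mounted) from a scheduled job and alert on a non-empty report; a negative-height BI_RGB bitmap is deliberately not flagged because top-down uncompressed bitmaps are valid, whereas the same field combined with RLE4/RLE8 is the condition the sources describe.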
CVSS provenance
- NVD (v3.1): 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- VulnCheck: 5.5 MEDIUM
GHSA
GHSA-5rp3-83j5-w2g4 (ghsa_unreviewed · 2023-12-07): CVE-2023-40238 [MEDIUM] CWE-312. Description as above.
VulnCheck
CVE-2023-40238 [MEDIUM] fujitsu esprimo_d556/2_firmware Cleartext Storage of Sensitive Information (vulncheck · 2023 · CVSS 5.5). Description as above.
Affected: fujitsu esprimo_d556/2_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.binarly.io/blog/logofail-exploite
Palo Alto
PAN-SA-2025-0003 Informational: PAN-OS BIOS and Bootloader Security Bulletin (vendor_paloalto · 2025-01-23 · CVSS 8.2 [HIGH])
Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls. It is not possible for malicious actors or PAN-OS administrators to exploit these vulnerabilities under normal conditions on PAN-OS versions with up-to-date, secured management interfaces deployed according to the best practices guidelines. Users and administrators do not have access to the BIOS firmware or permissions to modify it. An attacker would need to first compromise the system and then get the root Linux privileges necessary to perform these actions before they could exploit these vulnerabilities. These vulnerabilities themselves do not allow an at
No detection rules found.
No public exploits indexed.
References
- https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html
- https://security.netapp.com/advisory/ntap-20240105-0002/
- https://www.insyde.com/security-pledge
- https://www.insyde.com/security-pledge/SA-2023053
- https://www.kb.cert.org/vuls/id/811862