CVE-2023-40238
published 2023-12-07


Priority: P278 · Severity: medium · CVSS 3.1 base score: 5.5
CVSS metrics: AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 1.86% (76.6th percentile)
A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.

Affected

187 ranges (showing 25)

Vendor   Product                         Version range   Fixed in
fujitsu  celsius_c780_firmware           < 1.28.0        1.28.0
fujitsu  celsius_h5511_firmware          < 1.16          1.16
fujitsu  celsius_h7510_firmware          < 1.17          1.17
fujitsu  celsius_h7613_firmware          < 1.14          1.14
fujitsu  celsius_h780_firmware           < 1.23          1.23
fujitsu  celsius_j5010_firmware          < 1.64.0        1.64.0
fujitsu  celsius_j550_2_firmware         < 1.35.0        1.35.0
fujitsu  celsius_j580_firmware           < 1.38.0        1.38.0
fujitsu  celsius_m7010_firmware          < 1.12.0        1.12.0
fujitsu  celsius_m7010power_firmware     < 1.12.0        1.12.0
fujitsu  celsius_m7010x_firmware         < 1.06.0        1.06.0
fujitsu  celsius_m7010xpower_firmware    < 1.06.0        1.06.0
fujitsu  celsius_r970_firmware           < 1.14.0        1.14.0
fujitsu  celsius_r970b_firmware          < 1.14.0        1.14.0
fujitsu  celsius_r970bpower_firmware     < 1.14.0        1.14.0
fujitsu  celsius_w5010_firmware          < 1.64.0        1.64.0
fujitsu  celsius_w5010_l_firmware        < 1.64.0        1.64.0
fujitsu  celsius_w5011_firmware          < 1.31.0        1.31.0
fujitsu  celsius_w5012-ll_firmware       < 3.08.0        3.08.0
fujitsu  celsius_w5012_firmware          < 3.08.0        3.08.0
fujitsu  celsius_w570_firmware           < 1.35.0        1.35.0
fujitsu  celsius_w570power_+_firmware    < 1.35.0        1.35.0
fujitsu  celsius_w570power_firmware      < 1.35.0        1.35.0
fujitsu  celsius_w580_firmware           < 1.38.0        1.38.0
fujitsu  celsius_w580power_+_firmware    < 1.38.0        1.38.0

Detection & IOCs (extracted from sources)

filename: logofail.bmp
filename: logofail_fake.bmp
filename: bootkit.efi
bytes: PixelHeight negative value: 0xfffffd00
  • Monitor the EFI System Partition (ESP) for unexpected or newly written BMP files, particularly those named 'logofail.bmp' or 'logofail_fake.bmp', which are used to embed shellcode for exploitation during UEFI boot.
  • Detect BMP logo files with a negative PixelHeight value (e.g., 0xfffffd00) on the ESP; this is the trigger for the out-of-bounds write in the vulnerable RLE8ToBlt function during DXE phase parsing.
  • Monitor the MokList UEFI variable for unauthorized modifications or replacement with a rogue certificate, which is the persistence mechanism used by Bootkitty to authorize a malicious bootloader.
  • Look for the presence of 'bootkit.efi' on the EFI System Partition as an indicator of a completed Bootkitty compromise.
  • After shellcode execution, Bootkitty restores overwritten memory in RLE8ToBlt to erase tampering evidence; forensic analysis should focus on UEFI memory integrity and MokList state rather than relying solely on runtime function hooks.
  • The exploit targets the DXE phase of UEFI execution via image parsing in BmpDecoderDxe; detection tooling should inspect UEFI DXE driver loading and BMP parsing activity during pre-OS boot.
  • The exploit is triggered specifically via RLE4/RLE8 compressed BMP files with an integer signedness error in PixelHeight/PixelWidth; only BMP files using these compression types on the ESP are relevant attack vectors.
  • Bootkitty's current shellcode is hardcoded for specific firmware modules found on Acer, HP, Fujitsu, and Lenovo devices; Lenovo devices based on Insyde firmware are considered most susceptible due to specific variable names and paths referenced.
  • Bootkitty currently only works on specific Ubuntu versions and is considered in-development malware rather than a widespread threat, but the underlying LogoFAIL vulnerability affects a broad range of unpatched devices.
  • The vulnerability is exploitable via malicious images or logos planted on the EFI System Partition (ESP), meaning physical or OS-level write access to the ESP is a prerequisite for exploitation.

CVSS provenance

NVD (CVSS v3.1): 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
VulnCheck: 5.5 MEDIUM