Typically Secure Boot prevents this: UEFI refuses to run any subsequent file unless it carries a digital signature confirming that the device manufacturer trusts it. The exploit bypasses this protection by injecting shellcode hidden in a malicious bitmap image that UEFI displays during the boot process. The injected code installs a cryptographic key that digitally signs the malicious GRUB file together with a backdoored Linux kernel image that runs in the later stages of the boot process on Linux machines.
Silently installing this key causes UEFI to treat the malicious GRUB and kernel image as trusted components, bypassing Secure Boot protections. The end result is a backdoor slipped into the Linux kernel before other security measures are loaded.
In an online interview, HD Moore, CTO and co-founder of runZero and an authority on firmware-based malware, explained the Binarly report:
The Binarly article indicates that somebody used the LogoFAIL bug to configure a UEFI payload that bypasses secure boot (firmware) by tricking the firmware into accepting a self-signed key (which is then stored in the firmware as a MOK variable). The bad code continues to be restricted to the UEFI user side, but the LogoFAIL exploit allows them to add their very own signing key to the firmware allow list (but doesn’t otherwise infect the firmware).
It is definitely a GRUB-based kernel backdoor versus a firmware backdoor, but it exploits a firmware bug (LogoFAIL) to allow installation without user interaction (registration, reboot, and then accepting the latest MOK signing key).
In a traditional secure boot setup, the administrator generates a local key, uses it to sign updated kernel/GRUB packages, instructs the firmware to register the key it has created, and then, after a reboot, the administrator must accept this latest key via the console (or remotely via the bmc/ipmi bios console /ilo/drac/etc).
In this setup, an attacker can replace the known good GRUB+kernel with a backdoor version by registering their own signing key without user interaction via the LogoFAIL exploit, but it is definitely a GRUB-based bootkit and not hard-coded into the BIOS firmware or anything else.
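The detail that matters for defenders in Moore's description is the MOK variable: the enrolled key ends up in the shim-managed Machine Owner Key list, which the firmware exposes at runtime as the MokListRT variable, encoded as a chain of EFI_SIGNATURE_LIST structures. The script below, an added example that is not part of the article or of Binarly's or runZero's tooling, parses that structure and reports any X.509 entry whose SHA-256 fingerprint is not on an allow list of keys the administrator expects (the distro's shim certificate plus any keys enrolled on purpose). The certificate bytes, the allow list and the efivarfs attribute prefix in the sample are constructed placeholders, not real certificates; on a live system the same function would be fed the contents of /sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID: signature type for DER-encoded X.509 certificates in a signature list.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID shim uses for MokList/MokListRT; it appears in the efivarfs file name.
SHIM_LOCK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")

SIG_LIST_HEADER = 28  # SignatureType GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (4 each)


def strip_efivar_attributes(raw):
    """efivarfs prefixes every variable with a 4-byte attributes field; return just the data."""
    return raw[4:]


def read_efivar(path):
    """Read a variable from efivarfs (e.g. MokListRT) and return its payload."""
    with open(path, "rb") as f:
        return strip_efivar_attributes(f.read())


def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures and return (type, owner, data) per entry."""
    entries = []
    off = 0
    while off + SIG_LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + SIG_LIST_HEADER + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def unexpected_mok_entries(variable_bytes, allowed_fingerprints):
    """SHA-256 fingerprints of X.509 MOK entries that are not on the administrator's allow list."""
    unexpected = []
    for sig_type, _owner, data in parse_signature_lists(variable_bytes):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # hash-type entries (EFI_CERT_SHA256 etc.) are out of scope for this check
        fp = hashlib.sha256(data).hexdigest()
        if fp not in allowed_fingerprints:
            unexpected.append(fp)
    return unexpected


def build_x509_list(cert_der, owner=SHIM_LOCK_GUID):
    """Encode one certificate as its own EFI_SIGNATURE_LIST, as shim/mokutil store them."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", SIG_LIST_HEADER + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


# Constructed sample data (not real certificates): the distro's expected key and a key that
# was enrolled without the administrator ever confirming it at the MokManager prompt.
DISTRO_CERT = b"CONSTRUCTED-DER-distro-shim-signing-certificate"
ROGUE_CERT = b"CONSTRUCTED-DER-key-enrolled-without-user-confirmation"
ALLOWED_FINGERPRINTS = {hashlib.sha256(DISTRO_CERT).hexdigest()}
# Constructed efivarfs image: 4-byte attributes (BS|RT = 0x06) followed by two signature lists.
SAMPLE_EFIVAR_FILE = b"\x06\x00\x00\x00" + build_x509_list(DISTRO_CERT) + build_x509_list(ROGUE_CERT)
SAMPLE_MOKLISTRT = strip_efivar_attributes(SAMPLE_EFIVAR_FILE)

if __name__ == "__main__":
    for fp in unexpected_mok_entries(SAMPLE_MOKLISTRT, ALLOWED_FINGERPRINTS):
        print("MOK entry not on allow list, sha256:", fp)
```

The allow list should be built from a known-good machine (the distro's shim certificate and the keys your own signing process enrolled), and the comparison is only as trustworthy as the kernel reporting efivars: once a backdoored kernel is running it could misrepresent the variable, so the check is strongest when run from a trusted boot medium or alongside `mokutil --list-enrolled` output captured at provisioning time.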
Machines vulnerable to the exploit include certain models sold by Acer, HP, Fujitsu, and Lenovo when shipped with Insyde's UEFI and Linux. Evidence found in the exploit code indicates that the exploit may be tailored to specific hardware configurations of such machines. Earlier this year, Insyde released a patch to prevent the exploit from working. Unpatched devices remain vulnerable to attacks. Devices from these manufacturers using non-Insyde UEFI are not affected.