Teacher
Professional
Millions of devices are vulnerable, but there is still no working fix.
Linux developers are actively working to fix a critical vulnerability that, under certain conditions, allows attackers to install malware at the motherboard firmware level. Such infections, also known as "bootkits", gain access to the deepest levels of the device, where they are difficult to detect or remove.
The flaw, identified as CVE-2023-40547 (CVSS score 9.8 out of 10), is a buffer overflow vulnerability that allows attackers to execute arbitrary code. It is located in the part of Shim that handles boot images downloaded from a server over HTTP. It can be exploited in several scenarios, including when the device itself or the server it downloads from has been compromised.
Shim itself is a small component that runs in the device's firmware in the early stages of the boot process, before the operating system itself starts. Shim ships with almost all Linux distributions and plays a crucial role in the Secure Boot protection built into most modern computing devices, ensuring that every component in the boot chain comes from a trusted vendor.
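The defect class described above is a length field that arrives from the network and is trusted when sizing or filling a buffer. The following is an added illustration and is not Shim's code: a small HTTP body reader in C that validates the declared Content-Length against the fixed receive buffer and against the bytes actually received before copying. `BODY_MAX`, the function names and the sample responses are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed receive buffer size (assumption for the example). */
#define BODY_MAX 64

enum body_status {
    BODY_OK = 0,
    BODY_BAD_HEADER = 1,  /* Content-Length missing or not a clean decimal */
    BODY_TOO_LARGE = 2,   /* declared length exceeds the destination buffer */
    BODY_SHORT = 3        /* fewer bytes arrived than the header declared */
};

/* Parse "Content-Length: N" from a CRLF-separated header block.
 * Rejects a missing header, non-digits, trailing junk and values that
 * would wrap size_t. Returns 0 on success, -1 otherwise. */
int parse_content_length(const char *headers, size_t *out)
{
    const char *p = strstr(headers, "Content-Length:");
    if (p == NULL)
        return -1;
    p += strlen("Content-Length:");
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p < '0' || *p > '9')
        return -1;                    /* "", "-5", "abc" */
    size_t value = 0;
    while (*p >= '0' && *p <= '9') {
        unsigned d = (unsigned)(*p - '0');
        if (value > (SIZE_MAX - d) / 10)
            return -1;                /* would wrap around */
        value = value * 10 + d;
        p++;
    }
    if (*p != '\r' && *p != '\n' && *p != '\0')
        return -1;                    /* trailing junk such as "12abc" */
    *out = value;
    return 0;
}

/* Copy an HTTP body into a fixed-size buffer without trusting either the
 * Content-Length header or the count of bytes that actually arrived. */
enum body_status copy_http_body(const char *headers,
                                const uint8_t *body, size_t received,
                                uint8_t *dst, size_t dst_size, size_t *copied)
{
    size_t declared;
    *copied = 0;
    if (parse_content_length(headers, &declared) != 0)
        return BODY_BAD_HEADER;
    if (declared > dst_size)
        return BODY_TOO_LARGE;        /* the bound a length-trusting copy omits */
    if (received < declared)
        return BODY_SHORT;
    memcpy(dst, body, declared);      /* declared <= dst_size and <= received */
    *copied = declared;
    return BODY_OK;
}

/* Run one constructed response through the reader and report its status. */
enum body_status demo_case(const char *headers, const char *body)
{
    uint8_t buf[BODY_MAX];
    size_t n;
    return copy_http_body(headers, (const uint8_t *)body, strlen(body),
                          buf, sizeof buf, &n);
}

int main(void)
{
    /* Constructed responses, not captured traffic. */
    const char *good = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n";
    const char *huge = "HTTP/1.1 200 OK\r\nContent-Length: 4096\r\n\r\n";
    const char *junk = "HTTP/1.1 200 OK\r\nContent-Length: 12abc\r\n\r\n";
    printf("benign:   %d\n", demo_case(good, "hello"));
    printf("oversize: %d\n", demo_case(huge, "hello"));
    printf("short:    %d\n", demo_case(good, "hi"));
    printf("junk:     %d\n", demo_case(junk, "hello"));
    return 0;
}
```

The two comparisons in `copy_http_body` are the whole point: the destination size bounds the declared length, and the declared length is bounded by what was actually received, so neither a forged header nor a truncated stream can drive the copy past the buffer.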
Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by launching malicious firmware at the earliest stages of the boot process, before UEFI transfers control to the operating system.
Matthew Garrett, one of the authors of Shim, notes that for a successful attack, a hacker must force the system to boot over HTTP and either control the corresponding server or intercept its traffic.
While this may seem like a very difficult attack scenario to carry out at first glance, overcoming these barriers is not impossible, especially if the attacker already has network access and seeks to control users' devices. Using HTTPS instead of HTTP can prevent such attacks, since it requires the server to authenticate itself.
Patching the vulnerability also carries some risks, as it requires more than just eliminating the buffer overflow from the Shim code. Vulnerable versions will need to be revoked remotely to prevent possible compromise, but if this is done before the Shim update is installed, users' devices may be temporarily unable to boot.
In addition, the 32 kilobit size limit of the DBX revocation database will most likely not leave room to list all the revoked versions, which sometimes number more than 200 entries, meaning the vulnerability still cannot be completely eliminated.
In any case, the patch has already been released and made available to Linux distributors, who are currently making updates available to end users.
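To make the capacity problem concrete, here is an added C example (not Shim's or any distribution's code) that walks a DBX blob in the UEFI `EFI_SIGNATURE_LIST` layout, counts the revocation entries it holds, and reports how many more SHA-256 hash entries would fit under a given byte budget. The blob is constructed in the code with dummy hashes; `DBX_BUDGET_BYTES` is an illustrative value, not the real variable limit, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* EFI_SIGNATURE_LIST on-disk layout (little-endian, packed):
 *   16 bytes SignatureType GUID
 *    4 bytes SignatureListSize   (whole list, header included)
 *    4 bytes SignatureHeaderSize
 *    4 bytes SignatureSize       (each entry: 16-byte owner GUID + data)
 */
#define SIGLIST_HDR 28u
#define SHA256_SIG_SIZE 48u       /* 16-byte SignatureOwner GUID + 32-byte hash */
#define DBX_BUDGET_BYTES 4096u    /* illustrative budget (assumption), not the real limit */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Count entries across all signature lists in a DBX blob.
 * Returns -1 if any list header is inconsistent with the bytes available. */
long count_dbx_entries(const uint8_t *blob, size_t len)
{
    long entries = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < SIGLIST_HDR) return -1;
        uint32_t list_size = rd32(blob + off + 16);
        uint32_t hdr_size  = rd32(blob + off + 20);
        uint32_t sig_size  = rd32(blob + off + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (sig_size == 0) return -1;
        if ((uint64_t)SIGLIST_HDR + hdr_size > list_size) return -1;
        uint32_t payload = list_size - SIGLIST_HDR - hdr_size;
        if (payload % sig_size != 0) return -1;  /* partial entry at the end */
        entries += payload / sig_size;
        off += list_size;
    }
    return entries;
}

/* How many more SHA-256 entries fit if appended as one new list. */
size_t dbx_spare_sha256_entries(size_t current_bytes, size_t budget_bytes)
{
    if (budget_bytes <= current_bytes + SIGLIST_HDR) return 0;
    return (budget_bytes - current_bytes - SIGLIST_HDR) / SHA256_SIG_SIZE;
}

/* Build a constructed SHA-256 list with n dummy entries; returns bytes written. */
size_t build_sha256_list(uint8_t *out, size_t out_size, uint32_t n)
{
    /* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328, mixed-endian encoding */
    static const uint8_t sha256_guid[16] = {
        0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40,
        0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28 };
    size_t total = SIGLIST_HDR + (size_t)n * SHA256_SIG_SIZE;
    if (total > out_size || total > UINT32_MAX) return 0;
    memset(out, 0, total);
    memcpy(out, sha256_guid, 16);
    wr32(out + 16, (uint32_t)total);
    wr32(out + 20, 0);
    wr32(out + 24, SHA256_SIG_SIZE);
    for (uint32_t i = 0; i < n; i++)        /* dummy hash byte so entries differ */
        out[SIGLIST_HDR + i * SHA256_SIG_SIZE + 16] = (uint8_t)i;
    return total;
}

/* Concatenate two constructed lists (200 + 3 entries) and count them;
 * with truncate != 0 the last byte is dropped to show the malformed path. */
long demo_count_entries(int truncate)
{
    static uint8_t blob[16384];
    size_t a = build_sha256_list(blob, sizeof blob, 200);
    size_t b = build_sha256_list(blob + a, sizeof blob - a, 3);
    size_t len = a + b;
    if (truncate && len > 0) len -= 1;
    return count_dbx_entries(blob, len);
}

int main(void)
{
    static uint8_t blob[16384];
    size_t used = build_sha256_list(blob, sizeof blob, 200);
    printf("entries: %ld in %zu bytes, spare under budget: %zu\n",
           count_dbx_entries(blob, used), used,
           dbx_spare_sha256_entries(used, DBX_BUDGET_BYTES));
    return 0;
}
```

Each revoked hash costs 48 bytes plus a 28-byte header per list, which is why a revocation list with hundreds of entries collides with a fixed-size variable; on a live system the same counter can be pointed at the raw DBX variable contents instead of the constructed blob.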
As noted earlier, the risk of successful exploitation is mostly limited to extreme scenarios. However, the potential harm is very serious, so users should install patches as soon as they become available.
