A major vulnerability has been discovered that affects almost all Linux variants and could allow threat actors to execute malware at the firmware level.
The vulnerability is tracked as CVE-2023-40547 and is described as a buffer overflow weakness. It resides in shim, a component that runs in the firmware before the operating system starts.
These are the findings of security researcher Matthew Garrett, who is also one of the original authors of shim. Ars Technica reports.
Patch waterfall
According to the research, shim is present in essentially all Linux distributions and is a fundamental element of Secure Boot, a protection mechanism found on most computers today. Secure Boot ensures that every stage of the boot process comes from a trusted supplier. By abusing the buffer overflow weakness, an attacker could bypass this mechanism and execute malicious code before UEFI loads the operating system.
The silver lining here is that the threat actors would first need to gain access to the target device some other way (via physical access or other malware).
“An attacker would have to be able to force a system to boot from HTTP if it is not already doing so, and be able to execute the HTTP server in question or MITM traffic to it,” Garrett said. “An attacker (physically present or who has already compromised the system root) could use this to subvert secure boot (adding a new boot entry to a server they control, compromising the shim, executing arbitrary code).”
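Because the precondition described above is that the machine boots from HTTP (either because it already does, or because an attacker with root or physical access adds a boot entry pointing at a server they control), one defensive check is to audit the firmware's boot entries for HTTP targets. The following shell script is an added example, not code from the article or from the shim project: it parses output in the format printed by `efibootmgr -v`, lists every Boot#### entry whose device path contains an HTTP URI, and warns when such an entry is first in BootOrder. The sample output, hostnames, MAC address and GUID are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): flag UEFI boot entries that point at an
# HTTP URI, using the output format of `efibootmgr -v`. On a real host, replace
# the constructed sample with: efibootmgr -v | audit_boot_entries

# Constructed sample of `efibootmgr -v` output (hypothetical host, MAC and GUID).
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0002,0001,0003
Boot0001* ubuntu  HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* UEFI HTTP Boot  PciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,1)/IPv4(0.0.0.0,0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)/Uri(http://netboot.example.invalid/shimx64.efi)
Boot0003* UEFI PXE IPv4  PciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,1)/IPv4(0.0.0.0,0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)'

# Print the four-digit id of every Boot#### entry whose device path contains an
# HTTP URI. Reads efibootmgr -v output on stdin; prints nothing if none match.
http_boot_entries() {
    awk '/^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ && /Uri\(http/ {
             print substr($1, 5, 4)
         }'
}

# Print the first id listed in BootOrder, i.e. the entry the firmware tries first.
first_boot_entry() {
    awk -F'[: ,]+' '/^BootOrder:/ { print $2; exit }'
}

# Exit 0 when the firmware's first boot choice is an HTTP boot entry.
first_choice_is_http() {
    input=$(cat)
    first=$(printf '%s\n' "$input" | first_boot_entry)
    printf '%s\n' "$input" | http_boot_entries | grep -qx "$first"
}

# One report line per HTTP boot entry; WARNING when it is first in BootOrder,
# since that is the configuration the attack scenario above relies on.
audit_boot_entries() {
    input=$(cat)
    first=$(printf '%s\n' "$input" | first_boot_entry)
    printf '%s\n' "$input" | http_boot_entries | while read -r id; do
        if [ "$id" = "$first" ]; then
            echo "WARNING: Boot$id is an HTTP boot entry and is first in BootOrder"
        else
            echo "NOTE: Boot$id is an HTTP boot entry"
        fi
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_EFIBOOTMGR" | audit_boot_entries
```

The report only says what the firmware is configured to do; whether an HTTP entry is expected depends on the site (a netboot fleet will have one on purpose). The useful signal is an HTTP entry that nobody provisioned, or one that has moved to the front of BootOrder.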
Another positive is that any bootkit malware abusing this flaw would not survive a complete wipe of the hard drive.
Given the decentralized nature of Linux distributions, patching is not so simple. So far, the developers responsible for the fix have released the patch to the downstream developers, who have added it to their respective versions. Those builds have now reached the Linux distributors, who need to carry them the rest of the way to end users.