A major vulnerability has been discovered in almost all Linux variants that could allow threat actors to run malware at the firmware level.
The vulnerability is tracked as CVE-2023-40547 and is described as a buffer overflow weakness. It resides in shim, a component that runs at the firmware stage, before the operating system boots.
These are the findings of security researcher Matthew Garrett, who is also one of the original shim authors, Ars Technica reports.
Patch waterfall
As per the research, shim is found in basically all Linux distros and is a pivotal element of secure boot, a protection mechanism on most computers these days. Secure boot makes sure that every step of the boot process comes from a trusted supplier. By abusing the buffer overflow weakness, an attacker would be able to bypass this mechanism and run malicious code before UEFI loads the operating system.
The silver lining here is that the threat actors would first need to obtain access to the target device in some other manner (via physical access or other malware).
“An attacker would need to be able to coerce a system into booting from HTTP if it’s not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it,” Garrett said. “An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code).”
Another silver lining is that any bootkit malware abusing this flaw wouldn’t survive a full hard drive wipe.
Given the decentralized nature of Linux distributions, patching is not that simple. Right now, the developers working on Linux shims have released the patch to shim developers, who have now added it into their respective versions. These have now made it to Linux distributors, who need to push them further, onto end users.