Bootkits can be used to exploit a critical vulnerability that affects most Linux distributions


Advertisement: Click here to learn how to Generate Art From Text

Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they’re hard to detect or remove.

The vulnerability lies in shim. This is a component in Linux that runs early in the booting process, before the OS has been started. The shim, which is included with almost all Linux distributions, plays a key role in secure boot. This protection ensures that every link in the booting process comes only from trusted suppliers. The vulnerability allows attackers the ability to neutralize the mechanism by executing malicious software at the very beginning of the boot process. Unified Extensible Firmware InterfaceThe firmware has been loaded and the operating system is now in control.

The vulnerability, tracked as CVE-2023-40547, is what’s known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It’s located in the part of the shim which handles booting up on a network based on HTTP. Attackers are able to exploit the code execution vulnerability in different scenarios. Virtually all occur after a successful compromise of the targeted device, the server, or network from which the device boots.

“An attacker would need to be able to coerce a system into booting from HTTP if it’s not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it,” Matthew Garrett, a security developer and one of the original shim authors, wrote in an online interview. “An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code).”

These scenarios include

  • Acquiring the ability to compromise a server or perform an adversary-in-the-middle impersonation of it to target a device that’s already configured to boot using HTTP
  • Already having physical access or gaining administrative controls by exploiting another vulnerability.

While these hurdles are steep, they’re by no means impossible, particularly the ability to compromise or impersonate a server that communicates with devices over HTTP, which is unencrypted and requires no authentication. These scenarios can be useful for an attacker who has already gained access into a network to take over connected devices. These scenarios are, however, largely resolved if servers use HTTPS – the variant of HTTP which requires a server’s authentication. In that case, the attacker would first have to forge the digital certificate the server uses to prove it’s authorized to provide boot firmware to devices.

Physical access to a computer is also difficult, and is widely considered to be a sign that it is already compromised. It is difficult to gain administrative control of a device by exploiting a separate vulnerability within the operating system. This allows attackers achieve a wide range of malicious goals.

Leave a Reply

Your email address will not be published. Required fields are marked *