Critical Vulnerability in Linux Allows for Firmware-Level Malware Installation
A recent discovery by Linux developers has unveiled a high-severity vulnerability that poses a significant threat to the security of devices running on the Linux operating system. This vulnerability allows for the installation of malware at the firmware level, granting attackers access to the deepest parts of a device where they can operate undetected and are difficult to remove.
The vulnerability resides in a component called shim, which plays a crucial role in the secure boot process of Linux devices. Secure boot is a protection mechanism built into modern computing devices to ensure that every step of the boot process comes from a verified and trusted source. The shim, which is present in almost all Linux distributions, runs in the firmware early in the boot process before the operating system starts.
CVE-2023-40547, as the vulnerability is tracked, is a buffer overflow bug that allows attackers to execute code of their choice. It specifically affects the part of the shim that processes booting up from a central server on a network using HTTP. Attackers can exploit this vulnerability in various scenarios, most of which involve compromising either the targeted device or the server/network it boots from.
Matthew Garrett, a security developer and one of the original authors of shim, explained that an attacker would need to coerce a system into booting from HTTP and either run the HTTP server or perform a man-in-the-middle attack to intercept traffic. While these scenarios may seem challenging, they are not impossible, especially if servers communicate over unencrypted HTTP without authentication.
The ability to compromise a server or impersonate it to target devices configured to boot using HTTP can be useful for attackers who have gained some level of access inside a network and want to take control of connected end-user devices. However, these scenarios can be largely mitigated if servers use HTTPS, which requires server authentication.
Physical access to a device or gaining administrative control through exploiting another vulnerability are also possible avenues for attackers. However, these methods are difficult and often considered signs that a device is already compromised.
The significance of this vulnerability lies in the fact that it allows attackers to execute code during the boot process, before the main operating system starts. This grants them the ability to bypass many endpoint protection measures designed to detect compromises. It also enables the installation of a bootkit, a type of malware that runs prior to the operating system. Unlike typical bootkits, the one created by exploiting CVE-2023-40547 will not survive if the hard drive is wiped or reformatted.
Fixing the vulnerability requires more than just removing the buffer overflow from the shim code. It also involves updating the secure boot mechanism to revoke vulnerable bootloader versions. However, this process carries some level of risk, as users may encounter situations where a revocation list update renders their currently installed bootloader invalid. In such cases, Secure Boot would halt the boot process, requiring users to temporarily disable it to remedy the issue.
Another challenge in the patching process is the limited space available for storing revocations in a portion of the UEFI known as the DBX. With some lists containing over 200 entries and the space capped at 32 kilobits in many shims, there is a risk of running out of space.
Additionally, newly patched shims need to be signed using a Microsoft third-party certificate authority as part of the patch process.
The developers of Linux shims have released the patch to individual shim developers, who have incorporated it into their respective versions. These versions are now being made available to Linux distributors, who will then distribute them to end users.
While the risk of successful exploitation is mostly limited to extreme scenarios, it is crucial for users to install patches promptly once they become available. The severity rating of 9.8 out of 10 highlights the potential harm that can result from this vulnerability. By taking proactive measures and staying vigilant, users can protect their devices from potential attacks and ensure the security of their systems.
