High-Severity Vulnerability in Linux Allows for Firmware-Level Malware Installation

Introduction

Developers of Linux, one of the most widely used operating systems, are in the process of patching a high-severity vulnerability. The flaw can enable the installation of malware at the firmware level, granting attackers deep access to a device where their activities become extremely difficult to detect and remove.


The Vulnerable Component

The vulnerability in question resides in “shim,” a critical component that runs in the firmware during the early stages of the boot process, before the operating system is fully operational. Shim plays an essential role in secure boot, a protection mechanism found in most modern computing devices that ensures the trustworthiness of every component involved in the boot process. Exploiting this vulnerability, however, allows attackers to execute malicious firmware-level code at the earliest stages of boot, before the Unified Extensible Firmware Interface (UEFI) firmware has handed control over to the operating system.

The Code-Execution Vulnerability

The identified vulnerability, tracked as CVE-2023-40547, is a buffer overflow bug that gives attackers the ability to execute code of their choosing. It stems from the part of shim that handles booting from a central server on a network via HTTP. Attackers can exploit this code-execution vulnerability in various scenarios, most commonly after first compromising the targeted device, or the server or network from which the device boots.

“An attacker would need to be able to coerce a system into booting from HTTP if it’s not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it,” explains Matthew Garrett, a security developer and one of the original shim authors. “An attacker could use this to subvert secure boot, add a new boot entry to a server they control, compromise shim, and execute arbitrary code.”

In simpler terms, the scenarios in which the vulnerability could be exploited include:

  • Acquiring the ability to compromise a server or perform a man-in-the-middle impersonation to target a device already configured to boot using HTTP.
  • Gaining physical access to a device or exploiting a separate vulnerability to attain administrative control.

While these scenarios may appear challenging, they are not out of reach, particularly when it comes to compromising or impersonating an HTTP server. HTTP is an unencrypted protocol with no authentication, which makes it an attractive target for attackers who have already acquired some level of access within a network and are seeking control over connected end-user devices. Thankfully, this scenario can be mitigated by using HTTPS instead, which requires server authentication: an attacker would then have to forge the server’s digital certificate before being able to serve boot files to devices.
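A defender-side check for the exposure described above, as an added example that is not from the article: it parses `efibootmgr -v` style output (the sample below is constructed and the exact device-path layout is an assumption) and flags active boot entries in the boot order whose URI uses plain HTTP rather than HTTPS.

```python
import re
from urllib.parse import urlsplit

# Constructed sample resembling `efibootmgr -v` output (assumed format, not real output).
SAMPLE_EFIBOOTMGR = """\
BootCurrent: 0001
BootOrder: 0003,0001,0002
Boot0001* ubuntu\tHD(1,GPT,1234abcd-0000-0000-0000-000000000000)/File(\\EFI\\ubuntu\\shimx64.efi)
Boot0002* UEFI HTTPv4\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,1)/IPv4(0.0.0.0,0,DHCP)/Uri(http://boot.lab.example/shimx64.efi)
Boot0003* UEFI HTTPS\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,1)/IPv4(0.0.0.0,0,DHCP)/Uri(https://boot.lab.example/shimx64.efi)
Boot0004  old-http\tPciRoot(0x0)/Pci(0x1c,0x0)/Uri(http://legacy.lab.example/boot.efi)
"""

# BootNNNN, optional '*' for active, label, then a tab and the device path.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*?)\t(.*)$")
URI_RE = re.compile(r"Uri\(([^)]*)\)")
ORDER_RE = re.compile(r"^BootOrder:\s*(.*)$")


def parse_boot_entries(text):
    """Return (boot_order, entries); each entry is a dict with num/active/label/uri."""
    order, entries = [], []
    for line in text.splitlines():
        om = ORDER_RE.match(line)
        if om:
            order = [n.strip() for n in om.group(1).split(",") if n.strip()]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        num, star, label, path = m.groups()
        u = URI_RE.search(path)
        entries.append({"num": num, "active": star == "*", "label": label,
                        "uri": u.group(1) if u else None})
    return order, entries


def classify(entry):
    """'local' for disk entries, otherwise the URI scheme (http, https, ...)."""
    if not entry["uri"]:
        return "local"
    return urlsplit(entry["uri"]).scheme.lower() or "unknown"


def audit_http_boot(text):
    """Boot numbers that are active, in BootOrder, and fetch the loader over plain HTTP."""
    order, entries = parse_boot_entries(text)
    return [e["num"] for e in entries
            if e["active"] and e["num"] in order and classify(e) == "http"]
```

Inactive entries or entries outside the boot order (like the constructed Boot0004) are not flagged, since the firmware will not select them, but they are still worth cleaning up.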

Although gaining physical access to a device is difficult, and a device in an attacker’s hands is often treated as already compromised, the risk is still worth acknowledging. Likewise, obtaining administrative control by exploiting a separate vulnerability in the operating system is a demanding task, but an attacker who achieves it has many avenues for malicious activity.
