A critical vulnerability affecting most Linux distributions allows boot combinations to exist

A critical vulnerability affecting most Linux distributions allows boot combinations to exist

A critical vulnerability affecting most Linux distributions allows boot combinations to exist

Linux developers are working to patch a high-risk vulnerability that, in some cases, allows the installation of malware that operates at the firmware level, allowing the infection to reach the deepest parts of the device where it is difficult to detect or remove.

The vulnerability lies in a shim, which in the Linux context is a small component that runs in the firmware early in the boot process before the operating system starts. More specifically, the chips that come with almost all Linux distributions play a crucial role in secure boot, a protection built into most modern computers to ensure that every link in the boot process comes from a trusted and reliable resource. Successful exploitation of the vulnerability allows attackers to circumvent this mechanism by executing malicious firmware in the early stages of the boot process before loading the Extensible Firmware Interface firmware and handing over control to the operating system.

The vulnerability, tracked as CVE-2023-40547, is known as a buffer overflow, a programming bug that allows attackers to execute code of their choice. It’s in the part of the chips that handles booting from a central server on a network using the same HTTP that the Internet is based on. Attackers can exploit this code execution vulnerability in various scenarios, almost all of which follow some form of successful compromise of either the target device or the server or network from which the device is running.

“The attacker would need to be able to force the system to boot from HTTP if it isn’t already doing so, and either be in a position to boot the HTTP server in question or MITM traffic to it,” Matthew Garrett, a security developer and one of the chips’ original authors, wrote. In an online interview. “An attacker (who is physically present or has already compromised the root of the system) could use this to subvert a secure boot (adding a new boot entry to a server they control, compromising chips, or executing arbitrary code).”

In other words, these scenarios include:

  • Gaining the ability to compromise a server or be impersonated by an adversary in the middle to target a device already configured to boot using HTTP
  • You already have physical access to the device or gain administrative control by exploiting a separate vulnerability.

Although these hurdles are steep, they are by no means impossible, particularly the ability to hack or impersonate a server that connects to devices via HTTP, which is unencrypted and requires no authentication. These specific scenarios can be useful if an attacker has already gained some level of access within the network and is looking to take control of connected end-user devices. However, these scenarios are largely handled if the servers use HTTPS, a variant of HTTP that requires a server to authenticate itself. In this case, the attacker would first have to forge the digital certificate that the server uses to prove that it is authorized to provide firmware drivers for the devices.

Being able to physically access the device is also difficult and is widely considered a reason for it to be considered already vulnerable. Of course, actually gaining administrative control by exploiting a separate vulnerability in the operating system is difficult and allows attackers to achieve all kinds of malicious goals.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *