A critical vulnerability affecting most Linux distributions has been identified, allowing for the installation of malware that runs at the firmware level, making it difficult to detect or remove. The vulnerability resides in shim, a component that runs in the firmware early in the boot process before the operating system has started. Successful exploitation of the vulnerability allows attackers to execute malicious firmware at the earliest stages of the boot process. This has the potential to neutralize the secure boot mechanism, compromising the security of the device.
The vulnerability, tracked as CVE-2023-40547, is a buffer overflow bug that allows attackers to execute code of their choice. It can be exploited in several scenarios, each of which first requires compromising the targeted device itself or the server or network the device boots from. While these scenarios present steep challenges, they are not impossible; the most practical is compromising or impersonating a server that communicates with devices over unencrypted HTTP.
Even when servers use HTTPS, which requires server authentication, the scenario could still be useful to an attacker who has already gained some level of access inside a network and wants to take control of connected end-user devices. Gaining physical access to a device, or obtaining administrative control by exploiting a separate vulnerability, is likewise considered difficult, but either would also allow attackers to achieve the same malicious objectives. As Linux developers work on patching this high-severity vulnerability, it serves as a reminder of the importance of addressing security flaws to protect against potential threats.
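The article describes a buffer overflow in shim's HTTP boot path, reachable by a server the device talks to. The following is an added illustration, not shim's code and not from the original article: a hardened handler in C for the class of bug involved, written on the assumption that the attacker-controlled value is a length the server supplies in its HTTP response, which is treated here as untrusted and checked against both the destination size and the bytes actually received before anything is copied.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copy the body of a raw HTTP response into out[] (capacity out_cap).
 * Returns the number of body bytes copied, or -1 if the response is
 * rejected. The server-supplied Content-Length is untrusted: it is checked
 * against the bytes actually received and the destination size before any
 * copy. Hypothetical code for illustration, not shim's implementation.
 */
long http_copy_body(const char *resp, size_t resp_len,
                    uint8_t *out, size_t out_cap)
{
    /* Headers end at the first blank line; require it to be present. */
    const char *hdr_end = NULL;
    for (size_t i = 0; i + 4 <= resp_len; i++)
        if (memcmp(resp + i, "\r\n\r\n", 4) == 0) { hdr_end = resp + i + 4; break; }
    if (hdr_end == NULL) return -1;

    /* Locate Content-Length, searching the header region only. */
    size_t hdr_len = (size_t)(hdr_end - resp);
    const char key[] = "Content-Length:";
    const char *cl = NULL;
    for (size_t i = 0; i + sizeof(key) - 1 <= hdr_len; i++)
        if (memcmp(resp + i, key, sizeof(key) - 1) == 0) { cl = resp + i + sizeof(key) - 1; break; }
    if (cl == NULL) return -1;

    /* Parse the declared length; reject signs, junk and numeric overflow.
       The digit run is bounded because the header region ends in CRLF. */
    while (*cl == ' ') cl++;
    if (*cl < '0' || *cl > '9') return -1;
    errno = 0;
    char *end = NULL;
    unsigned long declared = strtoul(cl, &end, 10);
    if (errno == ERANGE || *end != '\r') return -1;

    /* The checks a vulnerable handler omits: the declared length must fit
       the destination and must not exceed what was actually received. */
    size_t avail = resp_len - hdr_len;
    if (declared > out_cap || declared > avail) return -1;

    memcpy(out, hdr_end, declared);
    return (long)declared;
}
```

The same two bounds checks apply to any length, offset or count a boot-time client reads from the network, not only Content-Length.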