A critical vulnerability has been found in shim, a component used by most Linux distributions that runs in the firmware early in the boot process, before the operating system has started. The vulnerability allows attackers to install malware at the firmware level, giving them access to the deepest parts of a device, where it is hard to detect or remove. This poses a serious security risk because it could be used to circumvent Secure Boot, the protection built into most modern computing devices to ensure that every link in the boot process comes from a verified, trusted supplier.
The vulnerability, tracked as CVE-2023-40547, is a buffer overflow coding bug that allows attackers to execute code of their choice. It resides in the part of shim that handles booting from a central server on a network over HTTP, the same protocol the Internet is based on. While the specific scenarios for exploiting the vulnerability present steep hurdles, they are by no means impossible to overcome. They include compromising the boot server, or impersonating it from an adversary-in-the-middle position, to target a device that is already configured to boot using HTTP, as well as gaining physical access to a device or gaining administrative control of it by exploiting a separate vulnerability.
While these scenarios pose significant challenges for attackers, the possibility of compromising or impersonating a server that communicates with devices over HTTP is a cause for concern, especially if the server does not use HTTPS and the connection is therefore unauthenticated. These scenarios highlight the need for robust security measures and encrypted communication protocols to mitigate the risk posed by this critical vulnerability.
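Because the network scenario only applies to devices already configured to boot over HTTP, a first triage step is to list which UEFI boot entries point at a network URL. The following is an added example, not code from shim or from this article; it assumes the `Uri(...)` device-path text printed by `efibootmgr -v`, and the sample output and the `boot.example.test` host are constructed.

```python
import re

# Constructed sample in the layout printed by `efibootmgr -v` (not from a real host).
SAMPLE = (
    "BootCurrent: 0001\n"
    "BootOrder: 0003,0002,0001,0004\n"
    "Boot0001* ubuntu\tHD(1,GPT,00000000-0000-4000-8000-000000000001,0x800,0x100000)"
    "/File(\\EFI\\ubuntu\\shimx64.efi)\n"
    "Boot0002* HTTP lab\tPciRoot(0x0)/Pci(0x3,0x0)/MAC(525400000001,1)"
    "/IPv4(0.0.0.0,0,0)/Uri(http://boot.example.test/shimx64.efi)\n"
    "Boot0003* HTTPS lab\tPciRoot(0x0)/Pci(0x3,0x0)/MAC(525400000001,1)"
    "/IPv4(0.0.0.0,0,0)/Uri(https://boot.example.test/shimx64.efi)\n"
    "Boot0004  HTTP dhcp\tPciRoot(0x0)/Pci(0x3,0x0)/MAC(525400000001,1)"
    "/IPv4(0.0.0.0,0,0)/Uri()\n"
)

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")  # '*' marks an active entry
URI = re.compile(r"Uri\(([^)]*)\)")  # assumed text form of the URI device-path node

def http_boot_entries(text):
    """Return boot entries that carry a URI node, sorted by BootOrder position."""
    order, found = [], []
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip().upper() for n in line.split(":", 1)[1].split(",")]
            continue
        m = ENTRY.match(line)
        uri = URI.search(m.group(3)) if m else None
        if not uri:
            continue  # header line, or an entry without a URI node (e.g. disk)
        url = uri.group(1).strip()
        if url.lower().startswith("https://"):
            scheme = "https"
        elif url.lower().startswith("http://"):
            scheme = "http"
        else:
            scheme = "unspecified"  # empty URI: firmware learns the URL from DHCP
        found.append({"num": m.group(1).upper(), "active": m.group(2) == "*",
                      "scheme": scheme, "url": url})
    rank = {n: i for i, n in enumerate(order)}
    return sorted(found, key=lambda e: rank.get(e["num"], len(order)))

def unauthenticated_http_boot(text):
    """Numbers of active entries whose boot server is not authenticated by TLS."""
    return [e["num"] for e in http_boot_entries(text)
            if e["active"] and e["scheme"] != "https"]

if __name__ == "__main__":
    for entry in http_boot_entries(SAMPLE):
        print(entry)
    print("review first:", unauthenticated_http_boot(SAMPLE))
```

On a real host the text would come from `efibootmgr -v`. An `https` entry is not cleared by this check, since TLS only addresses impersonation of the server, not a compromise of the server itself.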