Critical Flaw Found in Linux: Bootkits Lurk in the Motherboard (CVE-2023-40547)
Developers of Linux are actively engaged in rectifying a critical vulnerability, which under certain conditions allows malicious actors to install malware at the firmware level of the motherboard. Such infections, also known as “bootkits,” gain access to the deepest levels of the device, where they are challenging to detect or remove.
The flaw identified with the CVE identifier CVE-2023-40547 (CVSS rating of 9.8 out of 10) constitutes a buffer overflow vulnerability, enabling attackers to execute arbitrary code. It resides within a part of the Shim component responsible for loading from a central server via HTTP. This could be exploited in various scenarios, including compromising the device or server from which the loading occurs.
Shim itself is a small component, executed in the firmware of the device at the early stages of the boot process before the operating system starts. Shim accompanies virtually all Linux distributions and plays a pivotal role in Secure Boot—a protection embedded in most modern computing devices, ensuring that each link in the boot process comes from a verified, reliable source.
Successful exploitation of the CVE-2023-40547 vulnerability allows attackers to bypass this mechanism by running malicious firmware at the earliest stages of the boot process, before UEFI hands over control to the operating system.
Matthew Garrett, one of the authors of Shim, notes that for a successful attack, the hacker must force the system to boot via HTTP and control the corresponding server or intercept its traffic.
Although, at first glance, this may seem like a highly complex attack scenario, overcoming these barriers is not impossible, especially if the attacker already has network access and seeks to control user devices. Using HTTPS instead of HTTP can mitigate such attacks, as it requires server authentication.
Rectifying the vulnerability also entails some risks, as it requires more than simply eliminating buffer overflow from the Shim code. Vulnerable versions will need to be remotely revoked to prevent potential compromise; however, if this is done before Shim is updated, user devices may temporarily become inoperable.
Furthermore, limitations on the size of DBX to 32 kilobytes will likely prevent listing all revoked versions, sometimes including over 200 entries, meaning the vulnerability cannot be completely addressed.
Nevertheless, a patch has already been released and provided to Linux distributors, who are currently making the fixes available to end users.
As previously noted, the risk of successful exploitation is primarily confined to extreme scenarios. Nonetheless, the potential harm is significant, so users should install patches as soon as they become available.
