The shim maintainers at Red Hat have fixed a severe flaw that could have allowed an attacker to gain privileged access to a Linux system before the kernel is even loaded, potentially resulting in a complete takeover of the system.
Shim is an early-stage bootloader used mainly by Linux distributions to remain compatible with the UEFI Secure Boot process. It carries a signature from Microsoft’s Third-Party Certificate Authority, which lets the shim take part as a valid component in the Secure Boot chain as configured on most computers.
The flaw, tracked as CVE-2023-40547, raised considerable alarm among security professionals because it could allow an attacker to gain pre-OS control of a system and sidestep the protections that Secure Boot provides. Through several different attack paths, an attacker might exploit it to disrupt or take over the entire boot process.
“In certain situations, a vulnerable shim version must be installed on a system, while in other instances, an attacker may install a vulnerable shim version to bypass Secure Boot and tamper with the kernel and OS, usually with the intention to deactivate security controls otherwise hard to disable post the full boot of the system,” elucidated Paul Asadoorian, the principal security evangelist for Eclypsium.
Bill Demirkapi, a member of the Microsoft Security Response Center (MSRC), was credited with discovering and reporting the bug, the full details of which were shared in a blog post published by Eclypsium on February 6.
The same Eclypsium post noted that every Linux system running Secure Boot, whether a server or an end-user system, is affected by this bug. While many might assume the bug pertains only to Red Hat systems, the researchers clarified that several other Linux distributions, including Debian, Ubuntu, and SUSE, were integrating the patches. Alongside the major bug, five other medium-severity flaws were found in shim.
“The necessity to patch this issue cannot be understated, given that Linux is extensively utilised for servers in businesses. This security flaw impacts every Linux bootloader signed over the past decade,” commented Ashwin Vamshi, leading security researcher at Menlo Security.
John Gallagher, vice president of Viakoo Labs, said this constituted a significant threat because the vulnerability is exploitable across a wide range of device and system types. Gallagher noted that cyber criminals target the weakest areas of a company’s defenses, the ones that take a considerable amount of time to correct, and that the shim vulnerability typifies this situation.
“This shim vulnerability is particularly difficult to mitigate and remediate because it is in the earliest stage of software and hardware interactions,” explained Gallagher. “This stage of system initialization also provides root access to a variety of services, which makes the overall attack surface quite large.”
Linux is frequently used in many non-IT systems, such as IoT and OT, where it is harder to find and remediate this vulnerability than in traditional IT systems, which have multiple layers of security that can lessen its impact. Gallagher posited that many Linux-based IoT and OT systems affected by this shim vulnerability will remain compromised and go undetected. Companies with substantial IoT/OT deployments should be on high alert and should ensure they have application-based IoT discovery as well as an automated remediation solution for firmware updates, Gallagher said.
Adam Neel, threat detection engineer at Critical Start, noted that although the vulnerability has not yet been exploited in the wild, Linux administrators should make patching to the latest shim version a top priority.
As expressed by Neel, “The potential for damage is significant. It enables attackers to sidestep endpoint protections and install a bootkit, granting malicious actors a serious advancement in privileges and potentially full control of a system. This exploit takes place at such a low level in the system and so early in the boot process that there is no way to detect that CVE-2023-40547 has been exploited via standard methods until it’s too late.”
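The practical follow-up to the patching advice above is an inventory check: is Secure Boot actually enforcing on this host, and is the installed shim package at or above the version your distribution's advisory names as fixed? The script below is an added example, not code from the article or from the shim project. It reads the `SecureBoot` EFI variable through efivarfs (a 4-byte attribute header followed by a single data byte, `1` meaning enforcing), then queries the package manager for the shim version. The package names (`shim-x64` for rpm-based systems, `shim-signed` for dpkg-based ones), the `MIN_FIXED_SHIM_VERSION` placeholder, and the simplified version comparison are all assumptions; the article does not state the fixed version, so substitute the value from your own distribution's advisory.

```python
"""Defender-side check: Secure Boot state plus installed shim package version.

Added example; not from the article or the shim project. Package names and the
minimum fixed version are assumptions/placeholders, see the comments below.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple

# PLACEHOLDER: the article does not give the fixed shim version. Replace with the
# version named in your distribution's advisory for CVE-2023-40547.
MIN_FIXED_SHIM_VERSION = "99.99"

# Standard efivarfs path for the SecureBoot variable (EFI global variable GUID).
SECUREBOOT_EFIVAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)

# Constructed sample efivarfs contents for offline use: 4 attribute bytes then 1 data byte.
SAMPLE_EFIVAR_ENFORCING = b"\x06\x00\x00\x00\x01"
SAMPLE_EFIVAR_DISABLED = b"\x06\x00\x00\x00\x00"


def parse_secureboot_efivar(raw: bytes) -> Optional[bool]:
    """Interpret efivarfs bytes: attributes (4 bytes) followed by the SecureBoot byte.
    Returns True if enforcing, False if disabled, None if the data is too short."""
    if len(raw) < 5:
        return None
    return raw[4] == 1


def read_secureboot_state() -> Optional[bool]:
    """Read the live variable; None when not booted via UEFI or efivarfs is absent."""
    try:
        return parse_secureboot_efivar(SECUREBOOT_EFIVAR.read_bytes())
    except OSError:
        return None


def version_key(ver: str) -> List[Tuple[int, object]]:
    """Split a version into comparable chunks. Simplified: numeric chunks compare as
    integers, others as strings; this is not a full rpm/dpkg version comparison."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.split(r"[.\-~+]", ver) if t]


def shim_needs_update(installed: str, minimum_fixed: str = MIN_FIXED_SHIM_VERSION) -> bool:
    """True when the installed version sorts below the minimum fixed version."""
    return version_key(installed) < version_key(minimum_fixed)


def installed_shim_version() -> Optional[str]:
    """Ask the package manager for the shim version. Package names are assumptions
    for common rpm- and dpkg-based distributions."""
    probes = [
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "shim-x64"],
        ["dpkg-query", "-W", "-f=${Version}", "shim-signed"],
    ]
    for cmd in probes:
        if shutil.which(cmd[0]) is None:
            continue
        res = subprocess.run(cmd, capture_output=True, text=True)
        if res.returncode == 0 and res.stdout.strip():
            return res.stdout.strip()
    return None


def assess(secure_boot: Optional[bool], shim_version: Optional[str],
           minimum_fixed: str = MIN_FIXED_SHIM_VERSION) -> str:
    """Summarise the host's state as a short status token for inventory tooling."""
    if secure_boot is None:
        return "no-efi-secureboot-variable"
    if shim_version is None:
        return "shim-package-not-found"
    if shim_needs_update(shim_version, minimum_fixed):
        return "shim-below-fixed-version"
    return "shim-at-or-above-fixed-version"


if __name__ == "__main__":
    state = read_secureboot_state()
    print("secure boot enforcing:", state)
    print("shim package version:", installed_shim_version())
    print("assessment:", assess(state, installed_shim_version()))
```

Two caveats for anyone wiring this into an inventory job. First, the package query tells you what the package manager installed, not what is actually sitting on the EFI System Partition; as the article notes, an attacker able to write to the boot path can place a vulnerable shim there regardless of the package state, so a file-level check of the ESP is a separate control. Second, the article says every Secure Boot system is affected, but a host with Secure Boot disabled should still receive the shim update; the status token only tells you whether the enforcement you are relying on is active.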