Linux developers are currently dealing with a significant vulnerability that, in certain instances, enables the installation of malware at the firmware level, making infections that reach the deepest parts of the device difficult to detect or remove. The vulnerability is found in shim, a small component that runs in the firmware early in the boot process, before the operating system starts. Shim, which is part of all Linux distributions, plays a crucial role in secure boot, the protection built into modern hardware to ensure that each link in the boot chain comes from a trustworthy source. Exploiting the vulnerability allows attackers to compromise the system by running malicious firmware early in the boot process, before the Unified Extensible Firmware Interface (UEFI) firmware loads and starts the operating system.

The vulnerability, tracked as CVE-2023-40547, is a buffer overflow, a coding flaw that gives attackers considerable control. It is located in the part of shim that handles booting from a central server on the network over HTTP, the same protocol the Internet uses. Criminals can exploit the code execution flaw in various scenarios, most of which involve successful communication with the target device, server, or network.

“An attacker may need to force a machine to start moving away from HTTP if it is not already doing so, as well as have access to the requested HTTP server or MITM traffic,” explained security developer Matthew Garrett. “An attacker (existing or already rooted on the computer) can use this to tamper with secure boot (add a new entry on the server they control, tamper with the shim, install illegal code).”

In simpler terms, these scenarios include compromising a server or acting as an adversary-in-the-middle to reach a device that has been configured to boot using HTTP, and having access to the device or gaining control of it by exploiting a different vulnerability.
Though these hurdles are significant, they are not insurmountable, especially the possibility of tampering with or impersonating a server that communicates with devices over unencrypted and unauthenticated HTTP, particularly if the attacker already has access to the network and wants to monitor connected devices. However, this scenario is mitigated if the server uses HTTPS, the version of HTTP that requires the server to authenticate itself. In that case, the attacker would need to forge the digital certificate the server uses to prove it is authorized to provide firmware to the devices. Gaining access to the device is also challenging, and an attacker who has it raises the concern that the device may have already been compromised. Additionally, gaining control through a different vulnerability in the operating system allows attackers to achieve various malicious objectives.
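
The article ties exposure to devices configured to boot over HTTP and notes that HTTPS changes the picture. As an added example (not from the article or the shim project), this Python script flags such boot entries in `efibootmgr -v` output; the sample output, host names and risk labels are constructed, and it assumes HTTP boot entries carry a `Uri(...)` device-path node.

```python
import re

# Constructed sample of `efibootmgr -v` output (not captured from a real system);
# boot.example.internal is a hypothetical boot server.
SAMPLE = """\
BootCurrent: 0001
BootOrder: 0003,0001,0004,0002
Boot0001* ubuntu\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)
Boot0002  UEFI PXEv4\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)/IPv4(0.0.0.0,0,DHCP)
Boot0003* netboot-http\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)/IPv4(0.0.0.0,0,DHCP)/Uri(http://boot.example.internal/shimx64.efi)
Boot0004* netboot-https\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)/IPv4(0.0.0.0,0,DHCP)/Uri(https://boot.example.internal/shimx64.efi)
"""

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")
URI = re.compile(r"Uri\(([^)]*)\)", re.IGNORECASE)  # assumed URI node format


def audit_http_boot(text):
    """Return one finding per boot entry that fetches its loader from a URI."""
    m = re.search(r"^BootOrder:\s*(\S*)", text, re.MULTILINE)
    order = m.group(1).upper().split(",") if m else []
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # BootCurrent/BootOrder/Timeout lines
        num, active, rest = m.group(1).upper(), m.group(2) == "*", m.group(3)
        uri = URI.search(rest)
        if not uri:
            continue  # local disk or PXE entry, not the HTTP boot path
        url = uri.group(1)
        # An empty Uri() means the URL is supplied at boot time; treat it
        # like cleartext because nothing pins it to an authenticated server.
        if url.lower().startswith("https://"):
            risk = "authenticated"
        elif active and num in order:
            risk = "cleartext-in-boot-order"
        else:
            risk = "cleartext-inactive"
        findings.append({"entry": num, "url": url, "risk": risk})
    return findings


if __name__ == "__main__":
    for finding in audit_http_boot(SAMPLE):
        print(finding["entry"], finding["risk"], finding["url"] or "(URL from DHCP)")
```

A `cleartext-in-boot-order` finding marks a machine that meets the HTTP boot precondition described above, not proof of compromise; it tells you where to prioritise the shim update or a move to HTTPS.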