TechRadar
Sead Fadilpašić

Linux devs racing to patch critical security flaw that could allow bootkit installation

A major vulnerability has been discovered in almost all Linux variants that could allow threat actors to run malware at the firmware level.

The vulnerability is tracked as CVE-2023-40547 and is described as a buffer overflow weakness. It resides in shim, a component that runs in the firmware environment before the operating system boots.

These are the findings of security researcher Matthew Garrett, who is also one of the original shim authors, Ars Technica reports.

Patch waterfall

According to the research, shim is found in basically all Linux distros and is a pivotal element of secure boot, a protection mechanism found on most computers today. It makes sure that every step of the boot process comes from a trusted supplier. By abusing the buffer overflow weakness, an attacker would be able to bypass this mechanism and run malicious code before UEFI loads the operating system.

The silver lining here is that threat actors would first need to obtain access to the target device in some other manner (via physical access or other malware).

“An attacker would need to be able to coerce a system into booting from HTTP if it's not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it,” Garrett said. “An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code).”

Another silver lining is that any bootkit malware abusing this flaw wouldn’t survive a full hard drive wipe.

Given the decentralized nature of Linux distributions, patching is not that simple. Right now, the shim developers have released the patch to shim maintainers, who have added it to their respective versions. These have now made it to Linux distributors, who need to push them further, onto end users.
