In a recent disclosure, the maintainers of shim, a critical component that serves as the first-stage bootloader on UEFI systems, revealed a serious security flaw with the release of their latest version, 15.8. Tracked as CVE-2023-40547, the vulnerability carries a CVSS score of 9.8 and threatens the security of the major Linux distributions. Discovered and reported by Bill Demirkapi of the Microsoft Security Response Center (MSRC), the flaw opens the possibility of remote code execution and a Secure Boot bypass. Because the vulnerability is present in every Linux bootloader signed in the past decade, it has raised concern about how widely it reaches.
Details of CVE-2023-40547
The core vulnerability lies in shim's HTTP boot support and was disclosed by Alan Coopersmith of Oracle. The flaw opens the door to a controlled out-of-bounds write primitive when shim parses HTTP responses. In practice, it can lead to a Secure Boot bypass, which could allow adversaries to execute code remotely and compromise the entire system. Eclypsium, a firmware security company, pointed to the root cause in the handling of the HTTP protocol, which results in an out-of-bounds write that can lead to complete system compromise.
In a hypothetical scenario, attackers could use this flaw to load a compromised shim bootloader by carrying out a Man-in-the-Middle (MiTM) attack on the network. The severity of the vulnerability is underscored by the fact that it spans every Linux bootloader signed in the past decade, which implies a broad impact across many kinds of systems.
Additional Shim Vulnerabilities
Shim version 15.8 not only addresses CVE-2023-40547 but also fixes five other vulnerabilities, each with its own impact. These flaws include out-of-bounds reads and writes, buffer overflows, and issues in the handling of Authenticode and Secure Boot Advanced Targeting (SBAT) information.
Swift Response from Major Linux Distributions
Recognizing the severity of the situation, major Linux distributions such as Debian, Red Hat, SUSE, and Ubuntu have promptly released advisories covering these security flaws. Users are strongly urged to update their systems to the latest version of shim to reduce the risks posed by these vulnerabilities.
Detection and Similar Threats
Specific detection names for malware exploiting these vulnerabilities have not been widely documented. However, given the nature of the shim RCE vulnerability, security experts recommend monitoring network traffic for suspicious HTTP requests and payloads. Similar threats that exploit bootloader weaknesses may include attacks on firmware, UEFI, or other critical bootloader components.
Removal Guide
Given the vulnerabilities disclosed with shim version 15.8, a thorough removal guide is essential. Follow these steps to make sure any potential threats are eliminated:
- Update Shim: Immediately update the shim package to version 15.8 or later using the official repositories of your Linux distribution.
- Check System Integrity: Verify the integrity of system files and bootloader components using the tools provided by your Linux distribution.
- Network Monitoring: Monitor network traffic for any suspicious HTTP requests or payloads that could indicate an ongoing attack.
- Apply Security Patches: Regularly check for and apply the security patches provided by your Linux distribution to ensure continued protection.
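The "version 15.8 or later" check from the first step can be scripted. The following is an added example, not code from the shim project or from any distribution: it assumes shim packages match the name pattern `shim*` and that their version strings follow the layouts noted in the comments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag installed shim packages older than the fixed release.
MIN_SHIM="15.8"   # first release the page names as carrying the fixes

# Pull the upstream shim version out of a package version string.
# Assumed layouts: "15.8-4.el9", "1.58+15.8-0ubuntu1", "1:15.7-1~deb11u1".
shim_upstream_version() {
    v=${1#*:}                          # drop an epoch such as "1:"
    case $v in *+*) v=${v#*+} ;; esac  # "1.58+15.8-0ubuntu1" -> "15.8-0ubuntu1"
    v=${v%%+*}                         # drop any trailing "+suffix"
    v=${v%%-*}                         # drop the packaging revision
    v=${v%%~*}                         # drop a backport marker
    printf '%s\n' "$v"
}

# Exit status: 0 = at or above MIN_SHIM, 1 = older, 2 = could not be parsed.
shim_is_patched() {
    v=$(shim_upstream_version "$1")
    case $v in ''|*[!0-9.]*) return 2 ;; esac
    lowest=$(printf '%s\n%s\n' "$MIN_SHIM" "$v" | sort -V | head -n 1)
    [ "$lowest" = "$MIN_SHIM" ]
}

# List installed shim packages with a verdict for each one.
report_installed_shim() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package} ${Version}\n' 'shim*' 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'shim*'
    fi | while read -r pkg ver; do
        rc=0
        shim_is_patched "$ver" || rc=$?
        case $rc in
            0) echo "OK       $pkg $ver" ;;
            1) echo "UPDATE   $pkg $ver (shim older than $MIN_SHIM)" ;;
            *) echo "UNKNOWN  $pkg $ver (check manually)" ;;
        esac
    done
}

# Run the report only when invoked as: sh check_shim.sh --check
if [ "${1:-}" = "--check" ]; then report_installed_shim; fi
```

A package reported as UNKNOWN has a version string outside the assumed layouts and should be compared against the distribution's advisory by hand.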
Best Practices for Prevention
To prevent future infections and strengthen the overall security of your systems, consider the following practices:
- Regular Updates: Keep your operating system, bootloader, and all installed software up to date with the latest security patches.
- Network Segmentation: Implement network segmentation to limit the impact of a compromise and to restrict lateral movement within the network.
- User Education: Teach users the importance of avoiding suspicious links, attachments, and websites to reduce the risk of falling victim to social engineering.
- Firmware Security: Regularly update and secure firmware components to address potential vulnerabilities in the hardware.
Conclusion
The shim RCE vulnerability threatens the security of Linux systems, and its reach across so many machines calls for prompt action. By following the removal guide above and adopting the recommended prevention practices, users can harden their systems against this serious cyber threat and maintain a solid security posture in the face of ongoing security challenges.