Esambulweni sakamuva, abathuthukisi be-shim, ingxenye ebalulekile esebenza njengesilayishi sokuqalisa sesigaba sokuqala ezinhlelweni ze-UEFI, badalule iphutha elibalulekile lezokuphepha enguqulweni yabo yakamuva, engu-15.8. Kulandelelwa njenge-CVE-2023-40547, lobu bungozi buphethe amaphuzu e-CVSS angu-9.8, okubeka usongo olukhulu ekuvikelekeni kokusatshalaliswa kweLinux okukhulu. Kutholwe futhi kwabikwa nguBill Demirkapi we-Microsoft Security Response Center (MSRC), iphutha lethula amandla okwenziwa kwekhodi yesilawuli kude kanye ne-Secure Boot bypass. Lokhu kuba sengozini, okukhona kuwo wonke ama-boot loader e-Linux asayinwe phakathi neshumi leminyaka edlule, kuphakamise ukukhathazeka ngomthelela wako osabalele.
Imininingwane ye-CVE-2023-40547
Ukuba sengozini okubalulekile kusekelwe ekusekelweni kwe-http ye-shim futhi kwavezwa u-Alan Coopersmith wase-Oracle. Leli phutha livula umnyango wokubhala kwakudala okulawulwayo ngaphandle kwemingcele lapho kucutshungulwa izimpendulo ze-HTTP. Empeleni, kungaholela ekudluleleni kwe-Secure Boot, okungase kuvumele izitha ukuthi zisebenzise ikhodi yesilawuli kude futhi zonakalise lonke uhlelo. I-Eclypsium, inkampani yezokuphepha ye-firmware, igqamise umsuka wokuba sengozini ekuphathweni kwephrothokholi ye-HTTP, okuholela ekubhaleni okungaphandle kwemingcele okungase kuphumele ekuhlelweni okuphelele kwesistimu.
Esimeni sokuxhaphaza esicatshangelwayo, abahlaseli bangasebenzisa leli phutha ukuze balayishe isilayishi se-shim boot esisengozini, senze ukuhlaselwa kwe-Man-in-the-Middle (MiTM) kunethiwekhi. Ubukhulu balokhu kuba sengcupheni bugcizelelwa iqiniso lokuthi budlulela kuyo yonke i-Linux bootloader esayinwe eshumini leminyaka eledlule, okubonisa umthelela omkhulu ongaba khona kunhlobonhlobo yamasistimu.
Ukulimala Kwe-Shim Okwengeziwe
Inguqulo ye-Shim engu-15.8 ayigcini nje ngokukhuluma nge-CVE-2023-40547 kodwa futhi ilungisa ubungozi obungeziwe obuhlanu, ngayinye inesethi yayo yemiphumela engaba khona. Lobu bungozi buhlanganisa ukufunda nokubhala okungaphandle kwemingcele, ukuchichima kwebhafa, nezindaba ezihlobene nokuphathwa kwekhodi yokuqinisekisa nolwazi lwe-Secure Boot Advanced Targeting (SBAT).
Izimpendulo Ezisheshayo ezivela Ekusatshalalisweni Okukhulu kwe-Linux
Ngokubona ubunzima besimo, ukusatshalaliswa kweLinux okukhulu okufana ne-Debian, Red Hat, SUSE, kanye no-Ubuntu kukhiphe izeluleko ngokushesha mayelana nala maphutha ezokuphepha. Abasebenzisi banxuswa kakhulu ukuthi babuyekeze amasistimu abo enguqulweni yakamuva ye-shim ukuze banciphise ubungozi obungaba khona obuhlobene nalobu bungozi.
Ukutholwa Nezinsongo Ezifanayo
Amagama okutholwa kohlelo olungayilungele ikhompuyutha asebenzisa lobu bungozi asazodalulwa kabanzi. Kodwa-ke, uma kubhekwa imvelo yokuba sengozini kwe-Shim RCE, ochwepheshe bezokuphepha batusa ukuthi kuqashwe ithrafikhi yenethiwekhi ngezicelo ze-HTTP ezisolisayo nokulayishwayo okukhokhelwayo. Izinsongo ezifanayo ezixhaphaza ubungozi be-bootloader zingabandakanya ukuhlaselwa kwe-firmware, i-UEFI, noma ezinye izingxenye ezibalulekile zenqubo yokuqalisa.
Umhlahlandlela Wokususa
Ngenxa yemvelo yobungozi okukhulunywe ngakho ku-shim version 15.8, umhlahlandlela ophelele wokususa ubalulekile. Landela lezi zinyathelo ukuze uqinisekise ukususwa okuphelele kwanoma yiziphi izinsongo ezingaba khona:
- Buyekeza u-Shim: Ngokushesha buyekeza ingxenye ye-shim ibe inguqulo engu-15.8 noma kamuva usebenzisa amakhosombe asemthethweni okusabalalisa kwakho kwe-Linux.
- Hlola Ubuqotho Besistimu: Qinisekisa ubuqotho bamafayela esistimu nezingxenye ze-bootloader usebenzisa amathuluzi anikezwe ukusatshalaliswa kwakho kwe-Linux.
- Ukuqapha Inethiwekhi: Gada ithrafikhi yenethiwekhi yanoma yiziphi izicelo ze-HTTP ezisolisayo noma ukulayishwa kweholo okungase kubonise ukuhlasela okuqhubekayo.
- Sebenzisa Iziqephu Zokuvikela: Hlola njalo futhi usebenzise iziqephu zokuphepha ezinikezwe ukusatshalaliswa kwe-Linux yakho ukuze uqinisekise ukuvikeleka okuqhubekayo.
Imikhuba Engcono Kakhulu Yokuvimbela
Ukuze uvimbele ukutheleleka okuzayo futhi uthuthukise ukuma okuphelele kwesistimu yakho, cabangela lezi zindlela ezihamba phambili ezilandelayo:
- Izibuyekezo Ezivamile: Gcina isistimu yakho yokusebenza, i-bootloader, nayo yonke isofthiwe efakiwe isesikhathini samanje ngeziqephu zokuphepha zakamuva.
- Isegimenti Yenethiwekhi: Sebenzisa ukuhlukaniswa kwenethiwekhi ukuze ukhawulele umthelela wokuhlasela okungenzeka futhi uvimbele ukunyakaza okuhlangene ngaphakathi kwenethiwekhi.
- Imfundo Yomsebenzisi: Fundisa abasebenzisi ngokubaluleka kokugwema izixhumanisi ezisolisayo, okunamathiselwe kwi-imeyili, namawebhusayithi ukunciphisa ingcuphe yokuba yisisulu sokuhlaselwa konjiniyela bezenhlalo.
- Ukuphepha kwe-Firmware: Hlala ubuyekeza futhi uvikele izingxenye ze-firmware ukuze ubhekane nobungozi obungaba khona ku-hardware engaphansi.
Isiphetho
Ukuba sengozini kwe-Shim RCE kubangela usongo olukhulu ekuvikelekeni kwezinhlelo ze-Linux, futhi umthelela wawo ongaba khona ezinhlobonhlobo zezinhlelo udinga isinyathelo esisheshayo. Ngokulandela umhlahlandlela onikeziwe wokususa nokusebenzisa izindlela ezingcono kakhulu zokuvimbela, abasebenzisi bangaqinisa amasistimu abo ngokumelene nalolu songo olubucayi lwe-inthanethi futhi bagcine ukuma okuqinile kokuvikela lapho bebhekene nezinselele zokuphepha eziguqukayo.