Buffer overflow in bootloader shim allows attackers to run code each time devices boot up.
Take note of the quote in the article...
---
OP/bug finder here with some clarifying information. It's a common misconception that this issue can only be abused if you use HTTP boot. That is not the case at all, otherwise it wouldn't be Critical. This bug can be abused locally (privileged malware can overwrite the EFI partition), from an adjacent network if PXE boot is enabled (w/ MiTM), or remotely if HTTP boot is used (w/ MiTM).
More details on these scenarios:
-
A remote attacker with no privileges in a man-in-the-middle (MitM) position could leverage the issue against a victim machine that uses HTTP boot. No direct access to the victim machine is required.
-
A remote attacker with privileges and code execution on the victim machine could leverage the issue to bypass Secure Boot, even if the victim does not already use HTTP boot (as long as firmware has HTTP support). How? Several ways:
-
An attacker can edit the boot order variable to specify a controlled attacker server.
-
An attacker can chain shim->GRUB2->shim (via HTTP). For this technique, an attacker would overwrite the boot loader in the EFI partition to a legitimate shim and GRUB2 image. The attacker would create a grub.cfg that chainloads a new shim via HTTP. This is possible because GRUB2's device syntax allows you to specify any supported device, including HTTP (if available).
- An adjacent attacker with no privileges in a man-in-the-middle (MitM) position could leverage the issue against a victim machine that uses PXE boot. PXE is separate from HTTP boot, but similar to the local vector, an attacker can chain together shim (via PXE)->GRUB2 (via PXE)->shim (via HTTP).
cross-posted from: https://floss.social/users/kde/statuses/111732458987994100
> Plasma 6 Release Candidate 1 has landed. > > We are less than 50 days away from the final version of #Plasma6. > > Along with Frameworks 6 and KDE Gear 24.02, the Megarelaease on the 28th of February will be one of the biggest and more complex upgrades in KDE's history. > > One more RC will be released on the 31st of January and then it will be (hopefully) clear sailing until the final release. > > https://kde.org/announcements/megarelease/6/rc1/ > > @kde@lemmy.kde.social
Thanks for the reminder, somehow I missed adding the point to my todo list :/
Welcome @Agent_Engelbert@linux.community !
It’s bad, folks. Pair of CVEs incoming on October 11
"Curl 8.4.0 will hit at around 0600 UTC (0800 CEST, 0700 BST, 0200 EST, 2300 PDT) on October 11 and deal with CVE-2023-38545, which affects both libcurl and the curl tool, and CVE-2023-38546, which only affects libcurl...."
The Qualys Threat Research Unit (TRU) has discovered a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.
Remote code execution requiring no authentication fixed. 2 other RCEs remain unpatched.
"Remote code execution requiring no authentication fixed. 2 other RCEs remain unpatched...."
On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer...
"On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps...."