A vulnerability found in Shim allows UEFI Secure Boot to be bypassed

Vulnerability

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or, more generally, to cause problems.

Recently, news broke that a vulnerability had been found in the shim layer, which is widely used by Linux distributions for verified booting in UEFI Secure Boot mode.

The vulnerability, catalogued as CVE-2023-40547 and rated 8.3 on the CVSS scale, poses significant risks, including the possibility of remote code execution and the bypassing of Secure Boot on Linux machines.

The vulnerability lies in the code that loads files over HTTP, which processes specially crafted responses from the HTTP server that Shim contacts. An attacker who controls that HTTP server can return a crafted response, which results in a controlled out-of-bounds write past the end of a buffer and allows code execution during the early boot stage, before the next loader is verified and run.

The root of the vulnerability is Shim's HTTPBoot mode, which allows files to be fetched over HTTP; the file retrieved this way is the loader that is invoked in the next stage of the boot process.

When loading files over HTTP, Shim allocates a buffer for the received data based on the size specified in the HTTP "Content-Length" header. The problem arises when the server sends a Content-Length smaller than the body it actually transmits: the rest of the response is written to memory beyond the end of the allocated buffer, which is the out-of-bounds write that makes the vulnerability exploitable.
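The following is an added example written for this article to show the pattern just described; it is not shim's own source. A small fixed-size arena stands in for the firmware heap, with a marker object placed directly behind the buffer that was sized from Content-Length. The unchecked receive loop copies every chunk the (constructed, hostile) server sends and lands on the marker; the hardened variant checks each chunk against the room that remains and rejects a body that disagrees with the declared length in either direction. All buffer sizes, chunk contents and function names here are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the HTTPBoot receive path discussed above, written for
 * this article; it is not shim's source. A fixed-size arena stands in for the
 * firmware heap: the response buffer is carved from its front and a marker
 * object sits right behind it, so an over-long copy hits the marker. */

#define ARENA_SIZE 64
#define MARKER_LEN 8
static const uint8_t MARKER[MARKER_LEN] = "NEXTOBJ";   /* 7 chars + NUL */

struct arena { uint8_t mem[ARENA_SIZE]; };

/* Carve a content_length-byte buffer and place the marker right after it. */
static uint8_t *alloc_response_buffer(struct arena *a, size_t content_length)
{
    if (content_length + MARKER_LEN > ARENA_SIZE)
        return NULL;
    memset(a->mem, 0, ARENA_SIZE);
    memcpy(a->mem + content_length, MARKER, MARKER_LEN);
    return a->mem;
}

/* 1 if the object behind the buffer is untouched, 0 if it was overwritten. */
int marker_intact(const struct arena *a, size_t content_length)
{
    return memcmp(a->mem + content_length, MARKER, MARKER_LEN) == 0;
}

/* Vulnerable pattern: buffer sized from Content-Length, but the loop copies
 * whatever the server sends, so an understated header overruns the buffer. */
size_t receive_trusting_header(struct arena *a, size_t content_length,
                               const uint8_t *chunks[], const size_t lens[],
                               size_t nchunks)
{
    uint8_t *buf = alloc_response_buffer(a, content_length);
    size_t written = 0;
    if (!buf)
        return 0;
    for (size_t i = 0; i < nchunks; i++) {
        /* Only the arena edge is guarded (keeps the demo in defined memory). */
        if (written + lens[i] > ARENA_SIZE)
            break;
        memcpy(buf + written, chunks[i], lens[i]);
        written += lens[i];
    }
    return written;
}

/* Hardened pattern: each chunk is checked against the room left, and a body
 * that disagrees with Content-Length either way is rejected (-1), else 0. */
int receive_bounded(struct arena *a, size_t content_length,
                    const uint8_t *chunks[], const size_t lens[],
                    size_t nchunks, size_t *out_written)
{
    uint8_t *buf = alloc_response_buffer(a, content_length);
    size_t written = 0;
    if (!buf)
        return -1;
    for (size_t i = 0; i < nchunks; i++) {
        if (lens[i] > content_length - written)
            return -1;                     /* body longer than declared */
        memcpy(buf + written, chunks[i], lens[i]);
        written += lens[i];
    }
    if (written != content_length)
        return -1;                         /* truncated body */
    *out_written = written;
    return 0;
}

/* Constructed exchange: Content-Length: 16 declared, 24 bytes sent in two
 * chunks, then a control case of exactly 16 bytes. Returns 0 on the expected
 * outcomes; a non-zero value names the expectation that failed. */
int demo_http_boot_receive(void)
{
    struct arena a;
    const uint8_t *chunks[2] = { (const uint8_t *)"AAAAAAAAAAAA",
                                 (const uint8_t *)"BBBBBBBBBBBB" };
    const size_t lens_bad[2] = { 12, 12 };
    const size_t lens_ok[2] = { 12, 4 };
    size_t written = 0;

    if (receive_trusting_header(&a, 16, chunks, lens_bad, 2) != 24)
        return 1;
    if (marker_intact(&a, 16))
        return 2;                          /* overrun did not happen */
    if (receive_bounded(&a, 16, chunks, lens_bad, 2, &written) != -1)
        return 3;                          /* hardened path accepted it */
    if (!marker_intact(&a, 16))
        return 4;                          /* hardened path leaked bytes */
    if (receive_bounded(&a, 16, chunks, lens_ok, 2, &written) != 0)
        return 5;                          /* well-formed body rejected */
    return (written == 16 && marker_intact(&a, 16)) ? 0 : 6;
}
```

The point of the arena is only to keep the demonstration in defined memory: in real firmware the bytes that spill past the buffer land on whatever the allocator placed next, which is what gives the attacker a controlled write. Note that the hardened copy rejects a short body as well as a long one, since a truncated loader should not be handed to the next boot stage either.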

To mitigate the vulnerability without revoking the digital signature, it is stated that the SBAT mechanism can be used, which is supported by GRUB2, shim and fwupd in the most widely used Linux distributions.

Developed in collaboration with Microsoft, SBAT adds extra metadata to the executable files of UEFI components, such as manufacturer, product, component and version information. This metadata is covered by the digital signature and can be evaluated independently against the allow and deny lists of UEFI Secure Boot components, so a specific generation of a component can be revoked without revoking the signing key.
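As an added illustration of how the SBAT check works (written for this article, not shim's implementation), the example below parses the CSV lines of a binary's .sbat section and a revocation policy and decides whether the binary may boot. The CSV layout (component, generation, vendor, package, version, URL, with the policy listing component and minimum generation) follows the published SBAT format; the specific generation numbers and the policy date in the sample data are constructed for the example and are not the values shipped with any particular shim release.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the SBAT generation check, written for this
 * article; it is not shim's implementation. Each line of a binary's .sbat
 * section is CSV: component,generation,vendor,package,version,url. The
 * revocation policy (shim's SbatLevel data) lists component,minimum
 * generation, and a binary is accepted only if every component it declares
 * meets that minimum. The generation numbers and policy date below are
 * illustrative, not the values shipped with any particular release. */

struct sbat_entry { char component[32]; unsigned long generation; };

/* Read component and generation from each CSV line; the remaining fields are
 * informational and ignored here. Returns the number of entries parsed. */
static size_t parse_sbat(const char *csv, struct sbat_entry *out, size_t max)
{
    size_t n = 0;
    const char *line = csv;
    while (*line && n < max) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *comma = memchr(line, ',', len);
        if (comma) {
            size_t clen = (size_t)(comma - line);
            if (clen >= sizeof out[n].component)
                clen = sizeof out[n].component - 1;
            memcpy(out[n].component, line, clen);
            out[n].component[clen] = '\0';
            out[n].generation = strtoul(comma + 1, NULL, 10);
            n++;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return n;
}

/* 1 if the binary's SBAT data satisfies the policy, 0 if any component it
 * declares is older than the policy's minimum generation for that name. */
int sbat_allowed(const char *binary_sbat, const char *policy_sbat)
{
    struct sbat_entry bin[16], pol[16];
    size_t nb = parse_sbat(binary_sbat, bin, 16);
    size_t np = parse_sbat(policy_sbat, pol, 16);
    for (size_t i = 0; i < nb; i++)
        for (size_t j = 0; j < np; j++)
            if (strcmp(bin[i].component, pol[j].component) == 0 &&
                bin[i].generation < pol[j].generation)
                return 0;
    return 1;
}

/* Constructed .sbat sections for a pre-fix and a fixed shim build. */
static const char OLD_SHIM_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n";
static const char NEW_SHIM_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n";

/* Constructed revocation policy: refuse any shim below generation 4 while
 * leaving GRUB builds at generation 3 or newer bootable. */
static const char POLICY[] = "sbat,1,2024010900\nshim,4\ngrub,3\n";

int main(void)
{
    printf("old shim: %s\n", sbat_allowed(OLD_SHIM_SBAT, POLICY) ? "boots" : "revoked");
    printf("new shim: %s\n", sbat_allowed(NEW_SHIM_SBAT, POLICY) ? "boots" : "revoked");
    return 0;
}
```

This is what lets a distribution ship a policy that blocks the vulnerable shim generation while the fixed build, signed with the same key, continues to boot: the decision is made on the component's generation number rather than on the signing certificate.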

It should be noted that the vulnerability has already been fixed in the Shim 15.8 release. However, to be fully protected against attacks through Shim, the new version must be signed by Microsoft and deployed by the Linux distributions.

The difficulty is that, without revoking the signature of the previous version, the fix alone is not enough, since an attacker could boot from media carrying a vulnerable version of Shim to compromise UEFI Secure Boot. But revoking that signature would make it impossible to boot distributions that still ship the previous version of Shim.

Finally, it is worth mentioning that, in addition to fixing the major vulnerability described above, Shim 15.8 also fixes several less critical security issues that could be exploited locally. These issues have been assigned the following CVE identifiers:

  1. CVE-2023-40548: an integer overflow in the verify_sbat_section function, which can lead to a buffer overflow on 32-bit systems.
  2. CVE-2023-40546: an out-of-bounds memory read that occurs when error messages are reported through the LogError() function.
  3. CVE-2023-40549: another out-of-bounds memory read, triggered when a specially crafted PE file is processed in the verify_buffer_authenticode() function.
  4. CVE-2023-40550: an out-of-bounds memory read from a buffer in the verify_buffer_sbat() function.
  5. CVE-2023-40551: an out-of-bounds memory read that occurs when parsing MZ files.

These vulnerabilities highlight the importance of addressing weaknesses in the implementation of security mechanisms, particularly in critical components such as the Secure Boot chain of Linux distributions.

Last but not least, as always, we recommend that users apply the appropriate patches and configuration changes to mitigate the risks associated with these vulnerabilities and protect their systems from potential attacks.

If you want to know more about it, you can check the information at the following link.

