Critical Bootloader Vulnerability in Shim Affects Almost All Linux Distros

February 07, 2024 | Newsroom | Device Security / Vulnerabilities

Linux Bootloader Vulnerability

The maintainers of shim have released version 15.8 to address six security flaws, including a critical bug that could pave the way for remote code execution under certain circumstances.

Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability can be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been credited with discovering and reporting the bug.

“The http boot support in the shim (httpboot.c) relies on attacker-controlled values when parsing an HTTP response, leading to a fully controlled out-of-bounds write primitive,” Alan Coopersmith of Oracle said in a message shared on the Open Source Security mailing list oss-security.


Demirkapi, in a post shared on X (formerly Twitter) late last month, said the vulnerability “exists in every Linux boot loader signed in the last decade.”

shim refers to a “trivial” software package that is designed to work as a first-stage boot loader on Unified Extensible Firmware Interface (UEFI) systems.

Firmware security firm Eclypsium says CVE-2023-40547 “stems from HTTP protocol handling, which leads to out-of-bounds writes that can lead to complete system compromise.”
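To make the bug class Coopersmith and Eclypsium describe concrete, here is an added illustration in C; it is not shim's httpboot.c, and `struct http_resp`, `MAX_BOOT_FILE` and the fetch functions are hypothetical. It shows a loader that sizes its buffer from the server's Content-Length but copies whatever body arrived, beside a version that refuses any response whose lengths disagree.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_BOOT_FILE (64u * 1024u * 1024u) /* assumed sanity ceiling for a fetched image */

/* One HTTP response as a hypothetical reader hands it to the loader. */
struct http_resp {
    size_t content_length; /* value taken from the server's Content-Length header */
    const uint8_t *body;   /* bytes received after the header block */
    size_t body_len;       /* how many body bytes actually arrived */
};

/* Vulnerable pattern: the destination is sized from one server-controlled value
 * and the copy length from another. A body longer than the header claims writes
 * past the allocation. Shown only for the missing check; never call it with inconsistent lengths. */
uint8_t *fetch_unchecked(const struct http_resp *r) {
    uint8_t *buf = malloc(r->content_length);
    if (buf == NULL) return NULL;
    memcpy(buf, r->body, r->body_len); /* body_len is never compared to content_length */
    return buf;
}

/* Hardened: both peer-supplied lengths are checked against each other and
 * against a fixed ceiling before a single byte is written. */
uint8_t *fetch_checked(const struct http_resp *r) {
    if (r->content_length == 0 || r->content_length > MAX_BOOT_FILE) return NULL;
    if (r->body_len != r->content_length) return NULL; /* truncated or oversized body */
    uint8_t *buf = malloc(r->content_length);
    if (buf == NULL) return NULL;
    memcpy(buf, r->body, r->content_length);
    return buf;
}

/* Returns 1 if the hardened loader accepts the response, 0 if it rejects it. */
int response_accepted(size_t claimed, const char *body, size_t body_len) {
    struct http_resp r = { claimed, (const uint8_t *)body, body_len };
    uint8_t *buf = fetch_checked(&r);
    if (buf == NULL) return 0;
    free(buf);
    return 1;
}

int main(void) {
    /* Constructed samples: an honest response and one whose body exceeds its header. */
    printf("honest 4/4: %s\n", response_accepted(4, "abcd", 4) ? "accepted" : "rejected");
    printf("lying  4/8: %s\n", response_accepted(4, "abcdefgh", 8) ? "accepted" : "rejected");
    return 0;
}
```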

In a hypothetical attack scenario, the flaw could be exploited by a threat actor on the same network to load a vulnerable shim boot loader, or by a local adversary with sufficient privileges to manipulate data on the EFI partition.

“An attacker can perform a MiTM (Man-in-the-Middle) attack and intercept HTTP traffic between the victim and the HTTP server used to serve files to support the HTTP boot,” the company added. “The attacker can be found on any part of the network between the victim and the legitimate server.”

As such, gaining the ability to execute code during the boot process – which occurs before the main operating system starts – gives the attacker carte blanche access to deploy stealthy bootkits that provide almost total control over the compromised host.


The five other vulnerabilities fixed in shim version 15.8 are listed below:

  • CVE-2023-40546 (CVSS score: 5.3) – Out-of-bounds read when printing error messages, resulting in a denial-of-service (DoS) condition
  • CVE-2023-40548 (CVSS score: 7.4) – Buffer overflow in the shim when compiled for 32-bit processors that can lead to crashes or data integrity issues during the boot phase
  • CVE-2023-40549 (CVSS score: 5.5) – Out-of-bounds read in the authenticode function that could allow an attacker to trigger a DoS by providing a malformed binary
  • CVE-2023-40550 (CVSS score: 5.5) – Out-of-bounds read when validating Secure Boot Advanced Targeting (SBAT) information that may result in the disclosure of information
  • CVE-2023-40551 (CVSS score: 7.1) – Out-of-bounds read when parsing MZ binaries, leading to a crash or possible exposure of sensitive data

“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to bypass any controls implemented by the kernel and operating system,” said Eclypsium.
