The Shim maintainers have released version 15.8 to fix six security flaws, among them a critical bug that could pave the way for remote code execution under specific circumstances.
The term “Shim” refers to a software package designed to function as a first-stage bootloader on Unified Extensible Firmware Interface (UEFI) systems; it is essentially the component that allows Linux to be installed and booted on desktop systems.
What does this vulnerability mean for Shim?
Identified as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to bypass Secure Boot. Bill Demirkapi of the Microsoft Security Response Center (MSRC) was credited with discovering and reporting the bug (yes, you read that right: nowadays Microsoft staff also help develop Linux).
“Shim's http boot support (httpboot.c) relies on attacker-controlled values when parsing an HTTP response, leading to a fully controlled out-of-bounds write primitive,” Oracle's Alan Coopersmith said in a message shared on the open-source security mailing list oss-security.
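To make the bug class in Coopersmith's description concrete, here is an added example written for this article; it is not shim's httpboot.c, and the struct, chunk size, header value and response body are all constructed for illustration. A receiver sizes its buffer from a server-supplied Content-Length and then copies the body it actually receives; the unchecked version never bounds those copies by the allocation, so a body longer than announced writes into adjacent memory (a canary field here, so the overflow stays observable), while the hardened version refuses any body that does not fit the buffer it allocated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the CVE-2023-40547 bug class (not shim's real code):
 * the buffer is sized from "Content-Length: 8", a value the server controls,
 * and the body then arrives in CHUNK_LEN-byte pieces. */
#define CANARY_LEN 16
#define CHUNK_LEN  6

struct image_buf {
    uint8_t data[8];             /* allocation sized from the announced length */
    uint8_t canary[CANARY_LEN];  /* adjacent memory that must never change */
};

static void init_buf(struct image_buf *img)
{
    memset(img->data, 0, sizeof img->data);
    memset(img->canary, 0xAA, sizeof img->canary);
}

static int canary_intact(const struct image_buf *img)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (img->canary[i] != 0xAA)
            return 0;
    return 1;
}

/* Vulnerable receiver: assumes the body will not exceed the announced length,
 * so each chunk is copied at the running offset with no bound check. */
static size_t receive_unchecked(struct image_buf *img,
                                const uint8_t *body, size_t body_len)
{
    /* Byte view of the whole object, so the overflow lands in canary[]
     * for this demo instead of in unrelated memory. */
    uint8_t *dst = (uint8_t *)img;
    size_t received = 0;
    while (received < body_len) {
        size_t n = body_len - received;
        if (n > CHUNK_LEN) n = CHUNK_LEN;
        memcpy(dst + received, body + received, n);  /* received + n unchecked */
        received += n;
    }
    return received;
}

/* Hardened receiver: every copy is bounded by the capacity actually allocated,
 * and a body that is longer or shorter than announced is rejected. */
static int receive_checked(struct image_buf *img, size_t capacity,
                           const uint8_t *body, size_t body_len,
                           size_t *out_len)
{
    size_t received = 0;
    while (received < body_len) {
        size_t n = body_len - received;
        if (n > CHUNK_LEN) n = CHUNK_LEN;
        if (n > capacity - received)   /* would run past data[] */
            return -1;
        memcpy(img->data + received, body + received, n);
        received += n;
    }
    if (received != capacity)          /* short body: refuse as well */
        return -1;
    *out_len = received;
    return 0;
}

/* Constructed response body: 24 bytes although the header announced 8. */
static const uint8_t oversized_body[24] = {
    'k','e','r','n','e','l','!','!', 'X','X','X','X','X','X','X','X',
    'X','X','X','X','X','X','X','X' };

/* Returns 1 if the unchecked receiver corrupted the adjacent canary. */
int demo_unchecked_corrupts_canary(void)
{
    struct image_buf img;
    init_buf(&img);
    receive_unchecked(&img, oversized_body, sizeof oversized_body);
    return !canary_intact(&img);
}

/* Returns 1 if the checked receiver rejected the body and left the canary alone. */
int demo_checked_rejects(void)
{
    struct image_buf img;
    size_t got = 0;
    init_buf(&img);
    int rc = receive_checked(&img, sizeof img.data,
                             oversized_body, sizeof oversized_body, &got);
    return rc == -1 && canary_intact(&img);
}

/* Returns 1 if a body of exactly the announced length is accepted. */
int demo_checked_accepts_exact(void)
{
    struct image_buf img;
    size_t got = 0;
    init_buf(&img);
    int rc = receive_checked(&img, sizeof img.data,
                             oversized_body, sizeof img.data, &got);
    return rc == 0 && got == 8 && canary_intact(&img);
}

int main(void)
{
    printf("unchecked receiver corrupted adjacent memory: %d\n", demo_unchecked_corrupts_canary());
    printf("checked receiver rejected oversized body: %d\n", demo_checked_rejects());
    printf("checked receiver accepted exact-length body: %d\n", demo_checked_accepts_exact());
    return 0;
}
```

The point of the checked version is that the header value only decides how much memory to reserve; what is written is governed by that reservation, never by the length of whatever the server subsequently sends.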
Demirkapi, in a post shared on the social network X (formerly known as Twitter) late last month, said the vulnerability “exists in every Linux bootloader signed in the last decade.”
Shim, as mentioned at the beginning of the article, is a “trivial” software package designed to function as a first-stage bootloader on Unified Extensible Firmware Interface (UEFI) systems.
Firmware security company Eclypsium has stated that CVE-2023-40547 “arises from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise.”
In a hypothetical attack scenario, an attacker on the same network could exploit the flaw to load a vulnerable shim bootloader, as could a local adversary with sufficient privileges to manipulate data on the EFI partition.
“An attacker could perform a Man-in-the-Middle (MiTM) attack and intercept HTTP traffic between the victim and the HTTP server used to serve files to support HTTP boot,” the company added. “The attacker could be on any network segment between the victim and the legitimate server.”
That said, gaining the ability to run code during the boot process, before the main operating system starts, gives the attacker unrestricted access to implement stealthy bootkits that can provide near-total control over the compromised host.
The other five vulnerabilities fixed in shim version 15.8 are as follows:
- CVE-2023-40546 (CVSS score: 5.3) – Reading out of bounds when printing error messages, resulting in a denial-of-service (DoS) condition;
- CVE-2023-40548 (CVSS score: 7.4) – Buffer overflow in shim when compiled for 32-bit processors, which can lead to a crash or data integrity issues during the boot phase;
- CVE-2023-40549 (CVSS score: 5.5) – Read out of bounds in the authenticode function could allow an attacker to trigger a DoS by providing a malformed binary;
- CVE-2023-40550 (CVSS score: 5.5) – Read out of bounds when validating Secure Boot Advanced Targeting (SBAT) information, which may result in disclosure of information;
- CVE-2023-40551 (CVSS score: 7.1) – Reading out of bounds when parsing MZ binaries, leading to a crash or possible exposure of sensitive data.
“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means it has privileged access and the ability to bypass any controls implemented by the kernel and operating system,” Eclypsium said.