Critical Shim Bootloader Vulnerability Affects Virtually All Linux Distributions

The maintainers of shim have released version 15.8 to address six security vulnerabilities, one of which is critical (CVE-2023-40547, CVSS score 9.8). The flaw, discovered and reported by Bill Demirkapi of the Microsoft Security Response Center, could lead to remote code execution under specific conditions and allow Secure Boot to be bypassed.

The vulnerability lives in shim's HTTP boot support (httpboot.c), which trusts attacker-controlled values while parsing the HTTP response, yielding a fully controlled out-of-bounds write primitive. According to Demirkapi, the bug has been present in every Linux boot loader signed over the past decade.

Shim describes itself as a "trivial" EFI application: a first-stage boot loader for Unified Extensible Firmware Interface (UEFI) systems that carries a Microsoft-issued signature and, in turn, verifies and launches the distribution's next-stage loader (typically GRUB). Firmware security firm Eclypsium attributes CVE-2023-40547 to flaws in shim's HTTP protocol handling that cause an out-of-bounds write and could lead to complete system compromise.

In one attack scenario, a threat actor on the same network could exploit the vulnerability to load a compromised shim boot loader. Alternatively, a local adversary with sufficient privileges to manipulate data on the EFI partition could leverage the flaw. Eclypsium also describes a remote variant in which the attacker mounts a Man-in-the-Middle (MiTM) attack, intercepting the HTTP boot traffic between the victim and the boot server and serving a malicious response that compromises the system before the operating system loads. The vulnerable code is only reached when shim itself is booting over HTTP and fetching the next stage, so systems that never use UEFI HTTP Boot are not exposed to the network path. Note also that the older, vulnerable shim builds remain validly signed: installing 15.8 alone does not stop an attacker from booting an old shim, so the old builds must additionally be revoked (via an SBAT generation bump or a UEFI DBX update).
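The following is an added illustration of the bug class described above (a boot client trusting a length value taken from the HTTP response) beside a hardened version of the same routine. It is constructed for this article and is not shim's httpboot.c; the function names, the 64-byte staging buffer, and the four sample responses are all assumptions made for the example. The oversized response stands in for what a MiTM on the HTTP boot path could return.

```c
/*
 * Constructed illustration (not shim's code) of the bug class behind
 * CVE-2023-40547: an HTTP boot client that trusts the Content-Length it
 * received from the network when copying the response body into a
 * fixed-size staging buffer. The hardened variant bounds the copy by both
 * the buffer capacity and the number of bytes actually received.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BUF_SIZE 64   /* deliberately tiny so the example is readable */

enum parse_status { PARSE_OK = 0, PARSE_BAD_HEADER, PARSE_TOO_LARGE, PARSE_TRUNCATED };

/* Constructed responses standing in for what an HTTP boot server, or a
 * man-in-the-middle impersonating it, might send back. */
static const char BENIGN_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nContent-Type: application/efi\r\nContent-Length: 5\r\n\r\nhello";
static const char OVERSIZED_RESPONSE[] =      /* claims far more than the buffer holds */
    "HTTP/1.1 200 OK\r\nContent-Length: 4096\r\n\r\nAAAA";
static const char TRUNCATED_RESPONSE[] =      /* claims more than was actually sent */
    "HTTP/1.1 200 OK\r\nContent-Length: 40\r\n\r\nshort body";
static const char NO_LENGTH_RESPONSE[] = "HTTP/1.1 200 OK\r\n\r\n";

/* Locate the body and parse Content-Length. Returns NULL on malformed headers. */
static const char *find_body(const char *resp, size_t resp_len, uint64_t *content_length)
{
    const char *hdr_end = NULL;
    for (size_t i = 0; i + 4 <= resp_len; i++)
        if (memcmp(resp + i, "\r\n\r\n", 4) == 0) { hdr_end = resp + i; break; }
    if (!hdr_end)
        return NULL;

    static const char key[] = "Content-Length:";
    const size_t klen = sizeof(key) - 1, hlen = (size_t)(hdr_end - resp);
    const char *p = NULL;
    for (size_t i = 0; i + klen <= hlen; i++)       /* header must start a line */
        if ((i == 0 || resp[i - 1] == '\n') && memcmp(resp + i, key, klen) == 0) {
            p = resp + i + klen;
            break;
        }
    if (!p)
        return NULL;

    while (p < hdr_end && *p == ' ')
        p++;
    uint64_t v = 0;
    int digits = 0;
    for (; p < hdr_end && *p >= '0' && *p <= '9'; p++, digits++) {
        if (v > (UINT64_MAX - 9) / 10)              /* reject integer overflow */
            return NULL;
        v = v * 10 + (uint64_t)(*p - '0');
    }
    if (digits == 0)
        return NULL;
    *content_length = v;
    return hdr_end + 4;
}

/* VULNERABLE pattern: the copy length comes straight from the attacker-
 * controlled header. On OVERSIZED_RESPONSE this memcpy would write 4096 bytes
 * into a 64-byte buffer (and read past the received data). Kept only for
 * contrast; it is never run on a hostile input here. */
static int receive_image_vulnerable(const char *resp, size_t resp_len, uint8_t *image_buf)
{
    uint64_t clen;
    const char *body = find_body(resp, resp_len, &clen);
    if (!body)
        return PARSE_BAD_HEADER;
    memcpy(image_buf, body, (size_t)clen);          /* BUG: no bound on clen */
    return PARSE_OK;
}

/* Byte count the vulnerable path would hand to memcpy, without copying,
 * so the overflow can be demonstrated safely. */
static uint64_t vulnerable_planned_copy(const char *resp, size_t resp_len)
{
    uint64_t clen = 0;
    return find_body(resp, resp_len, &clen) ? clen : 0;
}

/* HARDENED: check the declared length against the destination capacity and
 * against the bytes that actually arrived before touching memory. */
static int receive_image_hardened(const char *resp, size_t resp_len,
                                  uint8_t *image_buf, size_t buf_cap, size_t *out_len)
{
    uint64_t clen;
    const char *body = find_body(resp, resp_len, &clen);
    if (!body)
        return PARSE_BAD_HEADER;
    if (clen > buf_cap)
        return PARSE_TOO_LARGE;
    size_t available = resp_len - (size_t)(body - resp);
    if (clen > available)
        return PARSE_TRUNCATED;
    memcpy(image_buf, body, (size_t)clen);
    *out_len = (size_t)clen;
    return PARSE_OK;
}

/* Run the hardened parser against a fresh staging buffer and report the verdict. */
static int classify_response(const char *resp, size_t resp_len)
{
    uint8_t image_buf[IMAGE_BUF_SIZE];
    size_t n = 0;
    return receive_image_hardened(resp, resp_len, image_buf, sizeof image_buf, &n);
}

int main(void)
{
    uint8_t image_buf[IMAGE_BUF_SIZE];
    const char *names[] = { "benign", "oversized", "truncated", "no-length" };
    const char *resps[] = { BENIGN_RESPONSE, OVERSIZED_RESPONSE, TRUNCATED_RESPONSE, NO_LENGTH_RESPONSE };
    const size_t lens[] = { sizeof BENIGN_RESPONSE - 1, sizeof OVERSIZED_RESPONSE - 1,
                            sizeof TRUNCATED_RESPONSE - 1, sizeof NO_LENGTH_RESPONSE - 1 };
    for (int i = 0; i < 4; i++)
        printf("%-10s planned copy=%llu hardened status=%d\n", names[i],
               (unsigned long long)vulnerable_planned_copy(resps[i], lens[i]),
               classify_response(resps[i], lens[i]));
    /* The vulnerable path is exercised on the benign response only. */
    return receive_image_vulnerable(BENIGN_RESPONSE, sizeof BENIGN_RESPONSE - 1, image_buf);
}
```

The point of the contrast is that the declared Content-Length is data from the peer and must be validated twice: once against the destination buffer's capacity (the out-of-bounds write) and once against the bytes actually received (an out-of-bounds read of the receive buffer). A boot loader has no process isolation to fall back on, so either mistake is a full pre-OS compromise.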

The five other vulnerabilities fixed in shim 15.8 are listed below:

  • CVE-2023-40546 (CVSS score: 5.3) - Out-of-bounds read when printing error messages, resulting in a denial-of-service (DoS) condition
  • CVE-2023-40548 (CVSS score: 7.4) - Buffer overflow in shim when compiled for 32-bit processors that can lead to a crash or data integrity issues during the boot phase
  • CVE-2023-40549 (CVSS score: 5.5) - Out-of-bounds read in the Authenticode parsing function that could permit an attacker to trigger a DoS by providing a malformed binary
  • CVE-2023-40550 (CVSS score: 5.5) - Out-of-bounds read when validating Secure Boot Advanced Targeting (SBAT) information that could result in information disclosure
  • CVE-2023-40551 (CVSS score: 7.1) - Out-of-bounds read when parsing MZ binaries, leading to a crash or possible exposure of sensitive data

For Further Reference

https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html
