The maintainers of shim, the first-stage boot loader used on UEFI systems with Secure Boot enabled, have released version 15.8 to fix six security vulnerabilities. Among them is a critical bug that could enable remote code execution under certain conditions.
A Look into CVE-2023-40547
Tracked as CVE-2023-40547 with a CVSS score of 9.8, this critical vulnerability was discovered and reported by Bill Demirkapi of the Microsoft Security Response Center (MSRC) and opens the door to a Secure Boot bypass. Alan Coopersmith of Oracle noted that the flaw resides in shim's HTTP boot support, where processing an HTTP response yields a controlled out-of-bounds write primitive.
According to Demirkapi, this vulnerability spans across every Linux boot loader signed within the past decade, raising concerns over the widespread impact it may pose.
Eclypsium, a firmware security firm, further elaborated that the vulnerability originates from HTTP protocol handling, leading to an out-of-bounds write that could culminate in complete system compromise. In a hypothetical exploit scenario, adversaries could leverage this flaw to load a compromised shim boot loader, potentially enabling Man-in-the-Middle (MiTM) attacks on the network.
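The bug class Eclypsium describes (an out-of-bounds write while handling an HTTP response) typically arises when a receive buffer is sized from one untrusted value and then filled from another without re-checking the bound. The following C code is an added, constructed illustration of that pattern and of the check that prevents it; it is not shim's httpboot code, and the names, the 64 MiB cap and the return codes are assumptions made for the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not shim's implementation): a minimal HTTP boot
 * receive path in which the buffer is sized from the Content-Length header
 * and then filled chunk by chunk from the response body. Every value that
 * comes from the network is treated as untrusted. */

/* Largest boot image we are willing to allocate for (assumed limit). */
#define MAX_IMAGE_SIZE (64UL * 1024UL * 1024UL)

struct rx_buffer {
    uint8_t *data;    /* heap buffer sized from Content-Length */
    size_t capacity;  /* bytes allocated */
    size_t used;      /* bytes received so far */
};

/* Parse "Content-Length: <digits>" from a header block.
 * Returns -1 if the header is missing or is not a plain non-negative integer. */
long parse_content_length(const char *headers)
{
    const char *p = strstr(headers, "Content-Length:");
    if (p == NULL)
        return -1;
    p += strlen("Content-Length:");
    while (*p == ' ' || *p == '\t')
        p++;
    if (!isdigit((unsigned char)*p))  /* rejects "", "-5", "+5" (strtoul would accept a sign) */
        return -1;
    char *end = NULL;
    unsigned long v = strtoul(p, &end, 10);
    if (end == p || v > (unsigned long)LONG_MAX)
        return -1;
    return (long)v;
}

/* Allocate the receive buffer from the header value, capped at MAX_IMAGE_SIZE. */
int rx_buffer_init(struct rx_buffer *b, long content_length)
{
    if (content_length < 0 || (unsigned long)content_length > MAX_IMAGE_SIZE)
        return -1;
    b->capacity = (size_t)content_length;
    b->used = 0;
    b->data = malloc(b->capacity ? b->capacity : 1);
    return b->data ? 0 : -1;
}

/* Append one body chunk. The length check below is the step whose absence
 * turns a body longer than the announced Content-Length into an
 * out-of-bounds heap write; here the oversized chunk is rejected instead. */
int rx_buffer_append(struct rx_buffer *b, const uint8_t *chunk, size_t len)
{
    if (len > b->capacity - b->used)  /* remaining space; used <= capacity always holds */
        return -1;
    memcpy(b->data + b->used, chunk, len);
    b->used += len;
    return 0;
}

void rx_buffer_free(struct rx_buffer *b)
{
    free(b->data);
    b->data = NULL;
    b->capacity = b->used = 0;
}

/* Drive a whole download from constructed headers and body.
 * Returns 0 on success, -1 for a missing/invalid/oversized Content-Length,
 * -2 when the body would overrun the buffer, -3 when the body is short. */
int simulate_http_download(const char *headers, const uint8_t *body,
                           size_t body_len, size_t chunk_size)
{
    struct rx_buffer b;
    long cl = parse_content_length(headers);
    if (rx_buffer_init(&b, cl) != 0)
        return -1;
    int rc = 0;
    for (size_t off = 0; off < body_len; off += chunk_size) {
        size_t n = body_len - off < chunk_size ? body_len - off : chunk_size;
        if (rx_buffer_append(&b, body + off, n) != 0) {
            rc = -2;  /* more body than announced: refuse rather than overflow */
            break;
        }
    }
    if (rc == 0 && b.used != b.capacity)
        rc = -3;  /* truncated response: do not boot a partial image */
    rx_buffer_free(&b);
    return rc;
}
```

The defensive points are the ones a reviewer of any boot-path network code would look for: the announced size is range-checked before it drives an allocation, each copy is bounded by the space actually remaining rather than by the peer's claim, and a short response is treated as a failure rather than silently booting whatever arrived.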
Additional Shim Vulnerabilities Also Fixed
Apart from this critical bug, shim version 15.8 addresses five additional vulnerabilities:
- CVE-2023-40546 (CVSS score: 5.3): Out-of-bounds read causing denial-of-service (DoS) through error message printing.
- CVE-2023-40548 (CVSS score: 7.4): Buffer overflow in shim for 32-bit processors, leading to crashes or data integrity issues during boot.
- CVE-2023-40549 (CVSS score: 5.5): Out-of-bounds read in the Authenticode verification function, potentially triggering DoS via malformed binaries.
- CVE-2023-40550 (CVSS score: 5.5): Out-of-bounds read when validating Secure Boot Advanced Targeting (SBAT) information, risking information disclosure.
- CVE-2023-40551 (CVSS score: 7.1): Out-of-bounds read when parsing MZ binaries, leading to crashes or sensitive data exposure.
Eclypsium emphasized that exploiting these vulnerabilities grants attackers privileged access before the kernel loads, allowing them to bypass kernel and operating system controls effectively.
Major Linux distributions like Debian, Red Hat, SUSE, and Ubuntu have promptly released advisories regarding these security flaws, urging users to update their systems to the latest shim version to mitigate potential risks.