Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux Distros


Feb 07, 2024 | Newsroom | System Security / Vulnerability

Linux Bootloader Vulnerability

The maintainers of shim have released version 15.8 to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances.

Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been credited with discovering and reporting the bug.

Major Linux distributions that use shim, such as Debian, Red Hat, SUSE, and Ubuntu, have all released advisories for the security flaw.


“The shim’s http boot support (httpboot.c) trusts attacker-controlled values when parsing an HTTP response, leading to a fully controlled out-of-bounds write primitive,” Oracle’s Alan Coopersmith noted in a message shared on the Open Source Security mailing list oss-security.

Demirkapi, in a post shared on X (formerly Twitter) late last month, said the vulnerability “exists in every Linux boot loader signed in the past decade.”

shim refers to a “trivial” software package that is designed to work as a first-stage boot loader on Unified Extensible Firmware Interface (UEFI) systems.

Firmware security firm Eclypsium said CVE-2023-40547 “stems from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise.”

In a hypothetical attack scenario, a threat actor on the same network could leverage the flaw to load a vulnerable shim boot loader; alternatively, a local adversary with adequate privileges could manipulate data on the EFI partition.

“An attacker could perform a MiTM (Man-in-the-Middle) attack and intercept HTTP traffic between the victim and the HTTP server used to serve files to support HTTP boot,” the company added. “The attacker could be located on any network segment between the victim and the legitimate server.”

That said, obtaining the ability to execute code during the boot process, which occurs before the main operating system starts, grants the attacker carte blanche access to deploy stealthy bootkits that can give near-total control over the compromised host.


The five other vulnerabilities fixed in shim version 15.8 are listed below:

  • CVE-2023-40546 (CVSS score: 5.3) – Out-of-bounds read when printing error messages, resulting in a denial-of-service (DoS) condition
  • CVE-2023-40548 (CVSS score: 7.4) – Buffer overflow in shim when compiled for 32-bit processors that can lead to a crash or data integrity issues during the boot phase
  • CVE-2023-40549 (CVSS score: 5.5) – Out-of-bounds read in the authenticode function that could permit an attacker to trigger a DoS by providing a malformed binary
  • CVE-2023-40550 (CVSS score: 5.5) – Out-of-bounds read when validating Secure Boot Advanced Targeting (SBAT) information that could result in information disclosure
  • CVE-2023-40551 (CVSS score: 7.1) – Out-of-bounds read when parsing MZ binaries, leading to a crash or potential exposure of sensitive data

“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to bypass any controls implemented by the kernel and operating system,” Eclypsium noted.



