A critical vulnerability in Shim poses a threat to Linux distributions

A serious vulnerability has been discovered in the Shim boot loader that allows an attacker to execute code and take control of the target system before the kernel is loaded, bypassing the security mechanisms that would normally apply.

Shim is an open-source boot loader maintained by Red Hat and designed to provide Secure Boot support on UEFI systems. It is digitally signed by Microsoft with a key that is trusted by default on most UEFI firmware, and its job is to verify the next stage of the boot process (usually the GRUB2 boot loader).

Shim was created so that open-source projects, including the various Linux distributions, can take advantage of Secure Boot: unauthorized or malicious code is prevented from running during boot, while the user keeps control over the hardware.

The vulnerability is tracked as CVE-2023-40547 and was discovered by Microsoft researcher Bill Demirkapi, who publicly disclosed the issue on January 24, 2024.

The bug is in Shim's httpboot.c, the source file that implements booting a network image over HTTP.

When Shim fetches a file over HTTP, the code in httpboot.c allocates a buffer to hold the received data, and the size of that buffer is taken from the Content-Length header of the HTTP response. That header is set by the server, or by anyone who can tamper with the traffic, so it can be manipulated so that the allocated buffer is smaller than the data that actually arrives.

As a result, an attacker can write past the end of the buffer: an out-of-bounds write.
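To make the bug class concrete, here is an added example that models the httpboot.c pattern described above; it is not Shim's own code and does not come from the Shim maintainers or from Eclypsium. The receive buffer is sized from the Content-Length header, and the hardening is to check the length of every piece the HTTP driver hands over against the space left in that buffer before copying, and to reject a missing, negative, zero or oversized Content-Length. The function names, the hypothetical MAX_CONTENT_LENGTH cap, the HTTP response bytes and the chunked delivery are all assumptions constructed for the example.

```c
/* Added example, not Shim's own code: a model of the httpboot.c pattern the
 * article describes. The body buffer is sized from the server-supplied
 * Content-Length, so every copy into it must be bounded by the space left.
 * Names, response bytes and chunk sizes are constructed to run offline. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_CONTENT_LENGTH (64u * 1024u * 1024u) /* hypothetical sanity cap */

/* Find "Content-Length: N" in a NUL-terminated header block.
 * Returns 0 and stores N, or -1 if the header is absent or malformed. */
int parse_content_length(const char *headers, size_t *out)
{
    static const char name[] = "Content-Length:";
    const size_t nlen = sizeof(name) - 1;
    const char *p = headers;

    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);

        if (line_len > nlen && strncasecmp(p, name, nlen) == 0) {
            const char *v = p + nlen;
            char *end;
            unsigned long long n;

            while (*v == ' ')
                v++;
            if (*v == '-' || *v == '+')  /* strtoull silently accepts "-1" */
                return -1;
            errno = 0;
            n = strtoull(v, &end, 10);
            if (errno != 0 || end == v || (*end != '\r' && *end != '\0'))
                return -1;
            if (n == 0 || n > MAX_CONTENT_LENGTH)
                return -1;
            *out = (size_t)n;
            return 0;
        }
        if (eol == NULL)
            break;
        p = eol + 2;
    }
    return -1;
}

/* Receive body_len bytes, handed over by the driver in pieces of chunk_size,
 * into a buffer sized from Content-Length. Returns 0 (caller frees *buf),
 * -1 bad headers/allocation, -2 more body than announced, -3 less. */
int receive_body(const char *headers, const unsigned char *body,
                 size_t body_len, size_t chunk_size,
                 unsigned char **buf, size_t *buf_size)
{
    size_t downloaded = 0;
    int rc = 0;

    *buf = NULL;
    if (chunk_size == 0 || parse_content_length(headers, buf_size) != 0 ||
        (*buf = malloc(*buf_size)) == NULL)
        return -1;
    for (size_t off = 0; off < body_len; off += chunk_size) {
        size_t len = body_len - off < chunk_size ? body_len - off : chunk_size;

        /* Vulnerable pattern, for comparison only:
         *   memcpy(*buf + downloaded, body + off, len);
         * with no test of len against the space left in *buf. */
        if (len > *buf_size - downloaded) {
            rc = -2;   /* the overrun CVE-2023-40547 allowed; stop before copying */
            break;
        }
        memcpy(*buf + downloaded, body + off, len);
        downloaded += len;
    }
    if (rc == 0 && downloaded != *buf_size)
        rc = -3;       /* truncated transfer */
    if (rc != 0) {
        free(*buf);
        *buf = NULL;
    }
    return rc;
}

/* Status-only wrapper; -4 if a successful receive did not reproduce body. */
int run_scenario(const char *headers, const unsigned char *body,
                 size_t body_len, size_t chunk_size)
{
    unsigned char *buf;
    size_t buf_size;
    int rc = receive_body(headers, body, body_len, chunk_size, &buf, &buf_size);

    if (rc == 0 && (buf_size != body_len || memcmp(buf, body, body_len) != 0))
        rc = -4;
    free(buf);
    return rc;
}
```

With a constructed response whose header block announces Content-Length: 4 but whose body is 64 bytes delivered in 16-byte pieces, run_scenario returns -2 and nothing is written past the 4-byte allocation; the commented-out memcpy without the length test is the out-of-bounds write the advisory describes. The parser side matters as well: because the attacker controls the Content-Length field, it is rejected when absent, negative, zero or above the cap rather than being passed to the allocator as-is.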

Details of the defect were published in early February 2024, and this week Eclypsium released a report to draw more attention to the issue.

The researchers explain that the vulnerability lies in Shim's parsing of HTTP responses: an attacker who controls the HTTP server, or who can tamper with the traffic, can send a specially crafted HTTP response that triggers the out-of-bounds write. This lets the attacker run privileged code before the operating system boots, bypassing the security mechanisms that the kernel and operating system would otherwise enforce.

Eclypsium warns that CVE-2023-40547 can be exploited in several ways: locally, from an adjacent network, and fully remotely. A remote attacker could, for example, perform a man-in-the-middle attack and intercept and modify the HTTP traffic between the victim and the boot server. A local attacker with sufficient privileges to modify EFI variables or the EFI system partition could change the boot order so that a vulnerable Shim is loaded, and then execute privileged code without disabling Secure Boot.

Red Hat developers prepared a fix for CVE-2023-40547 back in December 2023, but every Linux distribution that supports Secure Boot and ships Shim must build and distribute its own fixed version.

Distributions including Debian, Red Hat, SUSE, and Ubuntu ship Shim and have already issued advisories for CVE-2023-40547. Linux users are strongly advised to update to the latest version of Shim (15.8), which fixes CVE-2023-40547 along with five other important security issues.

Eclypsium emphasizes that installing the patch alone is not enough: the vulnerable Shim binaries remain validly signed, so an attacker who can change the boot configuration can simply boot an old copy. The UEFI Secure Boot revocation list (DBX) must therefore be updated to include the hashes of the affected Shim versions, and the patched version must be signed with a valid Microsoft key. Some Linux distributions provide GUI tools to perform this update.

While widespread exploitation of this vulnerability is unlikely, it should not be neglected: code execution before the operating system boots is one of the most serious and hardest-to-detect forms of compromise.
