Critical shim bug impacts every Linux boot loader signed in the past decade

The maintainers of Shim addressed six vulnerabilities, including a critical flaw that could potentially lead to remote code execution.

The maintainers of ‘shim’ addressed six vulnerabilities with the release of version 15.8. The most severe of these vulnerabilities, tracked as CVE-2023-40547 (CVSS score: 9.8), can lead to remote code execution under specific circumstances.

The vulnerability CVE-2023-40547 is an RCE in http boot support that can lead to Secure Boot bypass

“A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.” reads the advisory.

shim is a small piece of code used by most Linux distributions in the boot process to support Secure Boot.

It is frequently employed when either the bootloader or the operating system kernel lacks a signature recognized by the UEFI firmware. The shim, signed with a key trusted by the firmware, enables the loading and execution of an unsigned bootloader or kernel.

The flaw was discovered by Bill Demirkapi of the Microsoft Security Response Center (MSRC).

“Discovered and reported by Bill Demirkapi at Microsoft’s Security Response Center, this particular vulnerability stems from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise.” reads the post published by Eclypsium.

Demirkapi warns that the vulnerability impacts every Linux boot loader signed in the past decade.

Researchers from Eclypsium illustrated the following attack scenarios:

An attacker could execute a Man-in-the-Middle (MiTM) attack to intercept HTTP traffic between the victim and the HTTP server while serving files in support of HTTP boot. This attack could be conducted from any network segment positioned between the victim and the legitimate server.

Additionally, an attacker with sufficient privileges can trigger the issue to manipulate data in the EFI Variables or on the EFI partition, achieved through a live Linux USB stick. The attacker can modify the boot order to load a remote and vulnerable shim on the system, enabling the execution of privileged code from the same remote server without disabling Secure Boot.

In a third attack path, an attacker on the same network can manipulate PXE to chain-load a vulnerable shim bootloader. Exploiting this vulnerability grants the attacker control over the system before the kernel is loaded, providing privileged access and the ability to bypass any controls implemented by the kernel and operating system.

“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to circumvent any controls implemented by the kernel and operating system.” states Eclypsium.

Below are the other vulnerabilities in shim fixed by the maintainers:

  • CVE-2023-40546 – Fixes a LogError() invocation (NULL pointer dereference).
  • CVE-2023-40548 – Fixes an integer overflow on SBAT section size on 32-bit systems (heap overflow).
  • CVE-2023-40549 – Fixes an out-of-bounds read when loading a PE binary.
  • CVE-2023-40550 – Fixes an out-of-bounds read when trying to validate the SBAT information.
  • CVE-2023-40551 – Fix bounds check for MZ binaries

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Shim)

文 » A