Shim maintainers have released version 15.8 to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances.
Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) was credited with discovering and reporting the bug.
“The shim’s http boot support (httpboot.c) trusts attacker-controlled values when parsing an HTTP response, leading to a fully controlled out-of-bounds write primitive,” Oracle’s Alan Coopersmith noted in a message shared on the Open Source Security mailing list OSS-security.
Demirkapi, in a send shared on X (formerly Twitter) late last month, it said the vulnerability “exists in every Linux boot loader signed in the last decade.”
shim refers to a “trivial” software package designed to function as a first-stage boot loader on Unified Extensible Firmware Interface (UEFI) systems.
Firmware security firm Eclypsium said CVE-2023-40547 “stems from handling of the HTTP protocol, leading to an out-of-bounds write that can lead to complete system compromise.”
In a hypothetical attack scenario, a threat actor on the same network could exploit the flaw to load a vulnerable shim boot loader or a local adversary with appropriate privileges to manipulate data on the EFI partition.
“An attacker could perform a Man-in-the-Middle (MiTM) attack and intercept HTTP traffic between the victim and the HTTP server used to serve files to support HTTP boot,” the company added. “The attacker could be on any network segment between the victim and the legitimate server.”
That said, gaining the ability to execute code during the boot process – which occurs before the main operating system boots – grants the attacker carte blanche to deploy stealthy bootkits that can give near-total control over the compromised host .
The other five vulnerabilities fixed in shim 15.8 are listed below:
- CVE-2023-40546 (CVSS Score: 5.3) – Read out of bounds when printing error messages, resulting in a denial of service (DoS) condition
- CVE-2023-40548 (CVSS Score: 7.4) – Buffer overflow in the shim when compiled for 32-bit processors which can lead to a crash or data integrity issues during the boot phase
- CVE-2023-40549 (CVSS Score: 5.5) – Out of bounds read in the authenticode function which could allow an attacker to trigger a denial of service by providing an invalid binary code
- CVE-2023-40550 (CVSS Score: 5.5) – Read out of bounds while validating Secure Boot Advanced Targeting (SBAT) information which may result in information disclosure
- CVE-2023-40551 (CVSS Score: 7.1) – Read out of bounds when parsing MZ binaries, resulting in crash or possible exposure of sensitive data
“An attacker who exploits this vulnerability gains control of the system before the kernel is loaded, meaning they have privileged access and the ability to bypass any controls implemented by the kernel and operating system,” Eclypsium noted.