Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Most Linux Systems Exposed to Complete Compromise via Shim Vulnerability 

A critical remote code execution vulnerability in Shim could allow attackers to take over vulnerable Linux systems.

CVE-2023-40547 Vulnerability

A critical vulnerability in Shim could allow a network attacker to bypass secure boot and take over a vulnerable Linux system.

Shim is a small application containing certificates and code to verify the bootloader, and is used by most Linux distributions during the boot process, to support secure boot.

Identified in Shim’s HTTP protocol handling, the vulnerability leads to an out-of-bounds write, which could be exploited for remote code execution.

The flaw is tracked as CVE-2023-40547 and, according to a NIST advisory, has a CVSS score of 9.8. Red Hat, however, assesses the bug as being ‘high severity’, with a CVSS score of 8.3.

“The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise,” Red Hat’s advisory reads.

An attacker could intercept the HTTP traffic between the victim system and the server delivering files to support the HTTP boot, supply chain risk management firm Eclypsium explains in a technical writeup.

“The attacker could be located on any network segment between the victim and the legitimate server,” the firm says.

A local attacker with enough privileges to modify EFI variables or EFI partition data, such as by using a live Linux USB drive, could change boot order to load a vulnerable shim and execute privileged code without disabling secure boot.

Advertisement. Scroll to continue reading.

According to Eclypsium, an attacker on the same network as the target system could manipulate PXE to chain-load a vulnerable Shim bootloader.

“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to circumvent any controls implemented by the kernel and operating system,” Eclypsium notes.

Resolving the vulnerability, the firm explains, requires not only updating Shim to a patched version, but also updating the secure boot chain of trust, by refreshing the UEFI Secure Boot DBX (revocation list).

Five other high- and medium-severity vulnerabilities in Shim were disclosed recently, leading to crashes, denial-of-service (DoS), or leakage of sensitive data during system boot.

Related: Critical Remote Code Execution Vulnerability Patched in Android

Related: GNU C Library Vulnerability Leads to Full Root Access

Related: One-Click GNOME Exploit Could Pose Serious Threat to Linux Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.