A critical vulnerability in Shim could allow a network attacker to bypass secure boot and take over a vulnerable Linux system.
Shim is a small application containing certificates and code to verify the bootloader, and is used by most Linux distributions during the boot process, to support secure boot.
Identified in Shim’s HTTP protocol handling, the vulnerability leads to an out-of-bounds write, which could be exploited for remote code execution.
The flaw is tracked as CVE-2023-40547 and, according to a NIST advisory, has a CVSS score of 9.8. Red Hat, however, assesses the bug as being ‘high severity’, with a CVSS score of 8.3.
“The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise,” Red Hat’s advisory reads.
An attacker could intercept the HTTP traffic between the victim system and the server delivering files to support the HTTP boot, supply chain risk management firm Eclypsium explains in a technical writeup.
“The attacker could be located on any network segment between the victim and the legitimate server,” the firm says.
A local attacker with enough privileges to modify EFI variables or EFI partition data, such as by using a live Linux USB drive, could change boot order to load a vulnerable shim and execute privileged code without disabling secure boot.
According to Eclypsium, an attacker on the same network as the target system could manipulate PXE to chain-load a vulnerable Shim bootloader.
“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to circumvent any controls implemented by the kernel and operating system,” Eclypsium notes.
Resolving the vulnerability, the firm explains, requires not only updating Shim to a patched version, but also updating the secure boot chain of trust, by refreshing the UEFI Secure Boot DBX (revocation list).
Five other high- and medium-severity vulnerabilities in Shim were disclosed recently, leading to crashes, denial-of-service (DoS), or leakage of sensitive data during system boot.
Related: Critical Remote Code Execution Vulnerability Patched in Android
Related: GNU C Library Vulnerability Leads to Full Root Access
Related: One-Click GNOME Exploit Could Pose Serious Threat to Linux Systems
