Tuesday, July 2, 2024

Critical Bootloader Vulnerability in Shim Impacts Nearly All Linux Distros

Feb 07, 2024 | Newsroom | System Security / Vulnerability


The maintainers of shim have released version 15.8 to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances.

Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been credited with discovering and reporting the bug.

"The shim's http boot support (httpboot.c) trusts attacker-controlled values when parsing an HTTP response, leading to a fully controlled out-of-bounds write primitive," Oracle's Alan Coopersmith noted in a message shared on the Open Source Security mailing list oss-security.
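The defensive principle behind that quote is that a length taken from an HTTP response is attacker-controlled until it has been checked. The following C routine is an added illustration, not shim's code and not the actual httpboot.c defect (whose details the page does not give): it treats a Content-Length value as untrusted and validates it against both the destination capacity and the bytes actually received before copying. The names `parse_content_length`, `copy_body_checked`, the `BODY_CAP` constant and the sample body are constructed for this example.

```c
/*
 * Added example, not shim's code: handle an HTTP Content-Length value as
 * untrusted input. The declared size is validated against the destination
 * capacity and the bytes actually received before any copy takes place,
 * so a hostile or malformed header can only cause a rejection, never an
 * out-of-bounds write. BODY_CAP, the function names and the sample body
 * are constructed for this illustration.
 */
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BODY_CAP 4096                        /* destination buffer size (assumed) */

static uint8_t g_dst[BODY_CAP];              /* destination buffer */
static const uint8_t g_body[] = "0123456789ABCDEF"; /* constructed 16-byte body */

/* Parse a decimal Content-Length. Rejects signs, whitespace, empty input and
 * values that would overflow size_t. Returns 0 on success, -1 otherwise. */
static int parse_content_length(const char *s, size_t *out)
{
    if (s == NULL || *s == '\0')
        return -1;
    size_t v = 0;
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s))
            return -1;                       /* "-1", " 10", "10 " all rejected */
        unsigned d = (unsigned)(*s - '0');
        if (v > (SIZE_MAX - d) / 10)
            return -1;                       /* v * 10 + d would wrap around */
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* Copy the body into dst only after the declared length passes every check.
 * The unsafe pattern this replaces is memcpy(dst, received, declared) with
 * declared taken straight from the header. Returns bytes copied, or -1. */
long copy_body_checked(const char *content_length, const uint8_t *received,
                       size_t received_len, uint8_t *dst, size_t dst_cap)
{
    size_t declared;
    if (parse_content_length(content_length, &declared) != 0)
        return -1;
    if (declared > dst_cap)
        return -1;                           /* would write past the buffer */
    if (declared > received_len)
        return -1;                           /* header promises more than arrived */
    if (declared > (size_t)LONG_MAX)
        return -1;                           /* cannot be reported as a long */
    if (declared == 0)
        return 0;                            /* nothing to copy; avoid memcpy on NULL */
    memcpy(dst, received, declared);
    return (long)declared;
}

int main(void)
{
    const char *cases[] = { "10", "5000", "20", "-1", "18446744073709551616", "" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long n = copy_body_checked(cases[i], g_body, 16, g_dst, sizeof g_dst);
        printf("Content-Length \"%s\": %s\n", cases[i], n < 0 ? "rejected" : "copied");
    }
    return 0;
}
```

The point to take from the checks is their order: the header value is parsed with overflow detection, compared against the buffer, and compared against what was actually received, all before the first byte is written. Any one of those checks missing is enough for a server-supplied number to steer a write past the buffer.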


Demirkapi, in a post shared on X (formerly Twitter) late last month, said the vulnerability "exists in every Linux boot loader signed in the past decade."

shim refers to a "trivial" software package that's designed to work as a first-stage boot loader on Unified Extensible Firmware Interface (UEFI) systems.

Firmware security firm Eclypsium said CVE-2023-40547 "stems from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise."

In a hypothetical attack scenario, a threat actor on the same network could leverage the flaw to load a vulnerable shim boot loader; alternatively, a local adversary with sufficient privileges could manipulate data on the EFI partition.

"An attacker could perform a MiTM (Man-in-the-Middle) attack and intercept HTTP traffic between the victim and the HTTP server used to serve files to support HTTP boot," the company added. "The attacker could be located on any network segment between the victim and the legitimate server."

That said, obtaining the ability to execute code during the boot process – which occurs before the main operating system starts – grants the attacker carte blanche access to deploy stealthy bootkits that can give near-total control over the compromised host.


The five other vulnerabilities fixed in shim version 15.8 are below –

  • CVE-2023-40546 (CVSS score: 5.3) – Out-of-bounds read when printing error messages, resulting in a denial-of-service (DoS) condition
  • CVE-2023-40548 (CVSS score: 7.4) – Buffer overflow in shim when compiled for 32-bit processors that can lead to a crash or data integrity issues during the boot phase
  • CVE-2023-40549 (CVSS score: 5.5) – Out-of-bounds read in the authenticode function that could permit an attacker to trigger a DoS by providing a malformed binary
  • CVE-2023-40550 (CVSS score: 5.5) – Out-of-bounds read when validating Secure Boot Advanced Targeting (SBAT) information that could result in information disclosure
  • CVE-2023-40551 (CVSS score: 7.1) – Out-of-bounds read when parsing MZ binaries, leading to a crash or possible exposure of sensitive data

"An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to bypass any controls implemented by the kernel and operating system," Eclypsium noted.
