Qualys Security Advisory
Shim is a crucial software most Linux distributions use in the boot process to support Secure Boot. At the start of the month, Bill Demirkapi of the Microsoft Security Response Center (MSRC) discovered a critical severity vulnerability impacting the software. Tracked as CVE-2023-40547, the vulnerability could lead to remote code execution, crash, denial of service, and exposure of sensitive data under specific circumstances.
Shim has also addressed five vulnerabilities with the latest version.
- CVE-2023-40546 – An out-of-bounds read vulnerability when printing error messages. Successful exploitation of the vulnerability may result in a denial-of-service (DoS) condition.
- CVE-2023-40548 – A buffer overflow vulnerability in shim when compiled for 32-bit processors. Successful exploitation may lead to a crash or data integrity issues during the boot phase.
- CVE-2023-40549 – An out-of-bounds read vulnerability in the authenticode function. An attacker may exploit the vulnerability to trigger a DoS condition by providing a malformed binary.
- CVE-2023-40550 – An out-of-bounds read vulnerability when validating Secure Boot Advanced Targeting (SBAT) information that could result in information disclosure.
- CVE-2023-40551 – An out-of-bounds read vulnerability when parsing MZ binaries, leading to a crash or possible exposure of sensitive data.
Shim is the bridge between modern PCs and servers’ Unified Extensible Firmware Interface (UEFI) Secure Boot and Linux. Shim contains the vendor’s certificate and code that verifies and runs the bootloader (typically GRUB2). The vendor’s shim is verified using the Microsoft 3rd Party UEFI CA, and then the shim loads and verifies the GRUB2 bootloader using the vendor certificate embedded inside itself.
Vulnerability Details (CVE-2023-40547)
The vulnerability originates from HTTP protocol handling.
There are a few ways in which an attacker may exploit the vulnerability:
- Using a Man-in-the-Middle (MitM) attack, an attacker might intercept HTTP traffic going back and forth between the victim and the HTTP server serving files to enable HTTP boot. The attacker could be between the victim and the authentic server on any network segment.
- A local attacker with enough privileges may exploit the vulnerability to manipulate data in the EFI Variables or the EFI partition.
- An attacker on the same network as the victim can manipulate PXE to chain-load a vulnerable shim bootloader.
The vulnerabilities affect all Linux distributions that support Secure Boot.
Customers are advised to upgrade to Shim version 15.8 or later to patch the vulnerabilities.
Please refer to the GitHub Advisory for more information.
Qualys customers can scan their devices with QID 379359 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.