The maintainers of shim have introduced version 15.8 to tackle 6 security flaws, including a critical bug that could pave the way for remote code execution under particular instances.
Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to accomplish a Safe Boot bypass. Invoice Demirkapi of the Microsoft Security Reaction Center (MSRC) has been credited with discovering and reporting the bug.
“The shim’s http boot help (httpboot.c) trusts attacker-controlled values when parsing an HTTP reaction, foremost to a totally managed out-of-bounds compose primitive,” Oracle’s Alan Coopersmith famous in a message shared on the Open up Resource Security mailing checklist oss-security.
Demirkapi, in a submit shared on X (formerly Twitter) late very last month, mentioned the vulnerability “exists in each and every Linux boot loader signed in the previous ten years.”
shim refers to a “trivial” software deal that’s created to operate as a first-phase boot loader on Unified Extensible Firmware Interface (UEFI) systems.
Firmware security company Eclypsium mentioned CVE-2023-40547 “stems from HTTP protocol dealing with, foremost to an out-of-bounds create that can guide to total procedure compromise.”
In a hypothetical attack scenario, a threat actor on the exact network could leverage the flaw to load a vulnerable shim boot loader, or by a community adversary with adequate privileges to manipulate details on the EFI partition.
“An attacker could complete a MiTM (Male-in-the-Middle) attack and intercept HTTP targeted traffic concerning the victim and the HTTP server applied to serve documents to support HTTP boot,” the company included. “The attacker could be located on any network phase between the victim and the legitimate server.”
That said, obtaining the means to execute code for the duration of the boot method – which takes place in advance of the most important operating program starts off – grants the attacker carte blanche access to deploy stealthy bootkits that can give around-whole control about the compromised host.
The 5 other vulnerabilities fixed in shim variation 15.8 are under –
- CVE-2023-40546 (CVSS rating: 5.3) – Out-of-bounds examine when printing error messages, resulting in a denial-of-support (DoS) problem
- CVE-2023-40548 (CVSS score: 7.4) – Buffer overflow in shim when compiled for 32-bit processors that can guide to a crash or knowledge integrity issues in the course of the boot period
- CVE-2023-40549 (CVSS score: 5.5) – Out-of-bounds examine in the authenticode operate that could permit an attacker to trigger a DoS by supplying a malformed binary
- CVE-2023-40550 (CVSS rating: 5.5) – Out-of-bounds study when validating Safe Boot Innovative Focusing on (SBAT) details that could outcome in details disclosure
- CVE-2023-40551 (CVSS rating: 7.1) – Out-of-bounds go through when parsing MZ binaries, main to a crash or doable publicity of delicate data
“An attacker exploiting this vulnerability gains manage of the technique right before the kernel is loaded, which signifies they have privileged access and the means to circumvent any controls applied by the kernel and operating procedure,” Eclypsium pointed out.
Located this short article intriguing? Adhere to us on Twitter and LinkedIn to read extra distinctive content we write-up.
Some elements of this post are sourced from: