Critical Shim Bootloader Flaw Leaves All Linux Distro Vulnerable

A critical vulnerability in the Shim Linux bootloader has been discovered, enabling attackers to execute code and take control of a target system before the kernel is loaded, bypassing existing security mechanisms. 

The flaw, tracked as CVE-2023-40547, affects Shim, a small open-source bootloader maintained by Red Hat, designed to facilitate the Secure Boot process on computers using Unified Extensible Firmware Interface (UEFI).

Shim was created to allow open-source projects such as Linux distributions to benefit from Secure Boot's advantages while maintaining control over hardware. However, the recently discovered flaw in Shim's parsing of HTTP responses allows an attacker to create specially crafted HTTP requests to cause an out-of-bounds write, potentially compromising a system by executing privileged code before the operating system loads.

The vulnerability was discovered by Microsoft's security researcher Bill Demirkapi, who first disclosed it on January 24, 2024. More details about the flaw became available on February 2, 2024, with Eclypsium publishing a report to draw attention to this security problem.

According to Eclypsium, multiple potential exploitation paths can leverage CVE-2023-40547, including local, network adjacent, and remote attack points. The report highlights three potential methods:

• Remote Attack: A remote attacker can execute a man-in-the-middle (MiTM) attack, intercepting HTTP traffic for HTTP boot, potentially from any network position between the victim and the server.
• Local Attack: A local attacker with sufficient privileges can modify EFI Variables or the EFI partition using a live Linux USB to alter the boot order and load a compromised shim, executing privileged code without disabling Secure Boot.
• Network Attack: An attacker on the same network can use PXE to load a compromised shim bootloader, exploiting the vulnerability.

The impact of this vulnerability is significant, as executing code before OS boot is one of the strongest and stealthiest forms of system compromise. RedHat issued a code commit to fix CVE-2023-40547 on December 5, 2023, but Linux distributions supporting Secure Boot and using Shim need to push their own patches.

Linux distributions that utilize Shim, such as Red Hat, Debian, Ubuntu, and SUSE, have released advisories with information on the flaw. Linux users are advised to update to the latest version of Shim, v15.8, which contains a fix for CVE-2023-40547 and five other important vulnerabilities.

Eclypsium explains that Linux users must also update the UEFI Secure Boot DBX (revocation list) to include the hashes of the vulnerable Shim software and sign the patched version with a valid Microsoft key. To do that, first, upgrade to Shim 15.8 and then apply the DBX update using the 'fwupdmgr update' command (needs fwupd). Some Linux distributions offer a GUI tool to perform this update, so make sure to check on your package manager before delving into the terminal.

fwupdmgr update (image:Eclypsium)

The five other vulnerabilities fixed in shim version 15.8 are:

• CVE-2023-40546 (CVSS score: 5.3) - Out-of-bounds read when printing error messages, resulting in a denial-of-service (DoS) condition
• CVE-2023-40548 (CVSS score: 7.4) - Buffer overflow in shim when compiled for 32-bit processors that can lead to a crash or data integrity issues during the boot phase
• CVE-2023-40549 (CVSS score: 5.5) - Out-of-bounds read in the Authenticode function that could permit an attacker to trigger a DoS by providing a malformed binary
• CVE-2023-40550 (CVSS score: 5.5) - Out-of-bounds read when validating Secure Boot Advanced Targeting (SBAT) information that could result in information disclosure
• CVE-2023-40551 (CVSS score: 7.1) - Out-of-bounds read when parsing MZ binaries, leading to a crash or possible exposure of sensitive data

While the vulnerability is unlikely to be mass-exploited, it should not be ignored, as executing code before OS boot is one of the strongest and stealthiest forms of system compromise.

Linux users are strongly advised to update their systems to the latest version of Shim and apply the necessary UEFI Secure Boot DBX updates to mitigate the risk posed by this critical vulnerability.