Most Linux Systems Exposed to Complete Compromise via Shim Vulnerability
A critical vulnerability in Shim could allow a network attacker to bypass secure boot and take over a vulnerable Linux system.
Shim is a small application containing certificates and code to verify the bootloader, and is used by most Linux distributions during the boot process, to support secure boot.
Identified in Shim’s HTTP protocol handling, the vulnerability leads to an out-of-bounds write, which could be exploited for remote code execution.
The flaw is tracked as CVE-2023-40547 and, according to a NIST advisory, has a CVSS score of 9.8. Red Hat, however, assesses the bug as being ‘high severity’, with a CVSS score of 8.3.
“The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise,” Red Hat’s advisory reads.
An attacker could intercept the HTTP traffic between the victim system and the server delivering files to support the HTTP boot, supply chain risk management firm Eclypsium explains in a technical writeup.
“The attacker could be located on any network segment between the victim and the legitimate server,” the firm says.
A local attacker with enough privileges to modify EFI variables or EFI partition data, such as by using a live Linux USB drive, could change boot order to load a vulnerable shim and execute privileged code without disabling secure boot.
According to Eclypsium, an attacker on the same network as the target system could manipulate PXE to chain-load a vulnerable Shim bootloader.
“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to circumvent any controls implemented by the kernel and operating system,” Eclypsium notes.
Resolving the vulnerability, the firm explains, requires not only updating Shim to a patched version, but also updating the secure boot chain of trust, by refreshing the UEFI Secure Boot DBX (revocation list).
Five other high- and medium-severity vulnerabilities in Shim were disclosed recently, leading to crashes, denial-of-service (DoS), or leakage of sensitive data during system boot.
Share This Story, Choose Your Platform!
About the Author: Patriotman
2 Comments
Comments are closed.
GUNS N GEAR
The vast majority (+/- 95%) of Linux distros do not want, or need to use secure boot. The primary users of secure boot is in the business and government sector. Secure boot receives updates from vendors, primarily Microsoft. But others can update secure boot, and therefore your BIOS like Canonical (Unbuntu), RHEL (Fedora) and potentially others.
The whole concept and need for the Secure Boot and other BIOS security firmware is highly contested. If you want a a little more insight into Secure boot, I strongly suggest Reading this Q and A from Stackexchange. https://security.stackexchange.com/questions/271450/what-does-secure-boot-protect-against
Knowledge is power.
The real truth is, 95% of all Linux distros do not need, accept or recommend the use of Secure Boot at this time. The main distros that will use it right out of the box are, openSUSE, Canonical (Unbuntu) and RHEL (Fedora). However these are all Corporate back or developed distros. So no big surprise there.
If you really want / need secure boot, there are instructions on various distribution’s blogs and/or wiki’s on how to activate it with a specific distro.