Title: Critical Vulnerabilities Found in Shim Bootloader Pose Serious Threat to Linux Distributions
Introduction:
Shim is a small, signed first-stage bootloader that most Linux distributions (and a number of third-party vendors) use under UEFI Secure Boot to verify and launch the GRUB2 bootloader. A newly disclosed flaw in shim's HTTP boot support, tracked as CVE-2023-40547 and rated CVSS 9.8 (Critical), is an out-of-bounds write that occurs while shim parses an HTTP response: the code trusts attacker-controlled values in the response, so a crafted response can corrupt memory and lead to complete compromise of the machine before the operating system has even loaded.
Details of the Vulnerabilities:
Five further vulnerabilities were fixed alongside the critical one, with varying severity levels:
1. CVE-2023-40546 – LogError() invocation leads to NULL pointer dereference. Severity – 6.2 (Medium).
2. CVE-2023-40548 – Integer overflow when computing the SBAT section size, primarily affecting 32-bit systems, resulting in a heap overflow. Severity – 7.4 (High).
3. CVE-2023-40549 – Out-of-bounds read when loading a PE binary. Severity – 6.2 (Medium).
4. CVE-2023-40550 – Out-of-bounds read when validating the SBAT information. Severity – 5.5 (Medium).
5. CVE-2023-40551 – Out-of-bounds read when parsing MZ binaries. Severity – 5.1 (Medium).
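The 32-bit size overflow in item 2, and the SBAT generation check that the overflowing code exists to serve, as an added illustration in C. This is not shim's code: the loader, the section layout, the sample SBAT text and the two policies are constructed for the example, and the SbatLevel-style policy comparison is simplified to the first two CSV fields of each line. Sizes are kept in uint32_t to mimic a 32-bit build, where the careless "size plus one for the terminator" computation wraps to zero for a section size of 0xFFFFFFFF.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not shim's code. A toy loader takes the SBAT section
 * size from an attacker-controlled section header, copies the section into a
 * NUL-terminated heap buffer, parses "component,generation,..." lines and
 * compares them with a revocation policy. uint32_t mimics a 32-bit build. */

#define MAX_ENTRIES 16

struct sbat_entry { char component[32]; uint32_t generation; };

/* Constructed SBAT section in the real CSV layout; it carries shim generation 3. */
const char SAMPLE_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n";

/* Constructed policies (hypothetical, not the contents of a real SbatLevel). */
const struct sbat_entry POLICY_MIN_SHIM2[] = { {"sbat", 1}, {"shim", 2} };
const struct sbat_entry POLICY_MIN_SHIM4[] = { {"sbat", 1}, {"shim", 4} };

/* Allocation length as a careless 32-bit loader computes it: size plus one
 * for the terminator. For section_size == 0xFFFFFFFF this wraps to 0, so the
 * allocation is tiny and the copy that follows runs off the end of it. */
uint32_t sbat_alloc_len_unchecked(uint32_t section_size)
{
    return section_size + 1u;
}

/* Hardened: returns 0 (never a valid length) if the addition would wrap or
 * the header claims more bytes than the image actually contains. */
uint32_t sbat_alloc_len_checked(uint32_t section_size, uint32_t image_remaining)
{
    if (section_size > UINT32_MAX - 1u) return 0;   /* section_size + 1 wraps */
    if (section_size > image_remaining) return 0;   /* claims more than the file holds */
    return section_size + 1u;
}

/* Parse the first two CSV fields of each line. Returns the entry count or -1
 * on malformed input (missing comma, empty or oversized name, bad number). */
int sbat_parse(const char *csv, struct sbat_entry *out, int max)
{
    int n = 0;
    const char *p = csv;
    while (*p && n < max) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *comma = memchr(p, ',', linelen);
        if (!comma) return -1;
        size_t clen = (size_t)(comma - p);
        if (clen == 0 || clen >= sizeof out[n].component) return -1;
        memcpy(out[n].component, p, clen);
        out[n].component[clen] = '\0';
        char *end;
        unsigned long gen = strtoul(comma + 1, &end, 10);
        if (end == comma + 1 || (*end != ',' && *end != '\n' && *end != '\0'))
            return -1;
        out[n].generation = (uint32_t)gen;
        n++;
        p = eol ? eol + 1 : p + linelen;
    }
    return n;
}

/* A binary is revoked if any component it carries is listed in the policy
 * with a higher minimum generation than the one the binary declares. */
bool sbat_allowed(const struct sbat_entry *bin, int nbin,
                  const struct sbat_entry *policy, int npol)
{
    for (int i = 0; i < nbin; i++)
        for (int j = 0; j < npol; j++)
            if (strcmp(bin[i].component, policy[j].component) == 0 &&
                bin[i].generation < policy[j].generation)
                return false;
    return true;
}

/* Copy the section out of the image with the hardened size check, then parse
 * and evaluate it. Returns 1 allowed, 0 revoked, -1 on rejected size or bad CSV. */
int sbat_check_image(const uint8_t *image, uint32_t image_len,
                     uint32_t section_off, uint32_t section_size,
                     const struct sbat_entry *policy, int npol)
{
    if (section_off > image_len) return -1;
    uint32_t alloc_len = sbat_alloc_len_checked(section_size, image_len - section_off);
    if (alloc_len == 0) return -1;
    char *buf = malloc(alloc_len);
    if (!buf) return -1;
    memcpy(buf, image + section_off, section_size);
    buf[section_size] = '\0';
    struct sbat_entry entries[MAX_ENTRIES];
    int n = sbat_parse(buf, entries, MAX_ENTRIES);
    free(buf);
    if (n < 0) return -1;
    return sbat_allowed(entries, n, policy, npol) ? 1 : 0;
}

/* Evaluate the constructed sample section against a policy. */
int sbat_check_sample(const struct sbat_entry *policy, int npol)
{
    uint32_t len = (uint32_t)strlen(SAMPLE_SBAT);
    return sbat_check_image((const uint8_t *)SAMPLE_SBAT, len, 0, len, policy, npol);
}
```

The two policies show why the revocation side matters as much as the fix: the sample binary passes a policy that requires shim generation 2 and is refused by one that requires generation 4, which is exactly how an older, still-signed shim gets locked out once the platform's SBAT level is raised. The unchecked length function is kept only to make the wraparound visible; the checked variant is the one a loader should use.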
Potential Exploitation Scenarios:
According to Eclypsium, which analyzed the flaws, three attack vectors could be used to exploit them:
1. Attack Vector 1: Man-in-the-Middle (MitM) attack. A threat actor positioned on any network segment between the victim and the HTTP server that serves the HTTP boot files can intercept the traffic and substitute a malicious response. Because the flaw lies in how shim parses the response, the legitimate server does not need to be compromised.
2. Attack Vector 2: Manipulation of EFI variables. An attacker who already has enough privilege to write EFI variables or the EFI system partition (for example, after booting the machine from a live Linux USB stick) can change the boot order so that a vulnerable shim version is loaded, for instance from a remote server. That shim then runs attacker-controlled code before the kernel, and Secure Boot never has to be disabled because the older shim is still validly signed.
3. Attack Vector 3: Exploiting PXE (Preboot Execution Environment). A threat actor on the local network can manipulate the PXE boot process so that a vulnerable shim is chain-loaded, giving them control of the system. Because this happens before the kernel is loaded, the attacker runs with firmware-level privilege and can bypass controls that the kernel and operating system would otherwise enforce.
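The response-parsing weakness that the MitM and PXE vectors above rely on, as an added illustration in C. This is not shim's httpboot code: the receiver, the header parser, the response text and the chunk sizes are all constructed for the example. The buffer is sized from the Content-Length header, after which body chunks are appended; since a MitM or a malicious server controls both the header and the chunks, an unchecked append lets the attacker write past the allocation. The download is run inside one fixed arena with a sentinel placed right after the buffer, so the effect of the unchecked path can be observed without crashing the process.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not shim's httpboot code. A toy HTTP boot receiver
 * sizes its buffer from Content-Length and appends body chunks as they
 * arrive; both the header and the chunks come from the network. */

struct download {
    uint8_t *buf;   /* storage sized from Content-Length */
    size_t   cap;   /* bytes the buffer can hold */
    size_t   len;   /* bytes received so far */
};

/* Extract Content-Length from a constructed response header block.
 * Returns false if the header is missing or carries no digits. */
bool parse_content_length(const char *headers, size_t *out)
{
    static const char key[] = "Content-Length:";
    const char *h = strstr(headers, key);
    if (!h) return false;
    const char *digits = h + sizeof key - 1;
    while (*digits == ' ') digits++;
    char *end;
    unsigned long v = strtoul(digits, &end, 10);
    if (end == digits) return false;
    *out = (size_t)v;
    return true;
}

/* Vulnerable pattern: every chunk is appended at buf+len without comparing
 * against cap, so a body longer than the advertised Content-Length writes
 * past the allocation into whatever object follows it. */
void append_chunk_unchecked(struct download *d, const uint8_t *chunk, size_t n)
{
    memcpy(d->buf + d->len, chunk, n);
    d->len += n;
}

/* Hardened pattern: a chunk that would exceed the advertised length is
 * rejected and the caller abandons the download. */
bool append_chunk_checked(struct download *d, const uint8_t *chunk, size_t n)
{
    if (n > d->cap - d->len) return false;
    memcpy(d->buf + d->len, chunk, n);
    d->len += n;
    return true;
}

/* Run one constructed download. The buffer occupies arena[0..cap) and a
 * sentinel, standing in for the next heap object, occupies arena[cap..cap+16).
 * The 64-byte arena is large enough that the unchecked overwrite stays inside
 * one object, which keeps the demonstration from crashing.
 * Returns 1 if the sentinel survived and the body matched Content-Length,
 * 0 if the sentinel was overwritten, -1 if a chunk was rejected or the body
 * length did not match the header. */
int run_download(bool checked, bool server_overshoots)
{
    /* Constructed response: the server advertises 16 bytes, then sends 16,
     * and an extra 8 if it is misbehaving. */
    const char *headers = "HTTP/1.1 200 OK\r\nContent-Length: 16\r\n\r\n";
    uint8_t chunk1[16], chunk2[8], arena[64];
    memset(chunk1, 'A', sizeof chunk1);
    memset(chunk2, 'B', sizeof chunk2);
    size_t content_length;
    if (!parse_content_length(headers, &content_length)) return -1;
    struct download d = { arena, content_length, 0 };
    memset(arena + content_length, 0xAA, 16);   /* sentinel */
    if (checked) {
        if (!append_chunk_checked(&d, chunk1, sizeof chunk1)) return -1;
        if (server_overshoots && !append_chunk_checked(&d, chunk2, sizeof chunk2))
            return -1;
    } else {
        append_chunk_unchecked(&d, chunk1, sizeof chunk1);
        if (server_overshoots) append_chunk_unchecked(&d, chunk2, sizeof chunk2);
    }
    for (size_t i = 0; i < 16; i++)
        if (arena[content_length + i] != 0xAA) return 0;   /* corrupted neighbour */
    if (d.len != content_length) return -1;                /* short body is also an error */
    return 1;
}
```

The checked variant rejects the surplus chunk and, at the end, also rejects a body shorter than the header promised; a loader that silently accepts either is trusting the peer for memory-safety decisions it should be making itself.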
Conclusion:
The discovery of critical vulnerabilities in the shim bootloader, which most Linux distributions rely on for Secure Boot support, poses a serious threat to these systems. Users and administrators should update to shim 15.8, which contains the fixes, and apply the accompanying SBAT revocation update published by their distribution so that older, still-signed shim binaries can no longer be booted; without that revocation, the attack vectors above remain open to anyone who can point the firmware at a vulnerable shim.