A vulnerability was detected in Shim that allows UEFI Secure Boot to be bypassed


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise compromise the affected system.

Recently the news broke that a remote code execution vulnerability was discovered in shim, the first-stage boot loader layer used by most Linux distributions for verified boot under UEFI Secure Boot.

The vulnerability, already cataloged as "CVE-2023-40547" and rated 8.3 on the CVSS scale, poses significant risks, including the possibility of remote code execution and a bypass of the Linux Secure Boot chain.

The vulnerability lies in a defect in the code that downloads files over HTTP, which allows malformed responses from the HTTP server contacted by shim to be processed without adequate validation. An attacker who controls that HTTP server can return a crafted response that results in an out-of-bounds write whose size and contents the attacker controls, and from there in code execution during the earliest stage of the boot process, before the kernel or any of its protections are loaded.

The essence of the vulnerability lies in shim's HTTPBoot support, which downloads files over HTTP in order to fetch the next-stage loader image that shim hands control to in the following step of the boot process.

When downloading a file over HTTP, shim allocates a buffer for the received data based on the size declared in the "Content-Length" HTTP header. The problem is that this server-supplied value is trusted: if the header declares a size smaller than the body that actually follows, the tail of the response is written past the end of the allocated buffer, and since the attacker chooses both the header and the body, both the length and the contents of that out-of-bounds write are under their control. Note that exploitation therefore requires the target machine to boot over HTTP from a server the attacker controls or can intercept; a machine that never uses HTTPBoot does not process this code path.
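The following is an added example, not code from shim or from the original article, that models the receive pattern described above in plain C: a vulnerable receiver that sizes its buffer from Content-Length and then copies whatever the server sends, beside a hardened one that treats the declared length as a hard limit. The sample responses, the chunk size and the arena with a canary behind the "allocated" buffer are all constructed for the demo so that it runs offline and within memory it owns; the real shim code had no such arena and simply wrote into whatever followed the buffer in the firmware heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE  256   /* backing store standing in for the firmware heap   */
#define CANARY_SIZE 16    /* bytes placed immediately after the sized buffer   */
#define CANARY_BYTE 0xA5
#define CHUNK       4     /* bytes the simulated server hands over per receive */

/* All "allocations" below live inside this arena so the demo never touches
 * memory it does not own, while still showing the overflow (hypothetical). */
static unsigned char arena[ARENA_SIZE];

/* Constructed sample responses, not captured shim traffic. The malicious one
 * declares 8 bytes but delivers 24. */
const char HONEST_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 16\r\n\r\n0123456789abcdef";
const char MALICIOUS_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\n0123456789abcdefXXXXXXXX";

/* Find the body and parse Content-Length. Returns the declared length, or -1
 * for a response with no header block or no Content-Length. */
static long parse_headers(const char *resp, const char **body, size_t *body_len)
{
    const char *hdr_end = strstr(resp, "\r\n\r\n");
    const char *cl = strstr(resp, "Content-Length:");
    if (!hdr_end || !cl || cl > hdr_end) return -1;
    *body = hdr_end + 4;
    *body_len = strlen(*body);
    return strtol(cl + strlen("Content-Length:"), NULL, 10);
}

/* Size the buffer from the header and plant a canary right behind it. */
static long prepare_buffer(const char *resp, const char **body, size_t *body_len)
{
    long n = parse_headers(resp, body, body_len);
    if (n < 0 || n > ARENA_SIZE - CANARY_SIZE) return -1;
    memset(arena, 0, sizeof arena);
    memset(arena + n, CANARY_BYTE, CANARY_SIZE);
    return n;
}

/* 1 if the canary behind an n-byte buffer is untouched, 0 if it was overwritten. */
int canary_intact(long n)
{
    for (int i = 0; i < CANARY_SIZE; i++)
        if (arena[n + i] != CANARY_BYTE) return 0;
    return 1;
}

/* 1 if the buffer starts with the expected bytes. */
int body_equals(const char *expected)
{
    return memcmp(arena, expected, strlen(expected)) == 0;
}

/* Pre-fix pattern as the article describes it: the buffer is sized from
 * Content-Length, but every chunk the server sends is copied regardless.
 * Returns the number of body bytes written. */
long recv_body_vulnerable(const char *resp)
{
    const char *body; size_t body_len;
    long n = prepare_buffer(resp, &body, &body_len);
    if (n < 0) return -1;
    size_t written = 0;
    while (written < body_len) {
        size_t chunk = body_len - written < CHUNK ? body_len - written : CHUNK;
        if (written + chunk > ARENA_SIZE) break;         /* demo-only guard; the real code had none */
        memcpy(arena + written, body + written, chunk);  /* never compared against n */
        written += chunk;
    }
    return (long)written;
}

/* Hardened version: the declared length is a hard limit. A server that keeps
 * sending past it, or stops short of it, is an error, not something to trust. */
long recv_body_hardened(const char *resp)
{
    const char *body; size_t body_len;
    long n = prepare_buffer(resp, &body, &body_len);
    if (n <= 0) return -1;                               /* missing or zero length: refuse */
    size_t written = 0;
    while (written < body_len) {
        size_t chunk = body_len - written < CHUNK ? body_len - written : CHUNK;
        if (written + chunk > (size_t)n) return -1;      /* would overflow: abort the download */
        memcpy(arena + written, body + written, chunk);
        written += chunk;
    }
    return written == (size_t)n ? (long)written : -1;
}

int main(void)
{
    long w = recv_body_vulnerable(MALICIOUS_RESPONSE);
    printf("vulnerable: wrote %ld bytes, canary intact = %d\n", w, canary_intact(8));
    long h = recv_body_hardened(MALICIOUS_RESPONSE);
    printf("hardened:   result %ld, canary intact = %d\n", h, canary_intact(8));
    return 0;
}
```

Run against the malicious response, the vulnerable receiver reports 24 bytes written and a destroyed canary, which is the controlled write the advisory describes; the hardened receiver stops at the declared 8 bytes and fails the download. Rejecting a short body as well as a long one matters in a boot loader: a truncated loader image should never be handed to the signature check at all.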

To mitigate the vulnerability without resorting to revoking the digital signature of the old shim, the SBAT mechanism can be used; SBAT support is already present in GRUB2, shim and fwupd in the most widely used Linux distributions.

Developed in collaboration with Microsoft, SBAT adds metadata to the executable files of UEFI components: vendor, product, component and version information, including a generation number for each component. This metadata is covered by the file's digital signature and can be independently included in lists of allowed or revoked components for UEFI Secure Boot, so that an old generation of a component can be blocked without revoking the certificate that signed it.
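To make the generation-based check concrete, here is an added example in C (not shim's own code) of how an SBAT revocation decision is made: the image's CSV metadata is parsed into (component, generation) pairs and compared against a revocation list of minimum generations; the image is rejected if any component it declares is older than the minimum for that component. The CSV field layout (component, generation, vendor, package, version, URL) is the one SBAT defines; the sample images and the revocation list are constructed for the demo and their generation numbers are illustrative, not a statement of what any distribution currently ships.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16

/* One record from a .sbat section: only the component name and generation
 * take part in the revocation decision; vendor, package, version and URL
 * are informational. */
struct sbat_entry { char component[32]; long generation; };

/* Constructed sample data. An "old" and a "new" shim image, and a revocation
 * list with the minimum acceptable generation per component. */
const char OLD_SHIM_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,15.7,https://github.com/rhboot/shim\n";
const char NEW_SHIM_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,15.8,https://github.com/rhboot/shim\n";
const char REVOCATIONS[] =
    "sbat,1,2024010900\n"
    "shim,4\n"
    "grub,3\n";

/* Parse CSV lines of the form "component,generation[,...]\n" into out[].
 * Returns the number of entries, or -1 on malformed input (missing
 * generation, empty or over-long component name, too many lines). */
int parse_sbat(const char *csv, struct sbat_entry *out, int max)
{
    int count = 0;
    const char *p = csv;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);
        if (line_len > 0) {
            const char *comma = memchr(p, ',', line_len);
            if (!comma || count == max) return -1;
            size_t name_len = (size_t)(comma - p);
            if (name_len == 0 || name_len >= sizeof out[0].component) return -1;
            memcpy(out[count].component, p, name_len);
            out[count].component[name_len] = '\0';
            char *end;
            out[count].generation = strtol(comma + 1, &end, 10);
            if (end == comma + 1 || (*end != ',' && *end != '\n' && *end != '\0'))
                return -1;                    /* generation must be a bare integer */
            count++;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return count;
}

/* SBAT policy: the image is allowed unless some component it declares appears
 * in the revocation list with a generation below the required minimum.
 * Components not named in the list are unaffected.
 * Returns 1 = allowed, 0 = revoked, -1 = parse error (treat as revoked). */
int sbat_allows(const char *image_csv, const char *revocations_csv)
{
    struct sbat_entry img[MAX_ENTRIES], rev[MAX_ENTRIES];
    int ni = parse_sbat(image_csv, img, MAX_ENTRIES);
    int nr = parse_sbat(revocations_csv, rev, MAX_ENTRIES);
    if (ni < 0 || nr < 0) return -1;
    for (int i = 0; i < ni; i++)
        for (int r = 0; r < nr; r++)
            if (strcmp(img[i].component, rev[r].component) == 0 &&
                img[i].generation < rev[r].generation)
                return 0;
    return 1;
}

int main(void)
{
    printf("old shim (generation 3): %s\n",
           sbat_allows(OLD_SHIM_SBAT, REVOCATIONS) == 1 ? "allowed" : "revoked");
    printf("new shim (generation 4): %s\n",
           sbat_allows(NEW_SHIM_SBAT, REVOCATIONS) == 1 ? "allowed" : "revoked");
    return 0;
}
```

The point of the scheme is visible in the comparison: the signing certificate is the same for both images, and only the generation number, which the signature covers, decides the outcome. Bumping the required generation for "shim" in the revocation data blocks every earlier shim at once, without touching the certificate that also signs the fixed release.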

It should be mentioned that the vulnerability was already fixed in the release of shim 15.8. However, for protection against attacks via shim to be complete, the new version has to be signed by Microsoft and shipped by the Linux distributions.

The problem is that without revoking the signature of the previous version the fix on its own does not close the hole, since an attacker could boot from a device carrying a vulnerable but still validly signed shim to compromise UEFI Secure Boot. But revoking the signature would make it impossible to verify the boot of distributions that continue to use the previous version of shim. Raising the required SBAT generation for shim is the middle path that the mechanism described above was designed for.

Finally, it is worth mentioning that, in addition to addressing the main vulnerability described above, shim 15.8 also resolves several less critical security issues that can be exploited locally. These issues were assigned the following CVE identifiers:

  1. CVE-2023-40548: An integer overflow in the verify_sbat_section function, which can lead to a buffer overflow on 32-bit systems.
  2. CVE-2023-40546: An out-of-bounds memory read when reporting error messages through the LogError() function.
  3. CVE-2023-40549: Another out-of-bounds memory read when processing a specially crafted PE file in the verify_buffer_authenticode() function.
  4. CVE-2023-40550: An out-of-bounds memory read in the verify_buffer_sbat() function.
  5. CVE-2023-40551: An out-of-bounds memory read when parsing MZ files.

This vulnerability highlights the importance of addressing weaknesses in the implementation of security mechanisms, particularly in critical components such as the Secure Boot chain of Linux distributions, where a single unchecked length field can undermine every check that comes after it.

Last but not least, as always, we recommend that users apply the relevant patches and updates, and in particular the signed shim 15.8 and the updated SBAT revocation data when their distribution ships them, to mitigate the risks associated with this vulnerability and protect their systems against possible attacks.

If you are interested in learning more about it, you can check the details at the following link.