Photo by Jivacore/Shutterstock.com
A significant vulnerability tracked as CVE-2023-40547 with a CVSS score of 9.8 (critical) has been discovered in the Secure Boot process, which is widely used by Linux distributions. This flaw affects the shim software, a component in the boot process that allows attackers to execute an out-of-bounds write, leading to potential system compromise.
Cybersecurity researcher Bill Demirkapi at Microsoft’s Security Response Center uncovered the vulnerability.
Shim, a small application developed to address license incompatibility issues, plays a vital role in the Secure Boot process for Linus distributions. It contains the vendor’s certificate and code to verify and run the bootloader, typically GRUB2. The vendor’s shim is validated using the Microsoft 3rd Pary UEFI CA, after which it loads and verifies the GRUB2 bootloader using the embedded vendor certificate.
Red Hat, the maintainer of the shim software for most Linux distributions, addressed the issue with a code commit on December 5, 2023. While the initial fix may seem specific to Red Hat, the vulnerability extends its impact to all Linux distributions supporting Secure Boot.
Notable distributions include Debian, Ubuntu, and SUSE, among others. The distributions have initiated responses to address the threat. Additionally, five other medium-severity vulnerabilities have been disclosed in the shim, addressing issues such as NULL pointer dereference, integer overflow, out-of-bounds reads, and bounds checks for various processes.
- CVE-2023-40546: NULL point dereference
- CVE-2023-40548: Integer overflow flaw
- CVE-2023-40549: Out-of-bounds reads flaw
- CVE-2023-40550: Out-of-bounds reads flaw
- CVE-2023-40551: Bounds check for MZ binaries
The CVE-2023-40547 exposes multiple attack paths, including Man-in-the-Middle attacks on HTTP traffic, local exploitation through EFI Variables manipulation, and network-based attacks using PXE to chain-load a vulnerable shim bootloader.
By exploiting CVE-2023-40547, attackers can gain privileged access before the kernel loads, enabling them to circumvent controls implemented by the operation.
Researchers urged users to update the UEFI Secure Boot chain of trust to mitigate this vulnerability. This involves updating the UEFI Secure Boot DBX (revocation list) to include the vulnerable shim’s hashes and signing new patched versions with the Microsoft 3rd Party CA.
Utilising tools like fwupd on Linux systems can streamline the process of updating.
In December, it was reported that a novel NKAbuse malware was targeting Linux and IoT devices. On December 7, researchers revealed a critical Bluetooth HID flaw affecting Linux, iOS, Mac and Android devices.