Linux developers have addressed a new security flaw discovered in Shim, a component crucial for the boot process in Linux-based systems.
This vulnerability poses a significant risk by allowing the installation of malware that operates at the firmware level (secure boot bypass), presenting challenges for detection and removal.
Tracked as CVE-2023-40547, the flaw carries a CVSS rating of “9.8 Critical” from NIST and “8.3 High” from Red Hat, reflecting its severity.
“There is a difference in how NVD and vendors evaluate the sensitivity of the vulnerability. Red Hat, for instance, argues in their CVSSv3 score that the attack is high complexity and through an adjacent network vector,” explained Balazs Greksza, threat response lead at Ontinue.
“NVD thinks it’s low complexity and through a direct network. The servers actually exploitable through CVE-2023-40547 need to be configured to use HTTPBoot. The attacker must know which HTTP Server is used to serve the malicious firmware for using HTTPBoot.”
Shim functions as a critical element in the early boot phase before the operating system initializes and has been found vulnerable to remote code execution. The flaw arises from the component’s trust in attacker-controlled values during HTTP response parsing.
This weakness enables threat actors to craft malicious HTTP requests, ultimately leading to a complete system compromise through controlled out-of-bounds write operations. Notably, exploiting the flaw requires either a man-in-the-middle position on the boot path or compromise of the boot server itself, which limits the set of attackers able to reach it.
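To make the failure mode concrete, here is a constructed C illustration of the bug class the article describes: a boot-time HTTP client that has to decide how many response-body bytes to copy into a fixed buffer. This is an added example, not shim's code and not the CVE-2023-40547 patch; it assumes (as an assumption, not something the article states) that the attacker-controlled value is the declared body length in the response header, and all response text is constructed inline. The flawed pattern copies whatever length the header claims; the hardened version treats that claim as untrusted and checks it against both the bytes actually received and the destination capacity before writing.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not shim's code: the response comes from a boot
 * server or a man-in-the-middle, so every header value is attacker-controlled. */

#define BODY_CAP 64   /* fixed destination buffer, chosen for the example */

enum copy_status {
    COPY_OK = 0,
    COPY_BAD_HEADER = -1,   /* Content-Length missing or not a number */
    COPY_TOO_LONG = -2,     /* declared length exceeds destination capacity */
    COPY_SHORT_BODY = -3    /* header promises more bytes than were received */
};

/* Locate "Content-Length:" in the header block and parse its decimal value.
 * Returns -1 if the header is missing, malformed, or would overflow a long. */
long parse_declared_length(const char *headers)
{
    const char *p = strstr(headers, "Content-Length:");
    if (p == NULL)
        return -1;
    p += strlen("Content-Length:");
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p < '0' || *p > '9')
        return -1;
    long n = 0;
    while (*p >= '0' && *p <= '9') {
        if (n > (LONG_MAX - 9) / 10)   /* stop before the accumulator wraps */
            return -1;
        n = n * 10 + (*p - '0');
        p++;
    }
    return n;
}

/* Flawed pattern: the header said N bytes, so copy N bytes. If N exceeds the
 * destination, this is a controlled out-of-bounds write. Shown for contrast
 * only; the stand-alone main() below calls it with a benign response. */
void copy_body_trusting_header(char *dst, const char *body, long declared)
{
    memcpy(dst, body, (size_t)declared);
}

/* Hardened pattern: the declared length is a claim to be verified against
 * the bytes that actually arrived and the capacity of the destination. */
enum copy_status copy_body_checked(char *dst, size_t dst_cap,
                                   const char *headers,
                                   const char *body, size_t body_len)
{
    long declared = parse_declared_length(headers);
    if (declared < 0)
        return COPY_BAD_HEADER;
    if ((size_t)declared > dst_cap)
        return COPY_TOO_LONG;
    if ((size_t)declared > body_len)
        return COPY_SHORT_BODY;
    memcpy(dst, body, (size_t)declared);
    return COPY_OK;
}

/* Convenience wrapper using a private BODY_CAP buffer, so callers can
 * classify a response without managing storage themselves. */
enum copy_status check_response(const char *headers, const char *body,
                                size_t body_len)
{
    static char buf[BODY_CAP];
    memset(buf, 0, sizeof buf);
    return copy_body_checked(buf, sizeof buf, headers, body, body_len);
}

int main(void)
{
    /* Constructed responses: one honest, one with an inflated length claim. */
    const char *honest = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n";
    const char *inflated = "HTTP/1.1 200 OK\r\nContent-Length: 4096\r\n\r\n";
    const char *body = "hello";
    char dst[BODY_CAP];

    copy_body_trusting_header(dst, body, parse_declared_length(honest));
    printf("honest response: status %d\n",
           check_response(honest, body, strlen(body)));
    printf("inflated response: status %d (rejected before any write)\n",
           check_response(inflated, body, strlen(body)));
    return 0;
}
```

The point of the hardened path is that a rejected response produces a status code and no write at all, which is the property a boot-time component needs when the peer on the network cannot be trusted.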
“The bar to leverage this is high,” commented Lionel Litty, chief security architect at Menlo Security. “What stands out here is that this is a particularly insidious one [vulnerability] that goes to the core of the startup sequence, right after the firmware is loaded. If you use network boot or if you operate in a high-security environment that leverages secure boot to measure your devices, you should be paying attention.”
The urgency to address this critical issue prompted the release of Shim version 15.8 by its maintainers. This update not only patches the aforementioned vulnerability but also addresses five additional security flaws.
The bug discovery and reporting have been credited to Bill Demirkapi from the Microsoft Security Response Center (MSRC).