Red Hat has released version 15.8 of shim, the first-stage UEFI boot loader that most Linux distributions use for Secure Boot, to address a critical vulnerability, CVE-2023-40547 [1] [2] [3] [4] [5] [6] [7] [8] [9]. The flaw gives an attacker code execution before the operating system loads and, with it, a Secure Boot bypass [6] [9]. Because every shim signed in the past decade carries the bug, it affects essentially every distribution that supports Secure Boot and a wide range of devices and systems, including IoT and OT systems [2].

Description

CVE-2023-40547 [1] [2] [3] [4] [5] [6] [7] [8] [9] was reported by Bill Demirkapi of the Microsoft Security Response Center [1] [4] [6] [9]. NVD rates it CVSS 9.8 [7]; Red Hat's own rating is lower, 8.3, reflecting that the attacker needs either a position on the network path the machine boots from or prior local access. The bug lies in shim's HTTP boot support, the code path that downloads a boot image over HTTP when the firmware is configured to boot from the network: shim trusts attacker-controlled values when parsing the HTTP response, so an attacker who controls what shim receives [1] [7] gets a fully controlled out-of-bounds write. Since this code runs before the operating system loads, the write primitive leads to code execution inside the boot chain and, from there, compromise of the entire system. Three ways of putting a malicious response in front of a booting machine have been described: a man-in-the-middle on the HTTP boot traffic [1] [7] [8]; manipulation of EFI variables or the EFI system partition by an attacker who already has local privilege, to redirect the boot to a server they control [1]; and manipulation of a PXE environment to chain-load a vulnerable shim [1].
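To make the bug class concrete, here is an added example in plain C. It is not shim's httpboot.c and does not reproduce the real parsing code; the chunk framing, the `struct chunk` type and the function names are this article's own illustration of the pattern "buffer sized from a server-supplied Content-Length, then filled with chunks whose lengths are also server-supplied and never rechecked". The vulnerable receiver is run against a constructed malicious body inside a larger arena with a canary, so the overflow is observable without undefined behaviour; the hardened receiver rejects the same body.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the bug class behind CVE-2023-40547, not
 * shim's code. A body arrives as chunks; the server controls both the
 * Content-Length used to size the destination and each chunk's length. */
struct chunk {
    const uint8_t *data;
    size_t len;
};

/* Vulnerable pattern: the buffer was sized from Content-Length, but each
 * chunk is copied at its claimed length with no check against the space
 * remaining. A server that sends more body than it announced writes past
 * the end of the buffer, with content it chooses. */
static size_t receive_body_vulnerable(uint8_t *buf, size_t content_length,
                                      const struct chunk *chunks, size_t n)
{
    size_t received = 0;
    (void)content_length;           /* used for the allocation, never rechecked */
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + received, chunks[i].data, chunks[i].len);
        received += chunks[i].len;
    }
    return received;
}

/* Hardened form: every length from the network is hostile. Each chunk must
 * fit in the space left (received <= content_length is an invariant, so the
 * subtraction cannot wrap), and a body that ends short of Content-Length is
 * rejected instead of being used with uninitialised tail bytes. */
static int receive_body_hardened(uint8_t *buf, size_t content_length,
                                 const struct chunk *chunks, size_t n,
                                 size_t *out_len)
{
    size_t received = 0;
    for (size_t i = 0; i < n; i++) {
        if (chunks[i].len > content_length - received)
            return -1;              /* server sent more than it announced */
        memcpy(buf + received, chunks[i].data, chunks[i].len);
        received += chunks[i].len;
    }
    if (received != content_length)
        return -1;                  /* truncated body */
    *out_len = received;
    return 0;
}

/* Harness: a 16-byte "allocation" at the front of a 64-byte arena; the rest
 * of the arena is a canary, so an overflow is visible and stays in bounds. */
#define BUF_LEN   16
#define ARENA_LEN 64
#define CANARY    0xAA

/* Constructed malicious body: Content-Length says 16, chunks total 8 + 24. */
static void build_oversized(uint8_t *a, size_t alen, uint8_t *b, size_t blen,
                            struct chunk out[2])
{
    memset(a, 'A', alen);
    memset(b, 'B', blen);
    out[0].data = a; out[0].len = alen;
    out[1].data = b; out[1].len = blen;
}

/* Returns how many canary bytes the vulnerable receiver overwrote. */
static int count_clobbered_canary(void)
{
    uint8_t arena[ARENA_LEN], a[8], b[24];
    struct chunk chunks[2];
    int clobbered = 0;
    memset(arena, CANARY, sizeof arena);
    build_oversized(a, sizeof a, b, sizeof b, chunks);
    receive_body_vulnerable(arena, BUF_LEN, chunks, 2);   /* writes 32 bytes */
    for (size_t i = BUF_LEN; i < ARENA_LEN; i++)
        if (arena[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* Same malicious body against the hardened receiver: -1, canary untouched. */
static int hardened_rejects_oversized(void)
{
    uint8_t arena[ARENA_LEN], a[8], b[24];
    struct chunk chunks[2];
    size_t got = 0;
    memset(arena, CANARY, sizeof arena);
    build_oversized(a, sizeof a, b, sizeof b, chunks);
    int rc = receive_body_hardened(arena, BUF_LEN, chunks, 2, &got);
    for (size_t i = BUF_LEN; i < ARENA_LEN; i++)
        if (arena[i] != CANARY)
            return 1;               /* would mean the check is wrong */
    return rc;
}

/* Honest server: two 8-byte chunks exactly fill the announced 16 bytes.
 * Returns the accepted length, or -1 on rejection. */
static int hardened_accepts_exact(void)
{
    uint8_t buf[BUF_LEN], a[8], b[8];
    struct chunk chunks[2];
    size_t got = 0;
    build_oversized(a, sizeof a, b, sizeof b, chunks);
    if (receive_body_hardened(buf, BUF_LEN, chunks, 2, &got) != 0)
        return -1;
    return (int)got;
}

int main(void)
{
    printf("vulnerable receiver overwrote %d bytes past the buffer\n",
           count_clobbered_canary());
    printf("hardened receiver, oversized body: rc=%d\n",
           hardened_rejects_oversized());
    printf("hardened receiver, exact body: accepted %d bytes\n",
           hardened_accepts_exact());
    return 0;
}
```

The point the canary makes is that the attacker controls both the length of the overflow (via chunk sizes) and its content (via chunk bytes), which is what "completely controlled out-of-bounds write" means in the advisory language; in a boot loader running with no ASLR, no OS and full control of the machine, that is enough to redirect execution.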

Alongside CVE-2023-40547, shim 15.8 also fixes five medium-severity vulnerabilities: CVE-2023-40546, CVE-2023-40548 [1] [2] [3] [4] [5] [6] [7] [8] [9], CVE-2023-40549 [1] [2] [3] [4] [5] [6] [7] [8] [9], CVE-2023-40550 [1] [2] [3] [4] [5] [6] [7] [8] [9], and CVE-2023-40551 [1] [2] [4] [5] [6] [7] [8] [9].

Conclusion

The critical nature of CVE-2023-40547 raises concerns because it can be exploited across a wide range of devices and systems [2], including IoT and OT systems [2]. Mitigation is harder than for an ordinary software bug: the flaw is triggered before the operating system loads, so OS-level controls such as EDR and hardening cannot observe or block it, and a successful exploit hands the attacker the whole boot chain, beneath anything the operating system's root can see. Organizations with large IoT/OT deployments should prioritize patching and consider application-based IoT discovery and automated remediation solutions [2].

Linux administrators should update shim to version 15.8 [2]. Installing the new package replaces the vulnerable binary on that host, but it does not by itself stop an attacker who can substitute boot files from chain-loading an older shim that is still validly signed; that path is closed only when the old binaries are revoked, through the UEFI forbidden-signature database (dbx) or shim's SBAT revocation mechanism, so those revocations should follow once a fleet is on 15.8. No in-the-wild exploitation had been reported at the time of writing, but given the boot-level impact it is prudent to patch before one appears. The upstream fix for CVE-2023-40547 is available in the rhboot/shim repository on GitHub.

References

[1] https://securityaffairs.com/158792/hacking/critical-shim-bug-linux.html
[2] https://www.scmagazine.com/news/redhat-patches-critical-flaw-in-linux-shim-bootloader
[3] https://cybersecuritynews.com/linux-shim-bootloader-flaw/
[4] https://www.darkreading.com/vulnerabilities-threats/rce-vulnerability-in-shim-bootloader-impacts-all-linux-distros
[5] https://arstechnica.com/security/2024/02/critical-vulnerability-affecting-most-linux-distros-allows-for-bootkits/
[6] https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html
[7] https://nvd.nist.gov/vuln/detail/CVE-2023-40547?trk=publicpostcomment-text
[8] https://www.itnews.com.au/news/bootloader-bug-exposes-linux-secure-boot-604858
[9] https://www.redpacketsecurity.com/critical-bootloader-vulnerability-in-shim-impacts-nearly-all-linux-distros/