In an EFI application named Shim, which is used by most common Linux distributions, a critical vulnerability has been discovered. This vulnerability allows attackers to inject malicious code and gain full control over the targeted system. The flaw, identified as CVE-2023-40547, can be exploited through a specially crafted HTTP request that leads to a controlled out-of-bounds write operation, as described.
Security researchers from Eclypsium emphasize that Shim is critical software in the boot process, utilized by most Linux distributions to support Secure Boot. While Red Hat maintains this application, it is deployed in all distributions supporting Secure Boot, including Debian, Ubuntu, Suse, and others.
The severity of CVE-2023-40547 has been rated as high by Red Hat and as critical by NIST. According to the Eclypsium researchers, the vulnerability can be exploited both locally and remotely. Remote attacks could occur, for example, through a man-in-the-middle attack on the traffic for providing files to support HTTP boot. Local exploitation is also possible, such as by using a bootable USB stick with a Linux live system, allowing the alteration of the boot order to selectively load an attacker’s Shim application, enabling privileged code execution without disabling Secure Boot.
The researchers caution that an attacker exploiting this vulnerability gains control over the system even before the kernel is loaded. This means the attacker has privileged access and can bypass all security checks implemented by the kernel and operating system. This facilitates the installation of bootkits, a type of malware executed before the operating system starts, typically granting extensive access rights.
Although a patch for CVE-2023-40547 is already available, and the issue has been addressed in Shim version 15.8, the researchers stress that the patch alone is insufficient. Additionally, an update of the Chain of Trust for Secure Boot is required. This entails updating the UEFI Secure Boot DBX (blacklist) to include the hashes of the vulnerable Shim software, as explained in the Eclypsium report.
The order of operations is crucial. Users must first update Shim and then apply the DBX update. The latter can be performed, for instance, using the fwupd tool by employing the “fwupdmgr update” command.