Shim Bootloader Vulnerability Detected in Linux Systems


Security researchers have uncovered a critical vulnerability in Shim, a commonly used Linux bootloader. This flaw has the potential to enable attackers to execute malicious code and take control of target systems even before the kernel is loaded. Given its ability to bypass standard security measures typically enforced by the kernel and operating system, this vulnerability poses significant concerns.

WHAT IS A SHIM BOOTLOADER?


Shim functions as a critical, open-source bootloader essential for enabling the Secure Boot process on computers utilizing the Unified Extensible Firmware Interface (UEFI). Signed with a Microsoft key widely recognized by UEFI motherboards, Shim verifies the integrity of the boot process.

Discovered by Microsoft’s Bill Demirkapi, the vulnerability lies in Shim’s management of HTTP boot operations, permitting out-of-bounds write operations via manipulated HTTP responses.

SHIM RCE VULNERABILITY UNCOVERED

Exploiting CVE-2023-40547 (CVSS score: 9.8) entails crafting specific HTTP requests that trigger an out-of-bounds write. This vulnerability can be exploited in multiple scenarios, including remote code execution, network-adjacent attacks, and local attacks. For example, a remote attacker might intercept HTTP boot traffic via a Man-in-the-Middle attack, while a local attacker could manipulate EFI variables or utilize a live Linux USB. These actions could disrupt the boot process and enable the execution of privileged code.

The capacity to execute code prior to the operating system’s initialization poses a substantial threat, enabling attackers to deploy stealthy bootkits that compromise system security. This elevated access empowers attackers to circumvent conventional security measures and establish persistent, undetectable footholds on the compromised system.

RED HAT FIXES SHIM RCE FLAW

To mitigate this vulnerability, Red Hat released a patch on December 5, 2023. Users of Shim, including major Linux distributions like Red Hat, Debian, Ubuntu, and SUSE, are strongly advised to upgrade to the latest version of Shim (v15.8), which resolves CVE-2023-40547 and other vulnerabilities. Furthermore, users should update the UEFI Secure Boot DBX (revocation list) to prevent the execution of vulnerable Shim versions and ensure that the patched version is signed with a valid Microsoft key.
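One way to inventory installed Shim binaries against the fixed release named above, as an added example that is not from the original article or the Shim project: it reads the `$Version: ... $` string that upstream Shim builds embed and compares it to 15.8. The `/boot/efi` mount point and the `shim*.efi` file-name filter are assumptions, and a distribution build that backports the fix under an older version string would still be reported as vulnerable.

```python
import re
import sys
from pathlib import Path

FIXED = (15, 8)  # release the article names as resolving CVE-2023-40547
# Assumption: the binary carries upstream shim's ident string,
# e.g. b"$Version: 15.7 $", somewhere in its data.
VERSION_RE = re.compile(rb"\$Version: (\d+(?:\.\d+)*) \$")


def shim_version(blob: bytes):
    """Return the embedded shim version as a tuple of ints, or None."""
    m = VERSION_RE.search(blob)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split(b"."))


def classify(blob: bytes) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' (no version string)."""
    ver = shim_version(blob)
    if ver is None:
        return "unknown"
    # Pad short versions so that "15" compares as 15.0 against 15.8.
    padded = ver + (0,) * (len(FIXED) - len(ver))
    return "patched" if padded >= FIXED else "vulnerable"


def scan(esp_root: str) -> dict:
    """Classify every shim*.efi file below an EFI System Partition mount."""
    results = {}
    for path in sorted(Path(esp_root).rglob("*")):
        name = path.name.lower()  # FAT file names are often upper case
        if path.is_file() and name.startswith("shim") and name.endswith(".efi"):
            results[str(path)] = classify(path.read_bytes())
    return results


if __name__ == "__main__":
    # Assumed default mount point; pass another path as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/boot/efi"
    found = scan(root)
    for path, verdict in found.items():
        print(f"{verdict:10} {path}")
    # Non-zero exit when anything is not confirmed patched, for use in fleet checks.
    sys.exit(1 if any(v != "patched" for v in found.values()) else 0)
```

An `unknown` result means the version string was not found, so the binary needs manual review. A passing version check does not replace the DBX update the article calls for.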

Linux is increasingly becoming a prime target for various malware families. While it has long been a staple in APT attacks due to its prevalence in server infrastructure, the emergence of Linux malware in forms such as ransomware, spyware, and rootkits is a concerning trend. Vulnerabilities like the one described above should not be taken lightly, as they are likely to be exploited sooner or later.


By FirstHackersNews | February 15th, 2024 (2024-02-21T23:44:26+05:30)
