CVSS 9.8 Bootkit Bug in shim.efi

A Microsoft researcher found it, and it's somehow Microsoft's fault.
A critical vulnerability in most Linux distributions now has a patch ready.
Enterprise users especially need this if booting using HTTP or PXE. So go get it.
In today's SB Blogwatch, we patch shim and update the DBX. Your humble blogwatcher curated these bloggy bits for your entertainment.
[It] could prove useful if an attacker has already gained some level of access inside a network and is looking to take control of connected end-user devices.
The vulnerability resides in shim, a small component that runs early in the boot process before the operating system has started.
[It] resides in a part of the shim that processes booting up from a central server on a network using HTTP. The ability to execute code during the boot process constitutes a major escalation of whatever access an attacker already has.
It means the attacker can neutralize many forms of endpoint protection.
Shim is a small open-source bootloader maintained by Red Hat that is designed to facilitate the Secure Boot process on computers using Unified Extensible Firmware Interface.
Linux users are advised to update to the latest version of Shim, v15.8, which contains a fix for CVE-2023-40547 and five other important vulnerabilities.
Although unlikely to be mass-exploited, [it] is not a bug that should be ignored, as executing code before OS boot is one of the strongest and stealthiest forms of system compromise.
While on the surface this may look like an issue only affecting Red Hat, this vulnerability impacts all Linux distributions that support Secure Boot, including Debian, Ubuntu, SUSE, and others.
Alongside updating to the new shim version containing the patch, the Secure Boot chain of trust must [also] be updated.
This means the UEFI Secure Boot DBX must be updated to include the hashes of the vulnerable shim software.
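The DBX update described above only helps if the hashes of the old shim binaries actually land in the variable. The following is an added example, not code from the Blogwatch, from shim, or from any distribution: it parses the EFI_SIGNATURE_LIST structures that make up DBX and reports whether a given image hash is revoked. It assumes DBX bytes read from efivarfs (which prefixes a 4-byte attribute word), takes the image's Authenticode PE hash as input, and the two sample hashes are constructed placeholders, not the hashes of any real shim build.

```python
import struct
import uuid

# Signature type for raw SHA-256 image hashes in db/dbx (EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs files (/sys/firmware/efi/efivars/dbx-d719b2cb-...) start with a
# 4-byte attribute word before the variable data itself.
EFIVARFS_ATTR_LEN = 4
SIGLIST_HDR_LEN = 28  # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize

def iter_signature_lists(data: bytes):
    """Yield (type_guid, [(owner_guid, signature_bytes), ...]) per EFI_SIGNATURE_LIST."""
    off = 0
    while off + SIGLIST_HDR_LEN <= len(data):
        type_guid = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIGLIST_HDR_LEN or off + list_size > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = data[off + SIGLIST_HDR_LEN + hdr_size:off + list_size]
        entries = []
        for i in range(0, len(body) - len(body) % sig_size, sig_size):
            entry = body[i:i + sig_size]  # EFI_SIGNATURE_DATA: owner GUID + payload
            entries.append((uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        yield type_guid, entries
        off += list_size

def revoked_sha256_hashes(dbx: bytes, from_efivarfs: bool = False) -> set:
    """Every SHA-256 image hash the DBX blob revokes, as lowercase hex."""
    if from_efivarfs:
        dbx = dbx[EFIVARFS_ATTR_LEN:]
    return {sig.hex() for guid, entries in iter_signature_lists(dbx)
            if guid == EFI_CERT_SHA256_GUID for _, sig in entries}

def is_revoked(dbx: bytes, pe_hash_hex: str, from_efivarfs: bool = False) -> bool:
    """True if the image hash (Authenticode PE hash, not a plain file hash) is in DBX."""
    return pe_hash_hex.lower() in revoked_sha256_hashes(dbx, from_efivarfs)

def build_sha256_list(hashes_hex) -> bytes:
    """Constructed helper: encode hashes as one EFI_SIGNATURE_LIST (for the sample)."""
    owner = uuid.UUID(int=0).bytes_le
    body = b"".join(owner + bytes.fromhex(h) for h in hashes_hex)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", SIGLIST_HDR_LEN + len(body), 0, 48)
    return header + body

# Constructed sample: two placeholder hashes, NOT the real hashes of any shim build.
CONSTRUCTED_REVOKED = ["aa" * 32, "bb" * 32]
SAMPLE_DBX_EFIVARFS = b"\x27\x00\x00\x00" + build_sha256_list(CONSTRUCTED_REVOKED)
```

On a live system the same check runs over the bytes of the dbx file under /sys/firmware/efi/efivars with from_efivarfs=True, and a hash that is missing means the old shim would still be accepted by firmware.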
[It's] a piece of code that is jointly terrible, a bad compromise forced on the Linux community by Intel/Microsoft through the UEFI architecture (Secure Boot).
If an organization is so behind the times that they're still deploying boot images over an unencrypted HTTP server, then it's fairly likely that they also won't have the ability to deal with these current issues either.
A common misconception I've seen is that this only affects you if you use HTTP boot.
If that were true, this wouldn't be a Critical bug.
Literally almost ground zero for the whole chain of trust when it comes to booting with secure boot.
Networks are big and scary places, and once you break the secure boot process, you can make it load binaries from across the globe over simple http.


This Cyber News was published on securityboulevard.com. Publication date: Thu, 08 Feb 2024 17:43:04 +0000