Linux shim, a small piece of code that many major Linux distros use during the secure boot process, has a remote code execution vulnerability in it that gives attackers a way to take complete control of affected systems.
All Linux distributions that support Secure Boot, including Red Hat, Ubuntu, Debian, and SUSE are affected by the flaw, identified as CVE-2023-40547.
The flaw is the most severe of six vulnerabilities in Linux shim that its maintainer Red Hat disclosed recently - and for which it has issued an update.
Bill Demirkapi, a researcher with Microsoft's Security Response Center who discovered the bug and reported it to Red Hat, has described it as every Linux bootloader signed in the past decade.
Out-of-Bounds Write Error In its advisory Red Hat said the bug had to do with the shim boot code trusting attacker-controlled values when parsing an HTTP response.
The National Vulnerability Database and Red Hat had slightly different takes on the severity of the vulnerability and its exploitability.
The NVD assigned the bug a near maximum severity rating of 9.8 out of 10 on the CVSS 3.1 scale and identified it as something that an attacker could exploit over the network with little complexity and requiring no user interaction or privileges.
Red Hat gave the bug a more modest severity score of 8.3 and described it as exploitable only through an adjacent network and involving high attack complexity.
A shim bootloader is basically a small app that loads prior to the main operating system bootloader on Unified Extensible Firmware Interface-based systems.
It acts as a bridge between the UEFI firmware and the main OS bootloaders, which in the case of Linux, is typically GRUB or system-boot.
Its function is to verify the main OS bootloader before loading and running it.
Multiple Attack Vectors Researchers from software supply chain security vendor Eclypsium identified three different paths that an attacker could take to exploit the vulnerability.
One is via a man-in-the-middle attack, where the adversary intercepts HTTP traffic between the victim and the HTTP server that serves the files to support HTTP boot.
An attacker with enough privileges on a vulnerable system could also exploit the vulnerability locally by manipulating data in Extensible Firmware Interface variables or on the EFI partitions.
An attacker on the same network as the victim can also manipulate the pre-boot execution environment to chain-load a vulnerable shim bootloader, Eclypsium said.
Lionel Litty, chief security architect at Menlo Security, says the exploitation bar is high because the attacker would need to already have gained administrator privileges on a vulnerable device.
Or they'd need to be targeting a device that uses network boot and also be able to perform a man-in-the-middle attack on the local network traffic of the targeted device.
If the device is using network boot and the attacker can do MITM on the traffic, then that's when they can target the buffer overflow.
He adds that organizations with machines using HTTP boot or pre-boot execution environment boot should be concerned, especially if communication with the boot sever is in an environment where an adversary could insert themselves into the middle of traffic.
NVD may also be alluding to an extremely unlikely worst-case scenario where the victim machine is already configured to boot via HTTP from a server outside the local network and the attacker already has control over this HTTP server.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 07 Feb 2024 22:25:08 +0000