Linux Distros Hit by RCE Vulnerability in Shim Bootloader

Linux shim, a small piece of code that many major Linux distros use during the secure boot process, has a remote code execution vulnerability in it that gives attackers a way to take complete control of affected systems.
All Linux distributions that support Secure Boot, including Red Hat, Ubuntu, Debian, and SUSE are affected by the flaw, identified as CVE-2023-40547.
The flaw is the most severe of six vulnerabilities in Linux shim that its maintainer Red Hat disclosed recently - and for which it has issued an update.
Bill Demirkapi, a researcher with Microsoft's Security Response Center who discovered the bug and reported it to Red Hat, has described it as every Linux bootloader signed in the past decade.
Out-of-Bounds Write Error In its advisory Red Hat said the bug had to do with the shim boot code trusting attacker-controlled values when parsing an HTTP response.
The National Vulnerability Database and Red Hat had slightly different takes on the severity of the vulnerability and its exploitability.
The NVD assigned the bug a near maximum severity rating of 9.8 out of 10 on the CVSS 3.1 scale and identified it as something that an attacker could exploit over the network with little complexity and requiring no user interaction or privileges.
Red Hat gave the bug a more modest severity score of 8.3 and described it as exploitable only through an adjacent network and involving high attack complexity.
A shim bootloader is basically a small app that loads prior to the main operating system bootloader on Unified Extensible Firmware Interface-based systems.
It acts as a bridge between the UEFI firmware and the main OS bootloaders, which in the case of Linux, is typically GRUB or system-boot.
Its function is to verify the main OS bootloader before loading and running it.
Multiple Attack Vectors Researchers from software supply chain security vendor Eclypsium identified three different paths that an attacker could take to exploit the vulnerability.
One is via a man-in-the-middle attack, where the adversary intercepts HTTP traffic between the victim and the HTTP server that serves the files to support HTTP boot.
An attacker with enough privileges on a vulnerable system could also exploit the vulnerability locally by manipulating data in Extensible Firmware Interface variables or on the EFI partitions.
An attacker on the same network as the victim can also manipulate the pre-boot execution environment to chain-load a vulnerable shim bootloader, Eclypsium said.
Lionel Litty, chief security architect at Menlo Security, says the exploitation bar is high because the attacker would need to already have gained administrator privileges on a vulnerable device.
Or they'd need to be targeting a device that uses network boot and also be able to perform a man-in-the-middle attack on the local network traffic of the targeted device.
If the device is using network boot and the attacker can do MITM on the traffic, then that's when they can target the buffer overflow.
He adds that organizations with machines using HTTP boot or pre-boot execution environment boot should be concerned, especially if communication with the boot sever is in an environment where an adversary could insert themselves into the middle of traffic.
NVD may also be alluding to an extremely unlikely worst-case scenario where the victim machine is already configured to boot via HTTP from a server outside the local network and the attacker already has control over this HTTP server.


This Cyber News was published on www.darkreading.com. Publication date: Wed, 07 Feb 2024 22:25:08 +0000


Cyber News related to Linux Distros Hit by RCE Vulnerability in Shim Bootloader

Linux Distros Hit by RCE Vulnerability in Shim Bootloader - Linux shim, a small piece of code that many major Linux distros use during the secure boot process, has a remote code execution vulnerability in it that gives attackers a way to take complete control of affected systems. All Linux distributions that ...
10 months ago Darkreading.com
Shim Bug Uncovered: A Ten-Year Security Breach in Linux Boot Loaders - In the dynamic realm of cybersecurity, discovering a significant flaw in every Linux boot loader signed in the past decade has underscored the pervasive nature of potential threats. This blog explores the intricacies of the Shim bug, its implications ...
10 months ago Cysecurity.news
CVSS 9.8 Bootkit Bug in shim.efi - A Microsoft researcher found it-and it's somehow Microsoft's fault. A critical vulnerability in most Linux distributions now has a patch ready. Enterprise users especially need this if booting using HTTP or PXE. So go get it. In today's SB Blogwatch, ...
10 months ago Securityboulevard.com
Chromebook SH1MMER exploit promises admin jailbreak The Register - Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SHI1MMER. SH1MMER - you may pronounce the "1" as an "i" - is a shim exploit, or more specifically, ...
1 year ago Packetstormsecurity.com
CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
5 months ago
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
9 months ago Cisa.gov
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
9 months ago Cisa.gov
CVE-2020-15257 - containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the ...
2 years ago
New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices - A new exploit has been devised to "Unenroll" enterprise- or school-managed Chromebooks from administrative control. Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console, ...
1 year ago Thehackernews.com
Linux Devs Rush to Patch Critical Vulnerability in Shim - Linux developers have addressed a new security flaw discovered in Shim, a component crucial for the boot process in Linux-based systems. This vulnerability poses a significant risk by allowing the installation of malware that operates at the firmware ...
10 months ago Infosecurity-magazine.com
New Linux glibc flaw lets attackers get root on major distros - Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation vulnerability in the GNU C Library. Tracked as CVE-2023-6246, this security flaw was ...
10 months ago Bleepingcomputer.com
CISA orders federal agencies to patch Looney Tunables Linux bug - Today, CISA ordered U.S. federal agencies to secure their systems against an actively exploited vulnerability that lets attackers gain root privileges on many major Linux distributions. Dubbed 'Looney Tunables' by Qualys' Threat Research Unit and ...
1 year ago Bleepingcomputer.com
Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure - Fortinet is warning of two new unpatched patch bypasses for a critical remote code execution vulnerability in FortiSIEM, Fortinet's SIEM solution. Fortinet added the two new vulnerabilities tracked as CVE-2024-23108 and CVE-2024-23109 to the original ...
10 months ago Bleepingcomputer.com
CVE-2020-8023 - A acceptance of Extraneous Untrusted Data With Trusted Data vulnerability in the start script of openldap2 of SUSE Enterprise Storage 5, SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Point of ...
4 years ago
Kali vs. ParrotOS: 2 versatile Linux distros for security pros - Let's examine and compare these two security and privacy distros to help you decide which - Kali Linux vs. ParrotOS - is best for your use case. Kali Linux, focusing on penetration testing, audits and forensics, is one of the industry's best-known ...
1 year ago Techtarget.com
Cisco Routers Exposed to Remote Code Execution (RCE) Attacks: How to Protect Your Network - Protecting networks from remote code execution (RCE) attacks is now more important than ever, as thousands of end-of-life Cisco routers are exposed to these vulnerabilities. On June 10, 2020 research revealed that over 19,000 Cisco devices were still ...
1 year ago Bleepingcomputer.com
New Sh1mmer ChromeBook exploit unenrolls managed devices - A new exploit called 'Sh1mmer' allows users to unenroll an enterprise-managed Chromebook, enabling them to install any apps they wish and bypass device restrictions. When Chromebooks are enrolled with a school or an enterprise, they are managed by ...
1 year ago Bleepingcomputer.com
Apple and some Linux distros are open to Bluetooth attack The Register - A years-old Bluetooth authentication bypass vulnerability allows miscreants to connect to Apple, Android and Linux devices and inject keystrokes to run arbitrary commands, according to a software engineer at drone technology firm SkySafe. The bug, ...
1 year ago Go.theregister.com
Microsoft is bringing the Linux sudo command to Windows Server - Microsoft is bringing the Linux 'sudo' feature to Windows Server 2025, offering a new way for admins to elevate privileges for console applications. Superuser do, or sudo, is a Linux console program that allows low-privileged users to execute a ...
10 months ago Bleepingcomputer.com
Hackers exploit Looney Tunables Linux bug, steal cloud creds - The operators of the Kinsing malware are targeting cloud environments with systems vulnerable to "Looney Tunables," a Linux security issue identified as CVE-2023-4911 that allows a local attacker to gain root privileges on the system. Looney Tunables ...
1 year ago Bleepingcomputer.com
Any.RUN Sandbox Now Expanded to Analyze Linux Malware - The ANY.RUN sandbox has now been updated with support for Linux, further enhancing its ability to provide an isolated and secure environment for malware analysis and threat hunting. ANY.RUN allows malware analysts, SOC members, and DFIR team members ...
10 months ago Gbhackers.com
CVE-2023-39950 - efibootguard is a simple UEFI boot loader with support for safely switching between current and updated partition sets. Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files can cause crashes and ...
1 year ago
Two new versions of OpenZFS fix long-hidden corruption bug The Register - The bug that was very occasionally corrupting data on file copies in OpenZFS 2.2.0 has been identified and fixed, and there's a fix for the previous OpenZFS release too. The OpenZFS development team have put out not one but two new releases of the ...
1 year ago Go.theregister.com
Two new versions of OpenZFS fix long-hidden corruption bug The Register - The bug that was very occasionally corrupting data on file copies in OpenZFS 2.2.0 has been identified and fixed, and there's a fix for the previous OpenZFS release too. The OpenZFS development team have put out not one but two new releases of the ...
1 year ago Packetstormsecurity.com
CVE-2020-8022 - A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise ...
3 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)