Bootloader bug exposes Linux secure boot

"Complete system compromise".

Microsoft’s vulnerability and mitigations team have discovered a bug in a program called Shim, which is used in Linux distributions that support secure boot.

While the vulnerability, CVE-2023-40547, was first disclosed by Shim maintainer Red Hat on January 23, it has mostly flown under the radar.

The remote code execution vulnerability arises because “Shim boot support trusts attacker-controlled values when parsing an HTTP response,” the advisory states.

“This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.”
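
The bug class the advisory describes, shown in hardened form as an added example (not code from Shim, Red Hat or this article): a receiver that sizes its buffer from a length the server declares, then checks every received chunk against the space left. It assumes the attacker-controlled value is a declared body length, which the article does not specify; all names and the 64 MiB cap are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_BODY (64u * 1024u * 1024u)  /* constructed cap for this example */

/* Hypothetical receive state; names are illustrative, not Shim's. */
struct body_rx {
    unsigned char *buf;   /* allocated from the declared length */
    size_t declared;      /* length the server claimed (untrusted) */
    size_t received;      /* bytes actually stored so far */
};

/* Allocate from the declared length, but bound it first. */
int body_rx_init(struct body_rx *rx, size_t declared)
{
    if (declared == 0 || declared > MAX_BODY)
        return -1;
    rx->buf = malloc(declared);
    rx->declared = declared;
    rx->received = 0;
    return rx->buf != NULL ? 0 : -1;
}

/* Store one chunk. The chunk length also comes from the wire, so it is
 * validated against the space left, never assumed to match the header. */
int body_rx_append(struct body_rx *rx, const void *chunk, size_t len)
{
    if (len > rx->declared - rx->received)
        return -1;                 /* would write past the allocation */
    memcpy(rx->buf + rx->received, chunk, len);
    rx->received += len;
    return 0;
}

/* Feed a constructed response: declared length versus actual chunks. */
int receive_body(size_t declared, const char *const *chunks, size_t n)
{
    struct body_rx rx;
    int rc = 0;
    if (body_rx_init(&rx, declared) != 0)
        return -1;
    for (size_t i = 0; i < n && rc == 0; i++)
        rc = body_rx_append(&rx, chunks[i], strlen(chunks[i]));
    if (rc == 0 && rx.received != rx.declared)
        rc = -1;                   /* short body: reject as well */
    free(rx.buf);
    return rc;
}
```
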

As security company Eclypsium explains, the bug could be exploited remotely in a man-in-the-middle attack, if the attacker can intercept traffic between the victim and the HTTP server supporting network boot.

A local attacker could manipulate the boot order to load a vulnerable version of Shim, while an attacker on the same network could “manipulate PXE to chain-load a vulnerable Shim bootloader”, Eclypsium said.

Because the attacker can control the system before the kernel is loaded, they have privileged access and “the ability to circumvent any controls implemented by the kernel and operating system”.

While Red Hat is Shim’s maintainer, the software is used by any Linux distribution with secure boot support, including Ubuntu, Debian, Rocky, AlmaLinux, openSUSE and Oracle Linux.

The upstream fix is in Shim 15.8 at GitHub.

Copyright © iTnews.com.au . All rights reserved.