Linux Shim Bootloader Flaw Expose Most Linux Distros to Code Execution Attacks

Shim is a small application used by open-source projects and other third parties for verifying and running the bootloader (typically GRUB2). The application was developed specifically to circumvent legal issues arising from license compatibility.

Shim has become a critical piece of software for many Linux distributions to support secure boot. However, it has been discovered with a new vulnerability related to out-of-bounds written in HTTP protocol handling that could allow a threat actor to compromise a victim machine completely. This vulnerability has been assigned with CVE-2023-40547, and the severity has been given as 9.8 (Critical).

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Shim Bootloader Flaw

Shim is maintained by Red Hat and used in almost all Linux distributions that support secure boot, including Debian, Ubuntu, SUSE, and many others. Along with this vulnerability, five other vulnerabilities were also identified, all of them with medium and high severities.

The vulnerabilities are as follows:

  • CVE-2023-40546 – LogError() invocation (NULL pointer dereference). Severity – 6.2 (Medium).
  • CVE-2023-40548 – Integer overflow on SBAT section size on 32-bit systems (heap overflow). Severity – 7.4 (High).
  • CVE-2023-40549 – Out-of-bounds read when loading a PE binary. Severity – 6.2 (Medium).
  • CVE-2023-40550 – Out-of-bounds read when trying to validate the SBAT information. Severity – 5.5 (Medium).
  • CVE-2023-40551 – Out-of-bounds in MZ binaries. Severity – 5.1 (Medium).

A few attack methods were possible with the exploitation of these vulnerabilities over the Shim application, as mentioned by the Eclypsium.

Changing of Bootloader (Source: Eclypsium)
Changing of Bootloader (Source: Eclypsium)

Attack Vector 1: 

A Man-in-the-Middle (MiTM) attack can be performed which would a threat actor to intercept HTTP traffic between the victim and the HTTP server used for the HTTP boot. In this attack vector, the threat actor can be located at any part of the network segment to execute this attack.

Attack Vector 2: 

An attacker with enough privileges can manipulate the data in the EFI variables or on the EFI partition, which can be done through a live Linux USB stick. Additionally, the boot order can be changed to a vulnerable Shim version that could be leveraged to execute arbitrary codes from the same remote server without disabling the secure boot.

Attack Vector 3:

A threat actor can manipulate PXE (Preboot Execution Environment) to load a vulnerable shim bootloader and gain control over the system by exploiting the vulnerable version.

This attack gets executed before the kernel is loaded, which means that the threat actor can gain privileged access to the system that can be utilized to bypass kernel control and OS controls.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.