CVE-2023-40547: The Critical Shim Flaw Compromising Linux Bootloaders
A recently disclosed vulnerability strikes at the core of the system boot process and undermines the guarantees that Secure Boot is meant to provide. The flaw lives in shim, a small and seemingly innocuous EFI application, and has drawn attention across the security community.
Shim is the linchpin of Secure Boot on Linux: it bridges the gap between the firmware's trust in a single vendor-signed binary and the practical need to run the distribution's own bootloader and kernel. Its primary job is to validate and execute the next-stage application, first through the standard EFI verification calls and, if those fail, by falling back on a certificate built into shim itself. This dual approach lets shim preserve the integrity of the boot chain so that only verified software is allowed to run. CVE-2023-40547 does not lie in that verification logic, however, but in the code shim uses to fetch the next-stage binary over the network, and that is where its security assurances break down.
Rated with a CVSS score of 8.3, CVE-2023-40547 is a remote code execution vulnerability in shim. The root cause is that shim trusts attacker-controlled values while parsing an HTTP response. An attacker who can serve or tamper with that response, for example a rogue server on the boot network or a man-in-the-middle, can craft a malicious HTTP response that drives shim into an out-of-bounds write. Because this code runs before the operating system, and before any signature check on the file being fetched, code execution at this stage runs with firmware privileges and can lead to complete compromise of the system. The prerequisite is that shim is fetching its next stage over HTTP (or a related protocol) at the time, so systems that never network-boot are exposed only if an attacker can first steer them onto that path.
At the heart of the vulnerability is the way shim retrieves files over HTTP: it allocates a receive buffer sized from the Content-Length value in the response headers, then copies the body chunks using the lengths reported by the transport protocol for each chunk. Both values come from the attacker, and shim never reconciled them. By declaring a Content-Length smaller than the body it actually sends, the attacker makes shim allocate a buffer that is too small and then copy the larger body into it, writing past the end of the allocation.
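The following C program is an added illustration of that pattern and is not shim's own code; the header parsing, the chunk structure and the sample response are all constructed for the example. The unpatched receiver sizes its buffer from Content-Length and copies each chunk by its own length, and to keep the demonstration memory-safe the buffer sits at the front of a larger arena with a canary region behind it, so a corrupted canary shows the copy overran the allocation exactly as the real bug would. The patched receiver performs the check that was missing: a chunk that would exceed the remaining space is rejected.

```c
/* Added example modelling the CVE-2023-40547 pattern (not shim's code). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One body chunk as the transport hands it back; len is attacker-influenced. */
struct chunk { const uint8_t *data; size_t len; };

#define CANARY 0xA5

/* Pull Content-Length out of a CRLF-separated header block (constructed
 * parser for the example). Returns 1 on success, 0 if absent or unparsable. */
static int parse_content_length(const char *headers, size_t *out)
{
    const char *p = strstr(headers, "Content-Length:");
    if (!p) return 0;
    p += strlen("Content-Length:");
    while (*p == ' ') p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (end == p) return 0;
    *out = (size_t)v;
    return 1;
}

/* Unpatched pattern: buffer sized from the header, chunks copied by their own
 * length with no check. The logical buffer occupies the first content_length
 * bytes of an arena; everything after it is canary. Returns 1 if the copy ran
 * past the logical buffer (the out-of-bounds write), 0 if not, -1 on error. */
int unpatched_receive_corrupts_heap(const char *headers,
                                    const struct chunk *chunks, size_t nchunks)
{
    size_t content_length, slack = 0, written = 0;
    if (!parse_content_length(headers, &content_length)) return -1;
    for (size_t i = 0; i < nchunks; i++) slack += chunks[i].len;

    uint8_t *arena = malloc(content_length + slack + 1);
    if (!arena) return -1;
    memset(arena + content_length, CANARY, slack + 1);

    for (size_t i = 0; i < nchunks; i++) {
        memcpy(arena + written, chunks[i].data, chunks[i].len); /* no bounds check */
        written += chunks[i].len;
    }
    int corrupted = 0;
    for (size_t i = 0; i < slack + 1; i++)
        if (arena[content_length + i] != CANARY) { corrupted = 1; break; }
    free(arena);
    return corrupted;
}

/* Patched pattern: same allocation, but a chunk that would exceed what is
 * left in the buffer is refused, and a body shorter than declared is also
 * rejected rather than handed on half-filled. Returns 1 and fills *out and
 * *out_len on success (caller frees), 0 on any mismatch or allocation failure. */
int patched_receive(const char *headers, const struct chunk *chunks,
                    size_t nchunks, uint8_t **out, size_t *out_len)
{
    size_t content_length, written = 0;
    if (!parse_content_length(headers, &content_length)) return 0;
    uint8_t *buf = malloc(content_length ? content_length : 1);
    if (!buf) return 0;
    for (size_t i = 0; i < nchunks; i++) {
        if (chunks[i].len > content_length - written) { free(buf); return 0; }
        memcpy(buf + written, chunks[i].data, chunks[i].len);
        written += chunks[i].len;
    }
    if (written != content_length) { free(buf); return 0; }
    *out = buf;
    *out_len = written;
    return 1;
}

/* Constructed sample response: the header promises 8 bytes, but a malicious
 * server follows the 8-byte chunk with 10 more bytes. */
static const char SAMPLE_HEADERS[] =
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    "Content-Length: 8\r\n\r\n";
static const uint8_t PART1[] = "ABCDEFGH";   /* exactly the declared 8 bytes */
static const uint8_t PART2[] = "OVERFLOW!!"; /* 10 extra bytes sent anyway */

int demo_unpatched_malicious(void)
{
    struct chunk c[2] = { { PART1, 8 }, { PART2, 10 } };
    return unpatched_receive_corrupts_heap(SAMPLE_HEADERS, c, 2);
}
int demo_patched_malicious(void)
{
    struct chunk c[2] = { { PART1, 8 }, { PART2, 10 } };
    uint8_t *buf; size_t len;
    int ok = patched_receive(SAMPLE_HEADERS, c, 2, &buf, &len);
    if (ok) free(buf);
    return ok;
}
int demo_patched_benign(void)   /* honest server: body split 4 + 4 */
{
    struct chunk c[2] = { { PART1, 4 }, { PART1 + 4, 4 } };
    uint8_t *buf; size_t len;
    if (!patched_receive(SAMPLE_HEADERS, c, 2, &buf, &len)) return 0;
    int match = (len == 8 && memcmp(buf, "ABCDEFGH", 8) == 0);
    free(buf);
    return match;
}

int main(void)
{
    printf("unpatched, malicious response: heap corrupted = %d\n", demo_unpatched_malicious());
    printf("patched,   malicious response: accepted = %d\n", demo_patched_malicious());
    printf("patched,   benign response:    accepted = %d\n", demo_patched_benign());
    return 0;
}
```

The design point is that the Content-Length header is only a hint about how much memory to reserve; the lengths that actually drive the copy must be bounded by that reservation, and in the example a chunk is checked against the remaining space before it is copied rather than after.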
CVE-2023-40547 was discovered and reported by Bill Demirkapi of the Microsoft Security Response Center.
The fix shipped in shim version 15.8, which adds the missing check that the received data does not exceed the rx buffer's allocation. Upgrading the package is only part of the remediation, however: older shim builds remain validly signed and bootable until they are revoked, whether through the firmware's forbidden-signature database or an updated SBAT policy, so an attacker who can substitute an old shim can still reach the vulnerable code path. That the affected code shipped in signed shim builds for roughly a decade, and therefore in effectively every Linux bootloader chain that relies on shim, underscores the scope of CVE-2023-40547. The vulnerability not only undercuts the protection Secure Boot is supposed to provide but also serves as a reminder of how much trusted code runs before the operating system ever loads.