Critical Bootloader Vulnerability in Shim Impacts Nearly All Linux Distros

Summary:
A critical vulnerability has been discovered in the shim bootloader used by nearly all Linux distributions. The flaw, tracked as CVE-2023-40547, could allow remote code execution and a Secure Boot bypass. It arises from shim's handling of the HTTP protocol, which exposes it to man-in-the-middle attacks. By intercepting HTTP traffic between the victim and the legitimate server, threat actors could exploit this vulnerability to compromise the boot process and gain privileged access to the system before the kernel is loaded. Access at this stage lets an attacker bypass any controls implemented by the kernel and operating system, posing a substantial risk to the integrity and security of affected systems.

Security Officer Comments:
The vulnerability was discovered by Bill Demirkapi of the Microsoft Security Response Center. Its severity is reflected in a CVSS score of 9.8, indicating the potential impact on system security. The urgency of addressing the issue is further underscored by the release of shim version 15.8, which patches not only CVE-2023-40547 but also five other security flaws.

Suggested Corrections:
According to researchers at Eclypsium, as with previous vulnerabilities in boot-process software such as BootHole, the Secure Boot chain of trust must be updated. This means the UEFI Secure Boot DBX (revocation list) must be updated to include the hashes of the vulnerable shim binaries, and new patched versions of shim must be signed with the Microsoft 3rd Party CA. This must be done alongside updating to the new shim version containing the patch. The order of operations is important: users must first update to the latest version of shim, and only then apply the DBX update, since revoking the currently installed shim before replacing it would leave the system unable to boot under Secure Boot.
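The ordering requirement above is easy to get wrong in automation, so the following is an added example (not from the advisory, Eclypsium, or the shim project) of a pre-flight check that enforces it: it reads the version banner embedded in a shim binary, compares it against the 15.8 fix release named on this page, and refuses to proceed with a DBX update when the installed shim is unpatched or would itself be revoked. It assumes shim embeds a "$Version: N.N $" banner (as shim's version.c does); the sample binaries and hashes below are constructed, and the Authenticode hash of the installed shim is taken as an input because DBX entries are PE Authenticode hashes, not plain sha256sum output of the file.

```python
import re

# First shim release carrying the fix, per the advisory.
PATCHED_VERSION = (15, 8)

# Assumption: shim binaries embed a banner such as "$Version: 15.8 $"
# (from shim's version.c). Builds without it yield None below.
_VERSION_RE = re.compile(rb"\$Version:\s*([0-9]+(?:\.[0-9]+)*)\s*\$")


def parse_shim_version(blob: bytes):
    """Return the embedded shim version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(blob)
    if m is None:
        return None
    # Tuples compare numerically, so 15.10 correctly sorts above 15.8
    # (a string comparison would get this wrong).
    return tuple(int(p) for p in m.group(1).decode("ascii").split("."))


def is_patched(version) -> bool:
    """True when the version is at or above the first fixed release."""
    return version is not None and version >= PATCHED_VERSION


def plan_remediation(shim_blob: bytes, installed_auth_hash: str, proposed_dbx: set) -> dict:
    """Decide the next step while preserving the required order:
    1. install a patched shim; 2. only then add old shim hashes to DBX.

    installed_auth_hash: hex PE Authenticode SHA-256 of the shim currently
    on the ESP (obtained from a PE-hashing tool; constructed in the tests).
    proposed_dbx: hex hashes the pending DBX update would revoke.
    """
    version = parse_shim_version(shim_blob)
    if version is None:
        return {"action": "unknown-shim-version",
                "reason": "could not read a version banner; confirm shim before touching DBX"}
    if not is_patched(version):
        return {"action": "update-shim-first",
                "reason": "installed shim %s is below %s"
                          % (".".join(map(str, version)), ".".join(map(str, PATCHED_VERSION)))}
    revoked = {h.lower() for h in proposed_dbx}
    if installed_auth_hash.lower() in revoked:
        return {"action": "abort",
                "reason": "proposed DBX entries would revoke the installed shim itself"}
    return {"action": "apply-dbx-update",
            "reason": "shim %s is patched and not in the revocation list"
                      % ".".join(map(str, version))}


# Constructed sample "binaries": just enough bytes to carry the banner.
SAMPLE_OLD_SHIM = b"MZ\x90\x00...UEFI SHIM\n$Version: 15.7 $\n$BuildMachine: constructed $\n"
SAMPLE_NEW_SHIM = b"MZ\x90\x00...UEFI SHIM\n$Version: 15.8 $\n$BuildMachine: constructed $\n"

# Constructed placeholder hashes (not real shim Authenticode hashes).
OLD_HASH = "a" * 64
NEW_HASH = "b" * 64

if __name__ == "__main__":
    for blob, h in ((SAMPLE_OLD_SHIM, OLD_HASH), (SAMPLE_NEW_SHIM, NEW_HASH)):
        print(plan_remediation(blob, h, {OLD_HASH}))
```

Run against a real ESP, the blob would be the contents of the signed shim file and the hash would come from a PE-hashing tool; the "abort" branch is the case the advisory's ordering rule exists to prevent.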

Link(s):
https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html

https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/