Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Critical shim bug impacts every Linux boot loader signed in the past decade

The maintainers of Shim addressed six vulnerabilities, including a critical flaw that could potentially lead to remote code execution. The maintainers of ‘shim’ addressed six vulnerabilities with the release of version 15.8. The most severe of these vulnerabilities, tracked as CVE-2023-40547 (CVSS score: 9.8), can lead to remote code execution under specific circumstances. The vulnerability CVE-2023-40547 is […]

Linux Dirty Frag DirtyDecrypt PinTheft

The maintainers of Shim addressed six vulnerabilities, including a critical flaw that could potentially lead to remote code execution.

The maintainers of ‘shim’ addressed six vulnerabilities with the release of version 15.8. The most severe of these vulnerabilities, tracked as CVE-2023-40547 (CVSS score: 9.8), can lead to remote code execution under specific circumstances.

The vulnerability CVE-2023-40547 is an RCE in http boot support that can lead to Secure Boot bypass

“A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.” reads the advisory.

shim is a small piece of code used by most Linux distributions in the boot process to support Secure Boot.

It is frequently employed when either the bootloader or the operating system kernel lacks a signature recognized by the UEFI firmware. The shim, signed with a key trusted by the firmware, enables the loading and execution of an unsigned bootloader or kernel.

The flaw was discovered by Bill Demirkapi of the Microsoft Security Response Center (MSRC).

“Discovered and reported by Bill Demirkapi at Microsoft’s Security Response Center, this particular vulnerability stems from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise.” reads the post published by Eclypsium.

Demirkapi warns that the vulnerability impacts every Linux boot loader signed in the past decade.

Researchers from Eclypsium illustrated the following attack scenarios:

An attacker could execute a Man-in-the-Middle (MiTM) attack to intercept HTTP traffic between the victim and the HTTP server while serving files in support of HTTP boot. This attack could be conducted from any network segment positioned between the victim and the legitimate server.

Additionally, an attacker with sufficient privileges can trigger the issue to manipulate data in the EFI Variables or on the EFI partition, achieved through a live Linux USB stick. The attacker can modify the boot order to load a remote and vulnerable shim on the system, enabling the execution of privileged code from the same remote server without disabling Secure Boot.

In a third attack path, an attacker on the same network can manipulate PXE to chain-load a vulnerable shim bootloader. Exploiting this vulnerability grants the attacker control over the system before the kernel is loaded, providing privileged access and the ability to bypass any controls implemented by the kernel and operating system.

“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to circumvent any controls implemented by the kernel and operating system.” states Eclypsium.

Below are the other vulnerabilities in shim fixed by the maintainers:

  • CVE-2023-40546 – Fixes a LogError() invocation (NULL pointer dereference).
  • CVE-2023-40548 – Fixes an integer overflow on SBAT section size on 32-bit systems (heap overflow).
  • CVE-2023-40549 – Fixes an out-of-bounds read when loading a PE binary.
  • CVE-2023-40550 – Fixes an out-of-bounds read when trying to validate the SBAT information.
  • CVE-2023-40551 – Fix bounds check for MZ binaries

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Shim)