Exploiting the High-Risk Vulnerabilities in Secure Boot of Most Linux Devices on the Planet

In the ever-evolving landscape of cybersecurity, a new vulnerability identified as CVE-2023-40547 has emerged, casting a shadow over the security of most Linux systems. This vulnerability, discovered within the shim bootloader—a cornerstone component for supporting Secure Boot—poses a critical risk, potentially allowing attackers to gain unauthorized control over the boot process of affected systems.

Understanding Shim and Its Role in Secure Boot

Shim plays a pivotal role in the Linux boot process, especially in systems utilizing Secure Boot, a security standard developed to ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). Due to licensing incompatibilities that prevent direct signing of the bootloader (GRUB2) by Microsoft, the shim bootloader was developed. Shim includes a vendor’s certificate and code that verifies and runs the bootloader, effectively bridging the gap between open-source software and Secure Boot requirements. The shim is first verified using Microsoft’s 3rd Party UEFI CA, which then loads and verifies the GRUB2 bootloader using the embedded vendor certificate.

The CVE-2023-40547 Vulnerability

Reported by Bill Demirkapi at Microsoft’s Security Response Center, CVE-2023-40547 is attributed to an out-of-bounds write vulnerability within shim’s HTTP protocol handling. This flaw can be exploited to achieve complete system compromise before the kernel loads, circumventing any security measures implemented at the operating system level. The vulnerability, maintained by Red Hat for most Linux distributions, received a CVSS score of 9.8 (Critical) by NVD and 8.3 (High) by Red Hat, underscoring its severity.

How cybercriminals forge digital signatures on kernel-mode malicious drivers to bypass EDR

Broader Implications and Additional Vulnerabilities

While CVE-2023-40547 directly impacts shim, it’s crucial to note that this is not an isolated issue. Alongside this critical vulnerability, five additional vulnerabilities with medium severity have been disclosed, affecting various aspects of shim’s functionality, from handling PE binaries to validating SBAT information. These vulnerabilities collectively highlight the complex security landscape that developers and users must navigate.

The discovery of CVE-2023-40547 in the shim bootloader has brought to light additional vulnerabilities within the same component. Here’s a list of all five additional flaws identified alongside CVE-2023-40547, each presenting unique challenges to the security of systems utilizing shim for Secure Boot:

CVE-2023-40546: This vulnerability addresses a flaw in the LogError() function, specifically a NULL pointer dereference issue. This type of vulnerability can lead to denial of service (DoS) attacks or other undefined behaviors in software, potentially allowing attackers to exploit the system further.
CVE-2023-40548: Identified as an integer overflow vulnerability, this flaw occurs in the handling of the SBAT section size on 32-bit systems, leading to a heap overflow. Integer overflow vulnerabilities can result in the execution of malicious code, corruption of data, or a crash of the affected system.
CVE-2023-40549: This vulnerability is an out-of-bounds read issue that occurs when loading a Portable Executable (PE) binary. Out-of-bounds read issues can lead to information disclosure, allowing an attacker to gain insights into system memory which might contain sensitive information or pointers that could be used in further exploits.
CVE-2023-40550: Similar to CVE-2023-40549, this flaw also involves an out-of-bounds read, but it specifically occurs when trying to validate the SBAT (UEFI Secure Boot Advanced Targeting) information. This vulnerability could potentially be exploited to bypass Secure Boot restrictions or to disclose information that could facilitate further attacks.
CVE-2023-40551: This vulnerability addresses a bounds check issue for MZ (Mark Zbikowski) binaries, a format used in DOS-compatible operating systems. Proper bounds checking is crucial to prevent buffer overflow attacks, and a flaw here could allow attackers to execute arbitrary code or cause a denial of service.

Each of these vulnerabilities, while scored as medium severity, underscores the complexity and importance of securing the boot process in modern computing environments. The identification and prompt remediation of these flaws are critical steps in maintaining the integrity and security of systems relying on Secure Boot technology.

Attack Vectors and Remediation Strategies

The exploitation of CVE-2023-40547 can occur through several attack vectors, including Man-in-the-Middle (MiTM) attacks intercepting HTTP boot traffic, local attacks manipulating EFI Variables or the EFI partition, and network-based attacks utilizing PXE to chain-load a vulnerable shim bootloader. The comprehensive nature of these attack paths underscores the necessity for robust security measures.

To mitigate the risks posed by CVE-2023-40547 and associated vulnerabilities, a multi-faceted approach to updating the Secure Boot chain of trust is required. This includes updating the UEFI Secure Boot DBX (revocation list) to include hashes of the vulnerable shim software and signing new, patched versions of shim with the Microsoft 3rd Party CA. Linux users are advised to first update to the latest version of shim before applying the DBX update, a process that can be facilitated using tools like fwupd.

The discovery of CVE-2023-40547 and related vulnerabilities within the shim bootloader serves as a stark reminder of the ongoing challenges in securing the boot process against sophisticated threats. The collaborative efforts of the cybersecurity community, including researchers, developers, and security firms like Eclypsium, play a crucial role in identifying, reporting, and mitigating such vulnerabilities. As the digital landscape continues to evolve, the commitment to proactive security measures remains paramount in protecting against the ever-present threat of unauthorized system access and compromise.

The incident surrounding CVE-2023-40547 not only highlights the technical intricacies and challenges of securing modern computing environments but also emphasizes the importance of community engagement and response in the face of cybersecurity threats. Through collective vigilance and action, the potential impact of such vulnerabilities can be significantly reduced, safeguarding the integrity and trustworthiness of countless systems worldwide.

Mike Stevens

Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.

Exploiting the High-Risk Vulnerabilities in Secure Boot of Most Linux Devices on the Planet

Understanding Shim and Its Role in Secure Boot

The CVE-2023-40547 Vulnerability

Broader Implications and Additional Vulnerabilities

Attack Vectors and Remediation Strategies

Critical Vulnerabilities in Cisco ASA & FTD Exposed! Learn How to Exploit CVE-2024-20353 and CVE-2024-20359

Dual Vulnerabilities in Microsoft SharePoint Server: Essential Steps to Mitigate Vulnerabilities

Exploiting the High-Risk Vulnerabilities in Secure Boot of Most Linux Devices on the Planet

Hackers’ New Target is containerized environments through vulnerabilities in runC

Hacking Android, Linux, macOS, iOS, Windows Devices via Bluetooth using a single vulnerability

Dark Web Sale: AMD’s Confidential Data Leaked – Full Story Revealed!

How Snowflake Hack is Linked to Santander(Spain, Chile, Uruguay) and Ticketmaster Breaches.Are You Affected?

Healthcare Hack Horror: Cyberattacks Leave French Hospitals in Chaos for $10 Million

Hacking the Unhackable: The Story of How CISA Was Breached

The Cloudflare Hack: A Hacker, 5000 Credentials, and Operation Code Red

Hijacked Data:LockBit Ransomware Gang Targets Aerospace Giant Boeing

Timeless Targets: After Casio, Seiko Group hacked again by Ransomware gang

Comparing CIS v8, CIS AWS Foundations Benchmark v1.5, and PCI DSS v4.0 for CSPM. Which you Should Start With?

MITRE EMB3D Explained: Top Threats to Embedded Devices and How EMB3D Mitigates Them

Google Gemini Under Fire: Critical Security Vulnerabilities You Need to Know to hack Gemini

Cracking SCCM Wide Open: Pentesting System Center Configuration Manager with Misconfiguration Manager

Hacking Windows 10 and 11 with DLL Search Order Hijacking without administrator rights

Hacking SSH Connections by exploiting SSH Protocol Vulnerabilities: Different Terrapin Attack Vectors

Understanding Latest DHCP DNS Vulnerabilities and How DHCP Exploits work in Active Directory

Hacking Bluetooth via MiTM: The BLUFFS Bluetooth attack to hack into Millions of Devices

6 Steps to File Anonymous SEC Complaints Against Data Breachers & Force Them to Pay Fines or Take Action

Inside the Exploit: How Your ChatGPT’s Uploaded Files Could Be Stolen by Prompt Injection Vulnerability

This Google Calendar technique allows to hack into companies without getting detected

This telegram bot is like ChatGPT for scammers to steal money from victims easily

How easy is to bomb someone mobile phone with thousands of SMS messages?

This new DDoS attack prevention technique has a 99% accuracy rate

How to secure Cisco Firepower Threat Defense (FTD) firewalls ?

The Dark Side of PDFs: How Opening a Simple PDF Could Unleash a Cybersecurity Nightmare

Largest soft drink bottle supplier, recycle and plastic manufacturers hacked by ransomware

Visited thesaurus.com in search for Synonyms? You have Coinminer malware infection

How to send malware via Teams, even “Safe Attachments” or “Safe Links” can’t protect you

2 Big Cloud hosting companies shutdown by ransomware and lose all customer data