Shim Shocker! New 15.8 Update Seals Six Security Gaps, Thwarts Critical Boot Hijack Hazard

Beware, Boot Loader Buffs! Shim’s latest release patches a pants-wetting flaw (CVE-2023-40547) that could’ve let attackers shimmy right past your system’s Secure Boot. Thanks, Bill Demirkapi, for not letting our boots get booted by baddies! #SecureBootScare

Hot Take:

It seems like shim’s got more holes than my grandma’s knitting project, and just like her sweaters, hackers could slip through them with ease! But fret not, the cyber seamstresses over at shim HQ have patched things up with version 15.8. So, update your bootloaders, folks, or you might just get booted in ways you never imagined!

Key Points:

  • Shim version 15.8 is out to save our boots from a critical bug, CVE-2023-40547, rated high enough on the CVSS scale to give a hacker vertigo.
  • Billy the Bug Slayer (aka Bill Demirkapi, of Microsoft) spotted the flaw, which can lead to a Secure Boot bypass and remote code execution inside the boot loader itself.
  • This isn’t just a one-hit-wonder; shim version 15.8 also fixes five other vulnerabilities that could make your boot process sing the blues.
  • The HTTP boot bug fires before the kernel has even woken up, so an attacker who lands it is calling the shots before any OS-level defence gets a say.
  • Remember, kids, in the world of cybersecurity, an ounce of patching is worth a pound of hacking headaches.
Title: Shim: rce in http boot support may lead to secure boot bypass
Cve id: CVE-2023-40547
Cve state: PUBLISHED
Cve assigner short name: redhat
Cve date updated: 02/02/2024
Cve description: A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.
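The bug class in that description, as an added example that is not shim's code: an HTTP client sizes its receive buffer from the attacker-controlled Content-Length header and then copies body chunks into it without checking that the total stays inside that size, beside a version that treats the declared length as a limit. The fake connection, the guard region, the sample response and every function name here are constructed for this demo.

```c
/*
 * Added example, not shim's code. Models the bug class behind CVE-2023-40547:
 * an HTTP client in a boot loader allocates from the attacker-controlled
 * Content-Length header, then copies body chunks into that buffer without
 * re-checking the total. All names, the fake connection and the sample
 * response are constructed for this demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK 16   /* bytes handed back per receive call */
#define GUARD 64   /* bytes placed after the buffer so the demo can observe the overflow safely */

/* Stand-in for the UEFI HTTP protocol: body bytes come from an in-memory array. */
struct fake_conn {
    const uint8_t *body;
    size_t body_len;
    size_t offset;
};

static size_t fake_recv(struct fake_conn *c, uint8_t *out, size_t max)
{
    size_t left = c->body_len - c->offset;
    size_t n = left < max ? left : max;
    memcpy(out, c->body + c->offset, n);
    c->offset += n;
    return n;
}

/* Vulnerable pattern: trusts content_length for the allocation and never
 * re-checks it while copying. Returns 1 if the copy ran past content_length
 * into the guard region (in a real loader that region is whatever the
 * allocator placed next), 0 if it stayed inside, -1 on allocation failure. */
static int receive_body_vulnerable(struct fake_conn *c, size_t content_length)
{
    uint8_t *buf = malloc(content_length + GUARD);
    if (!buf) return -1;
    memset(buf + content_length, 0xAA, GUARD);

    uint8_t chunk[CHUNK];
    size_t received = 0, n;
    while ((n = fake_recv(c, chunk, sizeof chunk)) > 0) {
        memcpy(buf + received, chunk, n);   /* no check: received + n may exceed content_length */
        received += n;
    }

    int clobbered = 0;
    for (size_t i = 0; i < GUARD; i++)
        if (buf[content_length + i] != 0xAA) clobbered = 1;
    free(buf);
    return clobbered;
}

/* Hardened pattern: the declared length is a limit, not a promise. Reject an
 * unreasonable Content-Length, stop before any chunk would exceed it, and
 * treat a short body as an error. Returns 0 on success, -1 on any failure. */
static int receive_body_hardened(struct fake_conn *c, size_t content_length,
                                 size_t max_len, uint8_t **out)
{
    *out = NULL;
    if (content_length == 0 || content_length > max_len) return -1;
    uint8_t *buf = malloc(content_length);
    if (!buf) return -1;

    uint8_t chunk[CHUNK];
    size_t received = 0, n;
    while ((n = fake_recv(c, chunk, sizeof chunk)) > 0) {
        if (n > content_length - received) { free(buf); return -1; }  /* body longer than declared */
        memcpy(buf + received, chunk, n);
        received += n;
    }
    if (received != content_length) { free(buf); return -1; }      /* truncated body */
    *out = buf;
    return 0;
}

/* Constructed malicious response: the header declares 16 bytes, the server sends 40. */
#define DECLARED_LEN 16
static const uint8_t evil_body[40] = "AAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBB" "CCCCCCCC";

int demo_vulnerable_overflows(void)
{
    struct fake_conn c = { evil_body, sizeof evil_body, 0 };
    return receive_body_vulnerable(&c, DECLARED_LEN);               /* 1: guard bytes were overwritten */
}

int demo_hardened_rejects(void)
{
    struct fake_conn c = { evil_body, sizeof evil_body, 0 };
    uint8_t *out;
    return receive_body_hardened(&c, DECLARED_LEN, 1u << 20, &out);  /* -1: second chunk would overflow */
}

int demo_hardened_accepts_honest(void)
{
    struct fake_conn c = { evil_body, DECLARED_LEN, 0 };             /* body matches the declared length */
    uint8_t *out;
    int rc = receive_body_hardened(&c, DECLARED_LEN, 1u << 20, &out);
    int ok = rc == 0 && out != NULL && memcmp(out, evil_body, DECLARED_LEN) == 0;
    free(out);
    return ok;
}

int main(void)
{
    printf("vulnerable path wrote past its buffer: %d\n", demo_vulnerable_overflows());
    printf("hardened path rejected the oversized body: %d\n", demo_hardened_rejects());
    printf("hardened path accepted an honest body: %d\n", demo_hardened_accepts_honest());
    return 0;
}
```

The guard region exists only so the demo can prove the overwrite without undefined behaviour; a boot loader has no such cushion, and whatever the allocator placed after the buffer is what gets overwritten, which is why the advisory calls the result a controlled out-of-bounds write.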

Title: Shim: out of bounds read when parsing mz binaries
Cve id: CVE-2023-40551
Cve state: PUBLISHED
Cve assigner short name: redhat
Cve date updated: 02/05/2024
Cve description: A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.

Title: Shim: out-of-bound read in verify_buffer_sbat()
Cve id: CVE-2023-40550
Cve state: PUBLISHED
Cve assigner short name: redhat
Cve date updated: 02/05/2024
Cve description: An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.

Title: Shim: out-of-bounds read printing error messages
Cve id: CVE-2023-40546
Cve state: PUBLISHED
Cve assigner short name: redhat
Cve date updated: 02/05/2024
Cve description: A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances.

Title: Shim: out-of-bounds read in verify_buffer_authenticode() malformed pe file
Cve id: CVE-2023-40549
Cve state: PUBLISHED
Cve assigner short name: redhat
Cve date updated: 02/05/2024
Cve description: An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.

Title: Shim: integer overflow leads to heap buffer overflow in verify_sbat_section on 32-bit systems
Cve id: CVE-2023-40548
Cve state: PUBLISHED
Cve assigner short name: redhat
Cve date updated: 02/06/2024
Cve description: A buffer overflow was found in Shim on 32-bit systems. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.
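The two arithmetic mistakes behind the PE-parsing records above, as an added example that is not shim's code: using a length read from the image without checking that many bytes exist (the out-of-bounds read class of CVE-2023-40549, CVE-2023-40550 and CVE-2023-40551) and computing `size + 1` in 32-bit arithmetic from an attacker-chosen size (the 32-bit heap overflow of CVE-2023-40548). The "image" format is a constructed stand-in, a 4-byte little-endian length followed by the section bytes, and all function names are hypothetical.

```c
/*
 * Added example, not shim's code. Shows the arithmetic behind the PE-parsing
 * CVEs: an unchecked length used as a read bound, and a `size + 1` that wraps
 * on a 32-bit build. The image format is a constructed stand-in:
 * 4-byte little-endian length, then the section bytes.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable arithmetic as it behaves on a 32-bit build, where the allocation
 * size is a 32-bit quantity: the +1 for a terminating NUL wraps to 0 when the
 * attacker sets size to 0xFFFFFFFF. The allocator hands back a tiny buffer
 * and the copy that follows writes far past it. Only the size computation is
 * shown; performing the copy would be the crash itself. */
uint32_t vulnerable_alloc_size(uint32_t section_size)
{
    return section_size + 1;
}

/* Hardened replacement: refuse to compute a size that would wrap. */
int checked_alloc_size(uint32_t section_size, uint32_t *out)
{
    if (__builtin_add_overflow(section_size, 1u, out)) return -1;
    return 0;
}

/* Hardened parse: every attacker-controlled number is checked against the
 * bytes actually present before it is used as a length or an allocation size.
 * Returns a NUL-terminated copy of the section, or NULL on any failure. */
char *parse_section_hardened(const uint8_t *image, size_t image_len)
{
    if (image_len < 4) return NULL;                  /* reading the header would itself run off the end */
    uint32_t size = read_le32(image);
    if (size > image_len - 4) return NULL;           /* section claims more bytes than the image holds */
    uint32_t alloc;
    if (checked_alloc_size(size, &alloc) != 0) return NULL;
    char *copy = malloc(alloc);
    if (!copy) return NULL;
    memcpy(copy, image + 4, size);
    copy[size] = '\0';
    return copy;
}

/* Constructed images: an honest 5-byte section, one claiming more bytes than
 * exist, and one claiming 0xFFFFFFFF bytes. */
static const uint8_t honest_image[]   = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t overlong_image[] = { 9, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t huge_image[]     = { 0xff, 0xff, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };

int demo_checked_add_rejects_max(void)
{
    uint32_t out;
    return checked_alloc_size(UINT32_MAX, &out) == -1;
}

int demo_honest_parses(void)
{
    char *s = parse_section_hardened(honest_image, sizeof honest_image);
    int ok = s != NULL && strcmp(s, "hello") == 0;
    free(s);
    return ok;
}

int demo_overlong_rejected(void)
{
    return parse_section_hardened(overlong_image, sizeof overlong_image) == NULL;
}

int demo_huge_rejected(void)
{
    return parse_section_hardened(huge_image, sizeof huge_image) == NULL;
}

int main(void)
{
    printf("vulnerable size for 0xFFFFFFFF wraps to: %u\n", vulnerable_alloc_size(UINT32_MAX));
    printf("checked add rejects 0xFFFFFFFF: %d\n", demo_checked_add_rejects_max());
    printf("honest image parses: %d\n", demo_honest_parses());
    printf("overlong image rejected: %d\n", demo_overlong_rejected());
    printf("huge image rejected: %d\n", demo_huge_rejected());
    return 0;
}
```

The bounds check against the real image length is the one that stops the out-of-bounds reads; the checked addition is the one that matters on 32-bit builds, where `size_t` is the same width as the value parsed from the file and the wrap is silent.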

Need to know more?

A Boot Loader in Shining Armor

Our valiant foot soldier, the shim boot loader, is supposed to guard the gates of our UEFI systems. But lo! Six mighty dragons, erm, bugs, threatened the realm, with the fiercest one being a potential Secure Boot slayer. Fear not, though, for our hero has donned its updated armor, version 15.8, to fend off these dastardly dragons!

Bill the Bug Slayer

Enter Bill Demirkapi, a knight of the Microsoft realm, who spotted the digital chink in our armor. This isn't your average "oops, I spilled my coffee on the server" problem; it's a "holy motherboard, Batman!" level flaw that can lead to a full-blown remote code execution fiesta, and it has been lurking in every Linux boot loader signed in the past decade.

A Patchwork of Fixes

Shim version 15.8 isn't just playing whack-a-mole with one bug; it's on a full-blown extermination spree. The other five vulnerabilities are mostly out-of-bounds reads while parsing PE binaries, SBAT data and error messages, with party tricks ranging from crashing the boot phase to leaking memory contents, plus a heap overflow that only bites 32-bit builds. The moral of the story? Update like the wind!

The Early Bird Catches the Worm

For the non-birds among us, let that worm be a lesson: shim's HTTP boot path runs early, before the kernel is even loaded, and that is exactly where this flaw lets an attacker dig in. The one catch for the attacker is reach: the machine has to be booting over HTTP, and the malicious response has to get to it, either from a server they control or by tampering with the traffic on the way (hence the man-in-the-middle tag below). If that lines up, they're not just in your system; they're holding the blueprints, wearing the foreman's hat, and deciding who gets to swing the digital hammer.

Conclusion: A Stitch in Time

Updating might be a chore, but it beats having your system turned into a hacker's playground. So let's get our digital needles out and stitch up these vulnerabilities before they unravel everything. After all, a stitch in time saves nine... or in this case, potentially millions. Patch on, cyber warriors, patch on!

Tags: bootkit threats, CVE-2023-40547, firmware vulnerabilities, HTTP protocol handling, Man-in-the-Middle attack, Secure Boot bypass, UEFI boot loader