CyberWatch

Remote Code Execution Vulnerability Found in Shim

By

By

Access Point Consulting

Summary

A vulnerability has been discovered in Shim, an open-source bootloader on UEFI systems for Linux distributions. The vulnerability, identified as CVE-2023-40547, is a remote code execution vulnerability found by Bill Demirkapi from the Microsoft Security Response Center. The vulnerability allows Shim to trust attacker-controlled values when parsing an HTTP response resulting in a man-in-the-middle attack early in the boot phase. The attacker can craft a malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromised as reported by Red Hat.

Impact Assessment

There is a substantial risk to confidentiality, integrity, and availability resulting from exploitation of this vulnerability. It can allow an attacker to gain complete system control, remotely, before the OS has had time to boot. The vulnerability can also be exploited through network-adjacent and local means.

Red Hat has identified that the Shim component of Red Hat Enterprise Linux 7, 8, and 9 are all affected by this vulnerability. However, due to the nature of this vulnerability affecting Shim, it should affect all Linux distributions which can utilize secure boot with Shim.

What It Means for You

If you utilize a Linux distribution with Shim, remediate.

Remediation

Update to Shim 15.8 through a fwupd firmware update on the command line.

Business Implications

Exploitation of this vulnerability can have devastating consequences on an organization. The vulnerability can allow for a full take-over of a system. This can cause monetary loss due to disaster recovery and business inefficiency and data being lost or compromised due to a system takeover and potential lateral movement.

Access Point Technology Recommends

Patch: Patching Shim to the latest version on all Linux distributions within your network will ultimately prevent this vulnerability from being exploited. Follow remediation steps in the link provided by running fwupd.

Segment network: It is possible to mitigate the exploitation by having proper network segmentation in place and utilizing a zero-trust model. This will help prevent lateral movement and allow for quick and effective action by an incident response team.

Incident response: Having an incident response plan and team is essential when an attacker is performing exploits on your network. Follow these incident response best practices from Atlassian to see where you are with your incident response.

Associated Bulletins

https://www.openwall.com/lists/oss-security/2024/01/26/1

https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d

https://nvd.nist.gov/vuln/detail/CVE-2023-40547#VulnChangeHistorySection

https://access.redhat.com/security/cve/CVE-2023-40547

Resources

Trending Articles & Security Reports

Resources

CyberWatch

November 22, 2024

Patch Updates, New Malware Threats, and the Ongoing Supply Chain Battle

On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.

Find out more
October 25, 2024

Ransomware, Supply Chain Attacks, and Nation-State Threats

CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube. .

Find out more
October 7, 2024

VINs and Losses: How Hackers Take Kias for a Ride

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

Find out more