date 2024-02-08



Linux shim, the small piece of code that many major Linux distributions use during the secure boot process, contains a remote code execution vulnerability that gives attackers complete control over an affected system.

All Linux distributions that support secure boot, including Red Hat, Ubuntu, Debian, and SUSE, are affected by the flaw, identified as CVE-2023-40547. It is the most serious of six Linux shim vulnerabilities that the project's maintainer, Red Hat, recently disclosed and issued an update for (shim 15.8). Bill Demirkapi, a researcher at the Microsoft Security Response Center who discovered the bug and reported it to Red Hat, said the bug affects every Linux boot loader signed in the past decade.

Out-of-bounds write flaw

Red Hat said in an advisory that the bug involves shim boot code that relies on attacker-controlled values when parsing an HTTP response. “This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.”
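The pattern the advisory describes, a length taken from the peer's HTTP response driving a write into a fixed-size buffer, is illustrated below with the hardened form beside a comment showing the flawed one. This is an added example for this article, not shim's own httpboot code; the function names, the `BODY_CAP` buffer size and the sample responses are constructed for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_CAP 1024  /* constructed receive-buffer size for this example */

/*
 * Parse a Content-Length header value. Returns 0 and stores the value in
 * *out on success; returns -1 for empty, signed, non-numeric or oversized
 * input. A header value is untrusted input: nothing downstream may use it
 * before this function has accepted it.
 */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || !isdigit((unsigned char)value[0]))
        return -1;                      /* rejects "", "-1", " 5", "abc" */
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;                      /* overflow or trailing garbage */
    if (n > (unsigned long long)SIZE_MAX || n > (unsigned long long)LONG_MAX)
        return -1;
    *out = (size_t)n;
    return 0;
}

/*
 * Flawed pattern, shown only for contrast and never executed here:
 *
 *     unsigned char buf[BODY_CAP];
 *     size_t declared = <value parsed from the Content-Length header>;
 *     memcpy(buf, body, declared);   // declared is chosen by the peer
 *
 * When the peer declares more bytes than buf can hold, memcpy writes past
 * the end of buf: an attacker-controlled out-of-bounds write.
 */

/*
 * Hardened copy: the declared length must fit the destination and must
 * match the number of bytes actually received before a single byte is
 * copied. Returns the number of bytes copied, or -1 (copying nothing) when
 * the response is inconsistent or would not fit.
 */
long receive_body(const char *content_length_hdr,
                  const unsigned char *received, size_t received_len,
                  unsigned char *dst, size_t dst_cap)
{
    size_t declared;
    if (parse_content_length(content_length_hdr, &declared) != 0)
        return -1;
    if (declared > dst_cap)            /* would overflow the destination */
        return -1;
    if (declared != received_len)      /* header disagrees with the wire */
        return -1;
    memcpy(dst, received, declared);   /* bounded by both checks above */
    return (long)declared;
}

/* Runs the constructed cases; returns 1 if every case behaves as described. */
int self_check(void)
{
    unsigned char buf[BODY_CAP];
    size_t n = 0;
    int ok = 1;

    /* constructed header values, well-formed and malformed */
    ok &= (parse_content_length("16", &n) == 0 && n == 16);
    ok &= (parse_content_length("-1", &n) == -1);
    ok &= (parse_content_length("12abc", &n) == -1);
    ok &= (parse_content_length("", &n) == -1);

    /* constructed body: header and wire agree, fits in buf */
    const unsigned char body[] = "hello";
    ok &= (receive_body("5", body, 5, buf, sizeof buf) == 5 &&
           memcmp(buf, "hello", 5) == 0);
    /* header claims far more than was received and more than buf holds */
    ok &= (receive_body("4096", body, 5, buf, sizeof buf) == -1);
    /* header matches the wire but the destination is too small */
    ok &= (receive_body("5", body, 5, buf, 4) == -1);
    return ok;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "all cases handled" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The point of the two separate checks in `receive_body` is that neither alone is enough: capping the declared length to the buffer still lets a short body leave stale bytes in the buffer that later code may treat as valid, while matching it only to the received length still lets an oversized body overflow the destination.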

The National Vulnerability Database (NVD) and Red Hat had slightly different views on the severity of the vulnerability and its exploitability. NVD assigned the bug a near-maximum severity rating of 9.8 out of 10 on the CVSS 3.1 scale, characterizing it as low in attack complexity and exploitable over the network without user interaction or privileges.

Red Hat gave the bug a more modest severity score of 8.3 and described it as exploitable only from adjacent networks and as having high attack complexity. Maintainers of other affected Linux distributions have shared that more restrained view: Ubuntu, for example, called CVE-2023-40547 a “moderate” severity bug, and SUSE assigned it an “important” rating, which it typically ranks one step below critical.

Red Hat explains the differing scores this way: “CVSS scores for open source components depend on vendor-specific factors (such as version and build chain). Therefore, Red Hat's score and impact assessment may differ from NVD and other vendors.” Even so, both NVD and Red Hat agreed that the vulnerability has a high impact on data confidentiality, integrity, and availability.

A shim bootloader is essentially a small app that loads before the main operating system bootloader on Unified Extensible Firmware Interface (UEFI)-based systems. It acts as a bridge between the UEFI firmware and the main OS bootloader (usually GRUB or systemd-boot for Linux). Its function is to validate the main OS bootloader before loading and running it.

Multiple attack vectors

Researchers at software supply chain security vendor Eclypsium have identified three different vectors that attackers could use to exploit the vulnerability. One is a man-in-the-middle (MiTM) attack, in which an attacker intercepts HTTP traffic between the victim and the HTTP server that serves the files supporting HTTP boot. “The attacker could be on any network segment between the victim and the legitimate server.”

An attacker with sufficient privileges on a vulnerable system could also exploit the vulnerability locally by manipulating Extensible Firmware Interface (EFI) variables or data on the EFI partition. “This can be accomplished using a live Linux USB stick. The boot order can then be changed so that a remote vulnerable shim is loaded onto the system.”

According to Eclypsium, an attacker on the same network as the victim could also manipulate the Preboot Execution Environment to chainload a vulnerable shim bootloader. “An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to bypass any controls implemented by the kernel and operating system,” Bender said.

Overstated severity?

However, some security experts consider that exploiting the vulnerability would require a high degree of complexity and luck. Lionel Litty, chief security architect at Menlo Security, said the bar for exploitation is high because an attacker would already need administrative privileges on the vulnerable device, or would need to target a device that uses network boot and be able to perform a man-in-the-middle attack against that device's local network traffic.

“According to the researcher who discovered this vulnerability, a local attacker could potentially exploit it by modifying the EFI partition and changing the boot sequence,” Litty says. “[But] you must be a full administrator on the victim machine to modify the EFI partition.”

If the device uses network boot and an attacker can perform a MITM attack on the traffic, they can then target the buffer overflow. “They return a malformed HTTP response that triggers the bug, and at that point they can control the boot sequence,” he says. He adds that organizations with machines that use HTTP boot or Preboot Execution Environment (PXE) boot have cause for concern if their environment lets an attacker insert themselves into the traffic between those machines and the boot server.

Shachar Menashe, senior director of security research at JFrog, said Red Hat's assessment of the vulnerability's severity is more accurate than NVD's “over-inflated” score.

There are two possible explanations for the discrepancy, he says. “NVD provided a score based on descriptive keywords, but did not perform a thorough analysis of the vulnerability,” he says. A “malicious HTTP request,” for example, may have been automatically translated into a network attack vector.

NVD may also be assuming a highly unlikely worst-case scenario in which the victim's machine is already configured to boot via HTTP from a server outside the local network and the attacker already controls that HTTP server. “This is a scenario that is very unlikely, and it would cause a ton of problems even unrelated to this CVE,” he says.

