Bootloader gap: Many Linux distributions are at risk
A security hole has been found in the bootloader shim, which enables Secure Boot for non-Windows operating systems.
(Image: Shutterstock / Skorzewiak)
The open-source bootloader shim has a serious security hole that lets attackers, for example from a man-in-the-middle position, inject their own code into the boot process. A complete compromise of affected systems is possible. Updated shim bootloaders are to be distributed shortly.
By its own description, shim is a “trivial EFI application” whose sole job is to verify and start further trusted boot components of non-Windows operating systems under Secure Boot, on PCs whose firmware trusts only Microsoft's UEFI signing keys. At the end of January it became public that shim contains a remotely exploitable vulnerability.
shim: Vulnerable to loading ISOs via HTTP
The reason is that this trivial bootloader can also fetch and boot images over HTTP (UEFI HTTP boot) and, as the security advisory explains, trusts the headers of the HTTP response, such as the declared length of the downloaded image, without validating them against what actually arrives. A malicious boot server, or an attacker who can interpose between shim and the server, can therefore answer with a crafted HTTP response and write beyond the buffer shim allocated, in a fully controlled manner (an out-of-bounds write primitive), which is enough to compromise the entire system (CVE-2023-40547, CVSS 8.3, risk “high”). The precondition is that the attacker either controls the boot server or can insert themselves into the communication with it, for example as a man-in-the-middle on the local network.
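As an added illustration, not shim's code and not taken from the advisory, the following C program models the bug class described above: a loader that sizes its image buffer from the server-supplied Content-Length header but copies as many bytes as actually arrive on the wire, next to a hardened variant that rejects any disagreement between header and body. The arena, the response struct, the neighbour byte pattern and all function names are constructed for this demo; the "next allocation" that the overflow destroys is simulated by the bytes that follow the image buffer inside the same arena, so the overflow stays observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the bug class behind CVE-2023-40547: a boot loader
 * fetching an image over HTTP sizes its buffer from the Content-Length header
 * but copies whatever the server actually sends. This is NOT shim's code;
 * every name and structure below is invented for the demonstration.
 */

/* What the client sees: the header-declared length and the real body. */
typedef struct {
    size_t declared_len;   /* Content-Length, chosen by the server or a MITM */
    const uint8_t *body;   /* bytes that actually arrive on the wire */
    size_t body_len;
} http_response_t;

/*
 * A tiny simulated heap: the image buffer lives at the start, and whatever
 * would be allocated next (think: a table of function pointers) follows it.
 * Keeping both in one object lets us detect the overflow deterministically.
 */
#define ARENA_SIZE 128
typedef struct {
    uint8_t mem[ARENA_SIZE];
} arena_t;

#define NEIGHBOUR_PATTERN 0xA5

static void arena_init(arena_t *a) {
    memset(a->mem, NEIGHBOUR_PATTERN, sizeof a->mem);
}

/* Returns 1 if no byte past `used` has been clobbered, 0 otherwise. */
static int neighbour_intact(const arena_t *a, size_t used) {
    for (size_t i = used; i < ARENA_SIZE; i++)
        if (a->mem[i] != NEIGHBOUR_PATTERN) return 0;
    return 1;
}

/*
 * Vulnerable pattern: only the header value is range-checked, the buffer is
 * treated as declared_len bytes long, but the copy uses the real body length.
 * A server that says "Content-Length: 16" and then sends 80 bytes writes
 * 64 bytes past the buffer into the neighbouring allocation.
 * (Demo inputs keep body_len <= ARENA_SIZE so the overflow lands in the
 * simulated neighbour rather than outside the object.)
 */
static int load_image_vulnerable(arena_t *a, const http_response_t *r) {
    if (r->declared_len > ARENA_SIZE) return -1;   /* header checked ... */
    uint8_t *buf = a->mem;                          /* ... buffer "is" declared_len bytes */
    memcpy(buf, r->body, r->body_len);              /* ... but copy trusts the wire */
    return 0;
}

/*
 * Hardened: the copy is bounded by what was allocated, and a response whose
 * body does not match its own header (too long, or truncated) is rejected.
 */
static int load_image_hardened(arena_t *a, const http_response_t *r) {
    if (r->declared_len == 0 || r->declared_len > ARENA_SIZE) return -1;
    if (r->body_len != r->declared_len) return -2;  /* header and wire disagree */
    memcpy(a->mem, r->body, r->body_len);
    return 0;
}

/*
 * Crafted response: header claims 16 bytes, 80 bytes of 'A' arrive.
 * Returns 1 if the vulnerable loader accepted it and clobbered the neighbour
 * while the hardened loader refused and left the arena untouched.
 */
static int demo_overflow(void) {
    static uint8_t evil[80];
    memset(evil, 0x41, sizeof evil);
    http_response_t r = { .declared_len = 16, .body = evil, .body_len = sizeof evil };

    arena_t a;
    arena_init(&a);
    int rc_v = load_image_vulnerable(&a, &r);
    int clobbered = !neighbour_intact(&a, r.declared_len);

    arena_init(&a);
    int rc_h = load_image_hardened(&a, &r);
    return rc_v == 0 && clobbered && rc_h == -2 && neighbour_intact(&a, r.declared_len);
}

/* Well-formed response (constructed 32-byte image starting with "MZ"):
 * returns 1 if the hardened loader accepts it and nothing else is touched. */
static int demo_benign(void) {
    static const uint8_t image[32] = { 0x4D, 0x5A };
    http_response_t r = { .declared_len = sizeof image, .body = image, .body_len = sizeof image };
    arena_t a;
    arena_init(&a);
    return load_image_hardened(&a, &r) == 0
        && memcmp(a.mem, image, sizeof image) == 0
        && neighbour_intact(&a, sizeof image);
}

int main(void) {
    printf("overflow demo (vulnerable clobbers neighbour, hardened refuses): %s\n",
           demo_overflow() ? "yes" : "no");
    printf("benign demo (hardened accepts consistent response): %s\n",
           demo_benign() ? "yes" : "no");
    return 0;
}
```

The point the demo makes is that the header value is not the problem on its own: the bug is using one attacker-controlled number to allocate and a different one to copy. The hardened variant keys every copy off the allocation it actually made and treats a truncated body as an error too, since a short download that is nevertheless executed is its own failure mode.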
The update to shim 15.8 closes this hole and fixes further vulnerabilities, as the release announcement shows. Several Linux distributors have already submitted their rebuilt bootloaders to shim-review for review and signing, so the updates should reach users shortly. IT managers should make sure the update is rolled out on the systems they are responsible for. Note that installing the new shim does not by itself prevent an attacker with physical or administrative access from booting the old, still-signed one; that additionally requires revoking the old shim (via SBAT or the UEFI dbx), which distributions ship separately from the package update.
Security researchers keep finding holes in Secure Boot. At the beginning of December last year, for example, a Secure Boot bypass at UEFI firmware level was disclosed under the name “LogoFAIL”. Specially crafted boot logos triggered flaws in the firmware's JPEG and TGA image parsers, allowing attackers to smuggle in and execute malicious code before the operating system starts. Affected systems could be completely compromised this way as well.