Bug 2234589 (CVE-2023-40547) - CVE-2023-40547 shim: RCE in http boot support may lead to Secure Boot bypass
Summary: CVE-2023-40547 shim: RCE in http boot support may lead to Secure Boot bypass
Keywords:
Status: NEW
Alias: CVE-2023-40547
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2259914
Blocks: 2234588
Reported: 2023-08-24 19:13 UTC by Marco Benatto
Modified: 2024-04-11 12:49 UTC

Fixed In Version: shim 15.8
Doc Type: If docs needed, set a value
Doc Text:
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase; an attacker needs to perform a Man-in-the-Middle attack or compromise the boot server to be able to exploit this vulnerability successfully.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Marco Benatto 2023-08-24 19:13:52 UTC
The MSRC Vulnerability & Mitigations (V&M) team discovered a critical Remote Code Execution vulnerability in the latest version of the Linux shim (https://github.com/rhboot/shim). The shim's http boot support (httpboot.c) trusts attacker-controlled values when parsing an HTTP response, leading to a completely controlled out-of-bounds write primitive.

Comment 2 Marco Benatto 2024-01-23 20:05:13 UTC
Created shim tracking bugs for this issue:

Affects: fedora-all [bug 2259914]

