CVE-2022-28737

Publication date 20 July 2023

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

6.5 · Medium

There is a possible overflow in handle_image() when shim tries to load and execute crafted EFI executables. The handle_image() function takes into account the SizeOfRawData field from each section to be loaded, and an attacker can leverage this to perform out-of-bounds writes into memory. Arbitrary code execution cannot be ruled out in such a scenario.
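The class of check that prevents a section's SizeOfRawData from driving a write past the image buffer, as an added example (not shim's code and not the upstream patch). The struct, function names and the assumption that the destination buffer is sized from the image's in-memory layout are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Subset of a PE/COFF section header; field names follow the PE format. */
struct section {
    uint32_t VirtualSize;      /* bytes the section occupies in memory */
    uint32_t VirtualAddress;   /* offset of the section in the loaded image */
    uint32_t SizeOfRawData;    /* bytes of section data stored in the file */
    uint32_t PointerToRawData; /* offset of that data in the file */
};

/*
 * Return the number of bytes that may be copied for this section, or -1 if
 * the header is inconsistent with the file or the destination buffer.
 * image_size is the size of the buffer allocated for the loaded image
 * (assumption: derived from an already validated image size).
 */
int64_t safe_copy_len(const struct section *s, uint64_t file_size,
                      uint64_t image_size)
{
    /* Source range must lie inside the file (64-bit math, no wraparound). */
    if ((uint64_t)s->PointerToRawData + s->SizeOfRawData > file_size)
        return -1;
    /* Destination range declared by VirtualSize must fit the buffer. */
    if ((uint64_t)s->VirtualAddress + s->VirtualSize > image_size)
        return -1;
    /* Never copy more than the section's in-memory size. */
    return s->SizeOfRawData < s->VirtualSize ? s->SizeOfRawData
                                             : s->VirtualSize;
}

/* Copy one section; returns 0 on success, -1 if the header was rejected. */
int load_section(uint8_t *image, uint64_t image_size, const uint8_t *file,
                 uint64_t file_size, const struct section *s)
{
    int64_t n = safe_copy_len(s, file_size, image_size);
    if (n < 0)
        return -1;
    memcpy(image + s->VirtualAddress, file + s->PointerToRawData, (size_t)n);
    /* Zero the tail when the in-memory size exceeds the raw data. */
    memset(image + s->VirtualAddress + n, 0, s->VirtualSize - (size_t)n);
    return 0;
}
```

A loader that sizes its copy from SizeOfRawData alone skips the clamp in `safe_copy_len`, which is how a crafted header can write beyond the allocation.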

Status

Package  Ubuntu Release    Status
shim     24.10 oracular    Not affected
shim     24.04 LTS noble   Not affected
shim     23.10 mantic      Not affected
shim     23.04 lunar       Not affected
shim     22.10 kinetic     Ignored (end of life, was needed)
shim     22.04 LTS jammy   Fixed 15.7-0ubuntu1
shim     21.10 impish      Ignored (end of life)
shim     20.04 LTS focal   Fixed 15.7-0ubuntu1
shim     18.04 LTS bionic  Vulnerable, work in progress
shim     16.04 LTS xenial  Ignored (install media keys will never be revoked)
shim     14.04 LTS trusty  Ignored (end of ESM support, was ignored [install media keys will never be revoked])

Notes


mdeslaur

This is fixed in 15.7-0ubuntu1 that is currently in the -updates pocket of focal, jammy, and kinetic.


eslerm

keys not updated on ESM releases as doing so would revoke install media keys

Patch details

For informational purposes only. We recommend against cherry-picking updates.

Package Patch details
shim

Severity score breakdown

Parameter            Value
Base score           6.5 · Medium
Attack vector        Local
Attack complexity    Low
Privileges required  High
User interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity impact     High
Availability impact  High
Vector               CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-6355-1: GRUB2 vulnerabilities (8 September 2023)

Other references