CVE-2022-28737

Published: 20 July 2023

There is a possible overflow in handle_image() when shim tries to load and execute crafted EFI executables. The handle_image() function takes into account the SizeOfRawData field from each section to be loaded. An attacker can leverage this to perform out-of-bounds writes into memory. Arbitrary code execution cannot be ruled out in such a scenario.
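The class of check this description points at, as an added example (not shim's code and not the upstream patch): a loader validates each section's source and destination ranges before copying. The `section` struct, `range_ok`, `load_section` and `try_load` are hypothetical names, and the buffers are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified, hypothetical section header; field names follow PE/COFF. */
struct section {
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
};

/* 1 if [off, off+len) fits in `total` bytes; written so nothing can wrap. */
static int range_ok(uint64_t off, uint64_t len, uint64_t total)
{
    return off <= total && len <= total - off;
}

/* Copy one section into the loaded image; -1 if the header is out of bounds. */
int load_section(uint8_t *image, size_t image_size,
                 const uint8_t *file, size_t file_size,
                 const struct section *s)
{
    /* Never copy more file bytes than the section occupies in memory. */
    uint32_t copy = s->SizeOfRawData < s->VirtualSize ? s->SizeOfRawData
                                                      : s->VirtualSize;

    if (!range_ok(s->PointerToRawData, copy, file_size))   /* source in file */
        return -1;
    if (!range_ok(s->VirtualAddress, s->VirtualSize, image_size)) /* dest fits */
        return -1;

    memcpy(image + s->VirtualAddress, file + s->PointerToRawData, copy);
    memset(image + s->VirtualAddress + copy, 0, s->VirtualSize - copy);
    return 0;
}

/* Constructed harness: 64-byte image, 128-byte file, canary after the image. */
int try_load(uint32_t va, uint32_t vsize, uint32_t raw)
{
    uint8_t buf[65] = {0}, file[128];
    struct section s = { vsize, va, raw, 0 };

    memset(file, 0xAA, sizeof file);
    buf[64] = 0x5C;                       /* canary just past the image */
    int rc = load_section(buf, 64, file, sizeof file, &s);
    return buf[64] == 0x5C ? rc : -2;     /* -2 would mean an overflow */
}

int main(void)
{
    return try_load(32, 16, 16) == 0 && try_load(32, 64, 64) == -1 ? 0 : 1;
}
```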

Notes

Author Note
mdeslaur: This is fixed in 15.7-0ubuntu1 that is currently in the -updates pocket of focal, jammy, and kinetic.
eslerm: keys not updated on ESM releases as doing so would revoke install media keys

Priority

Medium

CVSS 3 Severity Score

6.5


Status

Package: shim (Launchpad, Ubuntu, Debian)

Release Status
bionic Pending (15.7-0ubuntu1)
focal Released (15.7-0ubuntu1)
impish Ignored (end of life)
jammy Released (15.7-0ubuntu1)
kinetic Ignored (end of life, was needed)
lunar Not vulnerable (15.7-0ubuntu1)
mantic Not vulnerable (15.7-0ubuntu1)
noble Not vulnerable (15.7-0ubuntu1)
trusty Ignored (install media keys will never be revoked)
upstream Released (15.6)
xenial Ignored (install media keys will never be revoked)
Patches:
upstream: https://github.com/rhboot/shim/commit/e99bdbb827a50cde019393d3ca1e89397db221a7
upstream: https://github.com/rhboot/shim/commit/159151b6649008793d6204a34d7b9c41221fb4b0

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H