CVE-2023-40547

Published: 23 January 2024

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

Notes

Author	Note
eslerm	UEFI Security Response Team states that dbx update is not needed secureboot-db should only ever be updated after shim secureboot-db is not updated on ESM releases as doing so would revoke install media keys Note that key revocation is required to protect against evil housekeeper attacks (such as BlackLotus)

Author

Note

eslerm

UEFI Security Response Team states that dbx update is not needed
secureboot-db should only ever be updated after shim
secureboot-db is not updated on ESM releases as doing so would
revoke install media keys Note that key revocation is required to
protect against evil housekeeper attacks (such as BlackLotus)

Priority

Cvss 3 Severity Score

9.0

Score breakdown

Status

Package	Release	Status
secureboot-db Launchpad, Ubuntu, Debian	bionic	Not vulnerable (sbat only update)
	focal	Not vulnerable (sbat only update)
	jammy	Not vulnerable (sbat only update)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Not vulnerable (sbat only update)
	noble	Not vulnerable (sbat only update)
	trusty	Not vulnerable (sbat only update)
	upstream	Not vulnerable (sbat only update)
	xenial	Not vulnerable (sbat only update)
shim Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needed
	jammy	Needed
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needed
	noble	Released (15.8-0ubuntu1)
	trusty	Ignored (install media keys will never be revoked)
	upstream	Needs triage
	xenial	Ignored (install media keys will never be revoked)
	Patches: upstream: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d
shim-signed Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needed
	jammy	Needed
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needed
	noble	Released (15.8)
	trusty	Ignored (install media keys will never be revoked)
	upstream	Needs triage
	xenial	Ignored (install media keys will never be revoked)

Severity score breakdown

Parameter	Value
Base score	9.0
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Changed
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/shim/+bug/2051151

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›