CVE-2023-40548

Published: 23 January 2024

A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.

Notes

Author	Note
eslerm	UEFI Security Response Team states that dbx update is not needed secureboot-db should only ever be updated after shim secureboot-db is not updated on ESM releases as doing so would revoke install media keys Note that key revocation is required to protect against evil housekeeper attacks (such as BlackLotus)

Author

Note

eslerm

UEFI Security Response Team states that dbx update is not needed
secureboot-db should only ever be updated after shim
secureboot-db is not updated on ESM releases as doing so would
revoke install media keys Note that key revocation is required to
protect against evil housekeeper attacks (such as BlackLotus)

Priority

Cvss 3 Severity Score

7.4

Score breakdown

Status

Package	Release	Status
secureboot-db Launchpad, Ubuntu, Debian	bionic	Not vulnerable (sbat only update)
	focal	Not vulnerable (sbat only update)
	jammy	Not vulnerable (sbat only update)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Not vulnerable (sbat only update)
	noble	Not vulnerable (sbat only update)
	trusty	Not vulnerable (sbat only update)
	upstream	Not vulnerable (sbat only update)
	xenial	Not vulnerable (sbat only update)
shim Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needed
	jammy	Needed
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needed
	noble	Released (15.8-0ubuntu1)
	trusty	Ignored (install media keys will never be revoked)
	upstream	Needs triage
	xenial	Ignored (install media keys will never be revoked)
	Patches: upstream: https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8
shim-signed Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needed
	jammy	Needed
	lunar	Ignored (end of life, was needs-triage)
	mantic	Needed
	noble	Released (15.8)
	trusty	Ignored (install media keys will never be revoked)
	upstream	Needs triage
	xenial	Ignored (install media keys will never be revoked)

Severity score breakdown

Parameter	Value
Base score	7.4
Attack vector	Local
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/shim/+bug/2051151

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›