CVE-2023-40551
Published: 23 January 2024
A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.
From the Ubuntu Security Team
[pe-relocate: Fix bounds check for MZ binaries In read_header(), we attempt to parse the PE binary headers. In doing so, if there is an MZ (i.e. MS-DOS) header, we locate the PE header by finding the offset in that header. Unfortunately that is not correctly bounds checked, and carefully chosen values can cause an out-of-bounds ready beyond the end of the loaded binary. Unfortunately the trivial fix (bounds check that value) also makes it clear that the way we were determining if an image is loadable on this platform and distinguishing between PE32 and PE32+ binaries has the exact same issue going on, and so the fix includes reworking that logic to correctly bounds check all of those tests as well. It's not currently known if this is actually exploitable beyond creating a denial of service, and an attacker who is in a position to use it for a denial of service attack must already be able to do so.]
Notes
| Author | Note |
|---|---|
| eslerm | UEFI Security Response Team states that dbx update is not needed secureboot-db should only ever be updated after shim secureboot-db is not updated on ESM releases as doing so would revoke install media keys Note that key revocation is required to protect against evil housekeeper attacks (such as BlackLotus) |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
secureboot-db Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(sbat only update)
|
| focal |
Not vulnerable
(sbat only update)
|
|
| jammy |
Not vulnerable
(sbat only update)
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Not vulnerable
(sbat only update)
|
|
| noble |
Not vulnerable
(sbat only update)
|
|
| trusty |
Not vulnerable
(sbat only update)
|
|
| upstream |
Not vulnerable
(sbat only update)
|
|
| xenial |
Not vulnerable
(sbat only update)
|
|
|
shim Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needed
|
|
| jammy |
Needed
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needed
|
|
| noble |
Released
(15.8-0ubuntu1)
|
|
| trusty |
Ignored
(install media keys will never be revoked)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(install media keys will never be revoked)
|
|
|
Patches: upstream: https://github.com/rhboot/shim/commit/5a5147d1e19cf90ec280990c84061ac3f67ea1ab |
||
|
shim-signed Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needed
|
|
| jammy |
Needed
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needed
|
|
| noble |
Released
(15.8)
|
|
| trusty |
Ignored
(install media keys will never be revoked)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(install media keys will never be revoked)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.1 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H |