A critical vulnerability in Shim could allow a network attacker to bypass secure

boot and take over a vulnerable Linux system.

Shim is a small application containing certificates and code to verify the bootloader, and is used
by most Linux distributions during the boot process, to support secure boot.

Identified in Shim’s HTTP protocol handling, the vulnerability leads to an out-of-bounds write,
which could be exploited for remote code execution.

The flaw is tracked as CVE-2023-40547 and, according to a NIST advisory, has a CVSS score
of 9.8. Red Hat, however, assesses the bug as being ‘high severity’, with a CVSS score of 8.3.
“The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This
flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely
controlled out-of-bounds write primitive and complete system compromise,” Red Hat’s
advisory reads.
An attacker could intercept the HTTP traffic between the victim system and the server delivering
files to support the HTTP boot, supply chain risk management firm Eclypsium explains in
a technical writeup.
“The attacker could be located on any network segment between the victim and the legitimate
server,” the firm says.

A local attacker with enough privileges to modify EFI variables or EFI partition data, such as by
using a live Linux USB drive, could change boot order to load a vulnerable shim and execute
privileged code without disabling secure boot.