RCE in Shim Bootloader via OOB Write (CVE-2023-40547)
CVE-2023-40547 Published on January 25, 2024

Shim: rce in http boot support may lead to secure boot bypass
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:
ADJACENT_NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public. 263 days later.

Weakness Type

What is a Memory Corruption Vulnerability?

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2023-40547 has been classified to as a Memory Corruption vulnerability or weakness.


Products Associated with CVE-2023-40547

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Shim
 
Red Hat Enterprise Linux (RHEL)
 
Red Hat Rhel Aus
 
Red Hat Rhel Tus
 
Red Hat Rhel E4s
 
Red Hat Rhel Eus
 

Affected Versions

Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 8.2 Advanced Update Support: Red Hat Enterprise Linux 8.2 Telecommunications Update Service: Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support: Red Hat Enterprise Linux 8.4 Telecommunications Update Service: Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions: Red Hat Enterprise Linux 8.6 Extended Update Support: Red Hat Enterprise Linux 8.8 Extended Update Support: Red Hat Enterprise Linux 8.8 Extended Update Support: Red Hat Enterprise Linux 9: Red Hat Enterprise Linux 9.0 Extended Update Support: Red Hat Enterprise Linux 9.0 Extended Update Support: Red Hat Enterprise Linux 9.0 Extended Update Support: Red Hat Enterprise Linux 9.2 Extended Update Support:

Exploit Probability

EPSS
4.18%
Percentile
88.53%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.