CVE-2023-40547 Linux Shim Bootloader

April 29, 2024

Summary

Shim is a bootloader that facilitates the Secure Boot process on computers using Unified Extensible Firmware Interface. The bug stems from trusting the remote server’s HTTP headers while booting over HTTP, which might allow an out-of-bounds write and privileged code execution.[1][2]

There are three potential exploitation paths:

  1. Remote attackers can intercept HTTP traffic when an HTTP boot is attempted

  2. Attackers with physical access to the system can modify EFI settings using a live Linux USB to load a compromised shim bootloader

  3. Attackers on the local network can use PXE to load a compromised shim bootloader
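The header-trust problem described in the Summary, as an added illustration of the defensive pattern (a constructed example, not shim's own code): the server's declared Content-Length only sets a capped allocation, and every received chunk is checked against the space actually allocated. MAX_IMAGE_BYTES, the struct and the function names are assumptions for this illustration.

```c
/* Added illustration (not shim's code): receive an HTTP boot image without
 * trusting the server's Content-Length header. The declared length only sets
 * a capped allocation, and every chunk copy is bounded by that allocation. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)  /* policy cap (assumed value) */

struct image_buf {
    uint8_t *data;
    size_t   cap;   /* bytes we allocated; the only size the copy path trusts */
    size_t   len;   /* bytes received so far */
};

/* Weak pattern for contrast: malloc(content_length) and then memcpy every
 * chunk as it arrives, so a server that sends more than it declared writes
 * past the buffer. The functions below refuse that case instead. */

int image_init(struct image_buf *b, uint64_t content_length) {
    if (content_length == 0 || content_length > MAX_IMAGE_BYTES)
        return -1;                       /* absurd or oversized header: reject */
    b->data = malloc((size_t)content_length);
    if (b->data == NULL)
        return -1;
    b->cap = (size_t)content_length;
    b->len = 0;
    return 0;
}

/* Append one received chunk; anything beyond the allocation is an error. */
int image_append(struct image_buf *b, const uint8_t *chunk, size_t n) {
    if (n > b->cap - b->len)
        return -1;                       /* server sent more than it declared */
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

/* A short body is as suspicious as a long one: require an exact match. */
int image_complete(const struct image_buf *b) {
    return b->data != NULL && b->len == b->cap;
}

void image_free(struct image_buf *b) {
    free(b->data);
    b->data = NULL;
    b->cap = b->len = 0;
}
```

The same bound check belongs on every copy into the buffer, not only the first; an image that is shorter than declared should also be rejected rather than executed.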

Impact

The attack might allow a remote or local attacker to execute privileged code before the operating system is loaded on the system, giving the attacker a means to persist on the system even after the operating system has been reinstalled.

Vulnerable

Linux distributions that use Shim, including Red Hat[3], Debian[4], Ubuntu[5], and SUSE[6], are vulnerable unless they have been patched to version 15.8. Version 15.8 has been released but is not yet available through the distributions’ patch process.

Recommendations

  1. Do not boot a network image over HTTP from an untrusted host until this vulnerability is patched.

  2. Install the patched version of Shim (v15.8) from the vendor as soon as it is available.

  3. Linux users must also revoke the vulnerable versions of Shim by running fwupdmgr update (requires fwupd).

References

  1. https://www.bleepingcomputer.com/news/security/critical-flaw-in-shim-bootloader-impacts-major-linux-distros/

  2. https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/

  3. https://access.redhat.com/security/cve/cve-2023-40547

  4. https://security-tracker.debian.org/tracker/CVE-2023-40547

  5. https://ubuntu.com/security/CVE-2023-40547

  6. https://www.suse.com/security/cve/CVE-2023-40547.html