Important flaw in Shim bootloader impacts main Linux distros


A essential vulnerability within the Shim Linux bootloader allows attackers to execute code and take management of a goal system earlier than the kernel is loaded, bypassing present safety mechanisms.

Shim is a small open-source bootloader maintained by Purple Hat that’s designed to facilitate the Safe Boot course of on computer systems utilizing Unified Extensible Firmware Interface (UEFI).

The software is signed with a Microsoft key accepted by default on most UEFI motherboards that’s used to confirm the subsequent stage of the boot course of, sometimes loading the GRUB2 bootloader.

Shim was created out of necessity to permit open-source tasks reminiscent of Linux distributions to learn from Safe Boot’s benefits, reminiscent of stopping unauthorized or malicious code execution throughout boot, whereas nonetheless sustaining management over {hardware}.

The brand new Shim flaw, tracked as CVE-2023-40547, was found by Microsoft’s safety researcher Invoice Demirkapi, who first disclosed it on January 24, 2024.

The bug resides within the httpboot.c supply for Shim, which is used besides a community picture over HTTP.


“When retrieving recordsdata through HTTP or associated protocols, shim makes an attempt to allocate a buffer to retailer the acquired information,” reads the commit to repair the bug in httpboot.c.

“Sadly, this implies getting the dimensions from an HTTP header, which may be manipulated to specify a dimension that is smaller than the acquired information.”

“On this case, the code unintentionally makes use of the header for the allocation however the protocol metadata to repeat it from the rx buffer, leading to an out-of-bounds write.”

Extra particulars concerning the flaw turned out there on February 2, 2024, with Eclypsium publishing a report yesterday to attract consideration to this safety drawback.

The vulnerability lies in Shim’s parsing of HTTP responses, permitting an attacker to create specifically crafted HTTP requests to trigger an out-of-bounds write.

This might enable an attacker to compromise a system by executing privileged code earlier than the working system masses, successfully bypassing safety mechanisms carried out by the kernel and the OS.

Eclypsium says a number of potential exploitation paths can leverage CVE-2023-40547, together with native, community adjoining, and distant assault factors. The agency’s report highlights the next three strategies:

A distant attacker can execute a man-in-the-middle (MiTM) assault, intercepting HTTP site visitors for HTTP boot, doubtlessly from any community place between the sufferer and the server.

A neighborhood attacker with adequate privileges can modify EFI Variables or the EFI partition utilizing a dwell Linux USB to change the boot order and cargo a compromised shim, executing privileged code with out disabling Safe Boot.

An attacker on the identical community can use PXE to load a compromised shim bootloader, exploiting the vulnerability.

Influence and fixes

RedHat issued a code commit to repair CVE-2023-40547 on December 5, 2023, however Linux distributions supporting Safe Boot and utilizing Shim have to push their very own patches.

Linux distributions that make the most of Shim, reminiscent of Purple HatDebianUbuntuand SUSE, have launched advisories with info on the flaw.

Linux customers are suggested to replace to the newest model of Shim, v15.8, which accommodates a repair for CVE-2023-40547 and 5 different necessary vulnerabilities.

Eclypsium explains that Linux customers should additionally replace the UEFI Safe Boot DBX (revocation checklist) to incorporate the hashes of the susceptible Shim software program and signal the patched model with a legitimate Microsoft key.

To do this, first improve to Shim 15.8 after which apply the DBX replace utilizing the ‘fwupdmgr replace’ command (wants fwupd).

Command to update the DBX
Command to replace DBX (Eclypsium)

Some Linux distributions supply a GUI software to carry out this replace, so be sure that to verify in your bundle supervisor earlier than delving into the terminal.


Though unlikely to be mass-exploited, CVE-2023-40547 will not be a bug that needs to be ignored, as executing code earlier than OS boot is without doubt one of the strongest and stealthiest types of system compromise.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles