CVE-2023-40547

Summary

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Enterprise Linux 70:15.8-3.el7 < *unaffected
Red HatRed Hat Enterprise Linux 70:15.8-1.el7 < *unaffected
Red HatRed Hat Enterprise Linux 80:15.8-4.el8_9 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Support0:15.8-2.el8_2 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Telecommunications Update Service0:15.8-2.el8_2 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Update Services for SAP Solutions0:15.8-2.el8_2 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support0:15.8-2.el8_4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Telecommunications Update Service0:15.8-2.el8_4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Update Services for SAP Solutions0:15.8-2.el8_4 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support0:15.8-2.el8_6 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support0:15.8-2.el8 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support0:15.8-2.el8 < *unaffected
Red HatRed Hat Enterprise Linux 90:15.8-4.el9_3 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support0:15.8-3.el9 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support0:15.8-2.el9 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support0:15.8-2.el9 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support0:15.8-3.el9_2 < *unaffected

Weaknesses

  • CWE-787: Out-of-bounds Write

Workarounds

If a system isn’t required to boot from the network, configure the server’s boot order to disable entirely or skip the network boot.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References