oss-sec mailing list archives

shim 15.8 released with 6 CVE fixes

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 26 Jan 2024 11:52:40 -0800

https://github.com/rhboot/shim/releases/tag/15.8 says it fixes these CVEs:

  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

According to Red Hat's bugzilla, the details on these are:

CVE-2023-40546: Out-of-bounds read printing error messages

A NULL pointer dereference error exists in mirror_one_esl() at mok.c. If shim
fails to create a new ESL variable it tries to log an error message, however
one of the variables used in the LogError() function doesn't match the format
string and additionally it may be NULL. A successful attack may lead shim to
crash resulting in a Denial-of-Service.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241796
Upstream fix: https://github.com/rhboot/shim/commit/66e6579dbf921152f647a0c16da1d3b2f40861ca

CVE-2023-40547: RCE in http boot support may lead to Secure Boot bypass

The MSRC Vulnerability & Mitigations (V&M) team discovered a critical Remote
Code Execution vulnerability in the latest version of the Linux shim
(https://github.com/rhboot/shim). The shim's http boot support (httpboot.c)
trusts attacker-controlled values when parsing an HTTP response, leading to
a completely controlled out-of-bounds write primitive.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2234589
Upstream fix: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d

CVE-2023-40548: Integer overflow leads to heap buffer overflow in verify_sbat_section on 32-bits systems

An integer overflow issue exists in shim when compiled for 32-bit processors.
The issue is due to performing addition on a user-controlled value parsed from
the PE being loaded without verifying that the result of the addition does not
overflow. The overflowed value is passed as a size to AllocatePool, and then
the resulting buffer is copied to using the original value, resulting in a
buffer overflow.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241782
Upstream fix: https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8

CVE-2023-40549: Out-of-bounds read in verify_buffer_authenticode() malformed PE file

An out-of-bounds read issue exists in the verify_buffer_authenticode() function
in shim.c. This issue is due to adding an offset to a pointer and then accessing
the result without proper bounds checking. This bug is reachable by providing a
malformed PE file to shim. This code runs before signature validation of the PE.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241797
Upstream fix: https://github.com/rhboot/shim/commit/afdc5039de0a4a3a40162a32daa070f94a883f09

CVE-2023-40550: Out-of-bound read in verify_buffer_sbat()

Score: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Desc: Out-of-bound read in verify_buffer_sbat()

There's an out-of-bounds read in shim in the verify_buffer_sbat() function, which can
lead to information disclosure.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2259915
Upstream fix: https://github.com/rhboot/shim/commit/93ce2552f3e9f71f888a672913bfc0eef255c56d

CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

Score: 5.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
Desc: out of bounds read when parsing MZ binaries

When handling MZ binaries, crafted PE headers can lead to an out-of-bounds read,
causing shim to crash and possibly exposing sensitive information.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2259918
Upstream fix: https://github.com/rhboot/shim/commit/5a5147d1e19cf90ec280990c84061ac3f67ea1ab

        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
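
A constructed illustration of the integer-overflow pattern described under CVE-2023-40548 above: a size parsed from the PE is summed with an overhead, the wrapped sum sizes the allocation, and the copy still uses the original size. This is added example code, not shim's source; the function names and SBAT_OVERHEAD constant are hypothetical, and a 32-bit UINTN is modelled with uint32_t so the wrap is visible on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the CVE-2023-40548 pattern, not shim's own code.
 * On a 32-bit build UINTN is 32 bits wide; we model it with uint32_t. */
typedef uint32_t efi_size32;

#define SBAT_OVERHEAD 0x20u   /* constructed: bytes added to the section size */

/* Vulnerable shape: the sum wraps silently when section_size is near 2^32,
 * so AllocatePool() would receive a tiny size. */
static efi_size32 alloc_size_unchecked(efi_size32 section_size)
{
    return section_size + SBAT_OVERHEAD;
}

/* Hardened shape: refuse any section size whose sum would not fit in the
 * 32-bit UINTN, so the image is rejected instead of being copied. */
static bool alloc_size_checked(efi_size32 section_size, efi_size32 *out)
{
    if (section_size > UINT32_MAX - SBAT_OVERHEAD)
        return false;         /* addition would wrap: reject the PE */
    *out = section_size + SBAT_OVERHEAD;
    return true;
}

/* Same check as a single value for callers and tests: 0 means rejected. */
static efi_size32 checked_or_zero(efi_size32 section_size)
{
    efi_size32 n;
    return alloc_size_checked(section_size, &n) ? n : 0;
}

/* True exactly when the wrapped allocation is smaller than the copy length,
 * i.e. the condition that turns the wrap into a heap buffer overflow. */
static bool copy_exceeds_alloc(efi_size32 section_size)
{
    return alloc_size_unchecked(section_size) < section_size;
}

int main(void)
{
    const efi_size32 sizes[] = { 0x1000u, 0xFFFFFFF0u };   /* constructed */
    for (int i = 0; i < 2; i++)
        printf("section_size=0x%08x unchecked=0x%08x overflow=%d checked=0x%08x\n",
               sizes[i], alloc_size_unchecked(sizes[i]),
               copy_exceeds_alloc(sizes[i]), checked_or_zero(sizes[i]));
    return 0;
}
```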
