shim-signed-15.8-1.el7, shim-15.8-3.el7

Errata ID: AXSA:2024-7742:01

Release date: 
Monday, May 13, 2024 - 19:48
Subject: 
shim-signed-15.8-1.el7, shim-15.8-3.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The shim package contains a first-stage UEFI boot loader that handles chaining to a trusted full boot loader under secure boot environments.

Security Fix(es):

shim: RCE in HTTP boot support may lead to Secure Boot bypass (CVE-2023-40547)
shim: Integer overflow leads to heap buffer overflow in verify_sbat_section on 32-bit systems (CVE-2023-40548)
shim: Out-of-bounds read when printing error messages (CVE-2023-40546)
shim: Out-of-bounds read in verify_buffer_authenticode() on a malformed PE file (CVE-2023-40549)
shim: Out-of-bounds read in verify_buffer_sbat() (CVE-2023-40550)
shim: Out-of-bounds read when parsing MZ binaries (CVE-2023-40551)

CVEs:
CVE-2023-40546
A flaw was found in Shim when an error happens while creating a new ESL (EFI Signature List) variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of arguments passed to the logging function does not match the format string it is given, leading to a crash under certain circumstances.
CVE-2023-40547
A remote code execution vulnerability was found in Shim. Shim's HTTP boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP response, giving a fully controlled out-of-bounds write primitive and complete system compromise. The flaw is only exploitable during the early boot phase, and only on systems that boot over HTTP: an attacker needs to perform a Man-in-the-Middle attack on the boot traffic or compromise the boot server to exploit it successfully.
CVE-2023-40548
A buffer overflow was found in Shim on 32-bit systems. The overflow happens in an addition involving a user-controlled value parsed from the PE binary being loaded by Shim. The wrapped result is then used as a memory allocation size, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.
CVE-2023-40549
An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.
CVE-2023-40550
An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.
CVE-2023-40551
A flaw was found in Shim's parsing of the MZ binary format. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.

Solution: 

Update the packages. Because shim is loaded by the firmware at boot, the new binary only takes effect after a reboot.
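The following script is an added example, not part of the advisory or of the shim project: it checks whether the shim packages installed on an Asianux Server 7 host are at or above the versions shipped in this errata, and verifies a downloaded RPM against the advisory's SHA-256 digests before installation. It assumes POSIX sh, awk, sha256sum and rpm; the version comparison is a simplified rpmvercmp (no tilde/caret handling), and the rpm -q output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the advisory): verify patch level for AXSA:2024-7742:01
# and check downloaded RPM digests. Assumes POSIX sh, awk, sha256sum, rpm.

# Fixed VERSION-RELEASE per binary package, taken from the advisory's download list.
fixed_vr() {
  case "$1" in
    shim-x64|shim-ia32|mokutil)           echo "15.8-1.el7" ;;
    shim-unsigned-x64|shim-unsigned-ia32) echo "15.8-3.el7" ;;
    *) return 1 ;;
  esac
}

# rpm_vercmp A B -> prints 1 if A is newer, 0 if equal, -1 if older.
# Simplified rpmvercmp: split into digit runs and letter runs; digit runs compare
# numerically, letter runs lexically, digits beat letters, and whichever version
# still has segments left over wins. Tilde/caret ordering is deliberately omitted.
rpm_vercmp() {
  awk -v a="$1" -v b="$2" '
    function segs(s, out,   raw, n, i, k) {
      gsub(/[0-9]+/, "&.", s); gsub(/[A-Za-z]+/, "&.", s)
      n = split(s, raw, /[^0-9A-Za-z]+/); k = 0
      for (i = 1; i <= n; i++) if (raw[i] != "") out[++k] = raw[i]
      return k
    }
    function cmp(x, y,   xs, ys, nx, ny, i, xn, yn) {
      nx = segs(x, xs); ny = segs(y, ys)
      for (i = 1; i <= nx && i <= ny; i++) {
        xn = (xs[i] ~ /^[0-9]+$/); yn = (ys[i] ~ /^[0-9]+$/)
        if (xn && yn) { if (xs[i] + 0 != ys[i] + 0) return (xs[i] + 0 > ys[i] + 0) ? 1 : -1 }
        else if (xn != yn) return xn ? 1 : -1
        else if (xs[i] != ys[i]) return (xs[i] > ys[i]) ? 1 : -1
      }
      return (nx == ny) ? 0 : (nx > ny ? 1 : -1)
    }
    BEGIN { print cmp(a, b) }'
}

# is_fixed NAME VERSION-RELEASE -> 0 if at or above the advisory version,
# 1 if older or if the package is not covered by this advisory.
is_fixed() {
  fixed=$(fixed_vr "$1") || return 1
  [ "$(rpm_vercmp "$2" "$fixed")" -ge 0 ]
}

# check_installed reads "NAME VERSION-RELEASE" lines on stdin, as produced by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' shim-x64 shim-ia32 mokutil
# prints one status line per package and returns 1 if any package is unpatched.
check_installed() {
  rc=0
  while read -r name vr; do
    [ -n "$name" ] || continue
    if is_fixed "$name" "$vr"; then
      echo "OK        $name-$vr"
    else
      echo "UNPATCHED $name-$vr (advisory ships $(fixed_vr "$name"))"
      rc=1
    fi
  done
  return $rc
}

# verify_sha256 FILE EXPECTED_HEX -> 0 when the file's SHA-256 matches the advisory.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Constructed sample rpm -q output: a host whose shim-x64 was never updated.
SAMPLE_RPMQ='shim-x64 15.6-2.el7
shim-ia32 15.8-1.el7
mokutil 15.8-1.el7'

if printf '%s\n' "$SAMPLE_RPMQ" | check_installed; then
  echo "all shim packages at advisory level"
else
  echo "update required (and reboot afterwards so the firmware loads the new shim)"
fi
# On a real host, check the download before installing, e.g.
#   verify_sha256 shim-x64-15.8-1.el7.x86_64.rpm 149a512263cc3b34bbc59c63d5abd573448e6a5fa8145081665f74c8d7e5dbbd
# and confirm Secure Boot is enforcing after the reboot with: mokutil --sb-state
```

The digest check matters because the shim binaries are what the firmware trusts: installing an RPM whose contents differ from the advisory's listing means the Secure Boot chain is only as good as whatever produced that file. Pair the SHA-256 comparison with `rpm -K` on the downloaded package so the vendor signature is checked too.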

Additional Info: 

N/A

Download: 

SRPMS
  1. shim-signed-15.8-1.el7.src.rpm
    MD5: 49b94c34eff0b9859b4e86018a11e2a4
    SHA-256: 414d9d491b25946cb4b564fcfbee289942b203c535989c2bbda63eaca2b25c8a
    Size: 2.16 MB
  2. shim-15.8-3.el7.src.rpm
    MD5: fecd5243f410037971865214685763af
    SHA-256: 3cc3fb0557ad9542b162cef7cc707561ecca299b89701167036721194cae5fab
    Size: 2.24 MB

Asianux Server 7 for x86_64
  1. mokutil-15.8-1.el7.x86_64.rpm
    MD5: ac1ac8ba46cbe8b5a5b6cb6d390e4c3c
    SHA-256: 5d5645f6b9b76271fe6504c47b69ea5199400f48b22cc827c93f587115202789
    Size: 42.82 kB
  2. shim-ia32-15.8-1.el7.x86_64.rpm
    MD5: 846e1f5869e73b3f7708ac1faac03a62
    SHA-256: efbe8cf3937a28bcbfa5feccd7ba2b0999fbb217c0c5d9a22e61c646c3969a06
    Size: 422.91 kB
  3. shim-unsigned-ia32-15.8-3.el7.x86_64.rpm
    MD5: 52a9dc63c5470eb9d9ce8defb8429823
    SHA-256: 1962cf7e9365c92d293203155453100a501451095146165c9521825a12eaec57
    Size: 420.44 kB
  4. shim-unsigned-x64-15.8-3.el7.x86_64.rpm
    MD5: 4c3fdb1e718d0a11123c4f258a71dbb5
    SHA-256: e806b940bd9139b89d2be1e9e56a055ded545b175fa3564349065f730c224280
    Size: 456.62 kB
  5. shim-x64-15.8-1.el7.x86_64.rpm
    MD5: 340357e1d35a0eadd57a031c247c1a95
    SHA-256: 149a512263cc3b34bbc59c63d5abd573448e6a5fa8145081665f74c8d7e5dbbd
    Size: 466.14 kB