Message-ID: <ee09edb9-6ce6-42ab-82bc-70f011ca7c88@oracle.com>
Date: Fri, 26 Jan 2024 11:52:40 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: shim 15.8 released with 6 CVE fixes

https://github.com/rhboot/shim/releases/tag/15.8 says it fixes these CVEs:

   CVE-2023-40546 mok: fix LogError() invocation
   CVE-2023-40547 - avoid incorrectly trusting HTTP headers
   CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
   CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
   CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
   CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

According to Red Hat's bugzilla, the details on these are:

CVE-2023-40546: Out-of-bounds read printing error messages

A NULL pointer dereference error exists in mirror_one_esl() at mok.c. If shim
fails to create a new ESL variable it tries to log an error message, however
one of the variables used in the LogError() function doesn't match the format
string and additionally it may be NULL. A successful attack may lead shim to
crash, resulting in a denial of service.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241796
Upstream fix: https://github.com/rhboot/shim/commit/66e6579dbf921152f647a0c16da1d3b2f40861ca
https://github.com/rhboot/shim/commit/dae82f6bd72cf600e5d48046ec674a441d0f49d7


CVE-2023-40547: RCE in http boot support may lead to Secure Boot bypass

The MSRC Vulnerability & Mitigations (V&M) team discovered a critical Remote
Code Execution vulnerability in the latest version of the Linux shim
(https://github.com/rhboot/shim). The shim's http boot support (httpboot.c)
trusts attacker-controlled values when parsing an HTTP response, leading to
a completely controlled out-of-bounds write primitive.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2234589
Upstream fix: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d


CVE-2023-40548: Integer overflow leads to heap buffer overflow in
  verify_sbat_section on 32-bit systems

An integer overflow issue exists in shim when compiled for 32-bit processors.
The issue is due to performing addition on a user-controlled value parsed from
the PE being loaded without verifying that the result of the addition does not
overflow. The overflowed value is passed as a size to AllocatePool, and then
the resulting buffer is copied to using the original value, resulting in a
buffer overflow.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241782
Upstream fix: https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8


CVE-2023-40549: Out-of-bounds read in verify_buffer_authenticode() with a
  malformed PE file

An out-of-bounds read issue exists in the verify_buffer_authenticode() function
in shim.c. This issue is due to adding an offset to a pointer and then accessing
the result without proper bounds checking. This bug is reachable by providing a
malformed PE file to shim. This code runs before signature validation of the PE
file.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2241797
Upstream fix: https://github.com/rhboot/shim/commit/afdc5039de0a4a3a40162a32daa070f94a883f09


CVE-2023-40550
Score: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Desc: Out-of-bounds read in verify_buffer_sbat()

There's an out-of-bounds read in shim at the verify_buffer_sbat() function, which
can lead to information disclosure.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2259915
Upstream fix: https://github.com/rhboot/shim/commit/93ce2552f3e9f71f888a672913bfc0eef255c56d
https://github.com/rhboot/shim/commit/e7f5fdf53ee68025f3ef2688e2f27ccb0082db83

CVE-2023-40551
Score: 5.1
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
Desc: Out-of-bounds read when parsing MZ binaries

When handling MZ binaries, crafted PE headers can lead to an out-of-bounds read,
causing shim to crash and possibly exposing sensitive information.

Upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2259918
Upstream fix: https://github.com/rhboot/shim/commit/5a5147d1e19cf90ec280990c84061ac3f67ea1ab
-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
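The three bounds-checking mistakes the Red Hat descriptions above have in common (an integer-overflowing size addition on 32-bit for CVE-2023-40548, an offset added to a pointer without checking that the result stays inside the image for CVE-2023-40549, and a length taken from an untrusted HTTP header for CVE-2023-40547) are shown below as an added example. This is not shim's code and not the upstream fixes; the function names, the PE-like "image" layout and the constructed inputs are hypothetical, chosen only to contrast the wrapping/unchecked pattern with the checked one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not shim's code. The helpers below are hypothetical and
 * illustrate the checks whose absence the CVEs above describe.
 */

/* True iff [offset, offset+size) lies inside a buffer of `total` bytes.
 * Written as `size <= total - offset` so the check itself cannot overflow. */
static bool region_in_bounds(size_t total, size_t offset, size_t size)
{
    if (offset > total)
        return false;
    return size <= total - offset;
}

/* The wrapping pattern (CVE-2023-40548): on a 32-bit build the sum silently
 * truncates, so a crafted size near UINT32_MAX yields a tiny allocation that
 * is later filled using the original, large size. Returns the wrapped value. */
static uint32_t alloc_size_unchecked(uint32_t section_size, uint32_t header_len)
{
    return section_size + header_len;
}

/* Hardened variant: refuse any size whose sum would not fit in 32 bits. */
static bool alloc_size_checked(uint32_t section_size, uint32_t header_len,
                               uint32_t *out)
{
    if (section_size > UINT32_MAX - header_len)
        return false;
    *out = section_size + header_len;
    return true;
}

/* Locate a hypothetical section at (offset, size) inside a PE-like image
 * (CVE-2023-40549 pattern). Returns a pointer into the image only when the
 * whole region is in bounds, otherwise NULL; the offset is validated before
 * it is ever added to the pointer. */
static const uint8_t *section_ptr(const uint8_t *image, size_t image_len,
                                  uint32_t offset, uint32_t size)
{
    if (!region_in_bounds(image_len, offset, size))
        return NULL;
    return image + offset;
}

/* Copy an HTTP body using only what was actually received and what the
 * destination can hold (CVE-2023-40547 pattern). The header-declared
 * Content-Length is a value to validate against, never the copy length.
 * Returns bytes copied, or -1 when the header disagrees with reality or the
 * body would not fit. */
static long copy_body(uint8_t *dst, size_t dst_cap,
                      const uint8_t *recv, size_t recv_len,
                      size_t declared_len)
{
    if (declared_len != recv_len || recv_len > dst_cap)
        return -1;
    memcpy(dst, recv, recv_len);
    return (long)recv_len;
}

int main(void)
{
    /* Constructed 64-byte "image" standing in for a loaded PE. */
    uint8_t image[64] = {0};
    uint32_t sz = 0;

    printf("wrapped 32-bit size: 0x%x\n",
           alloc_size_unchecked(0xFFFFFFF0u, 0x20u));
    printf("checked add accepted: %d\n",
           alloc_size_checked(0xFFFFFFF0u, 0x20u, &sz));
    printf("section 48+16 in a 64-byte image: %d\n",
           section_ptr(image, sizeof image, 48, 16) != NULL);
    printf("section 48+17 in a 64-byte image: %d\n",
           section_ptr(image, sizeof image, 48, 17) != NULL);

    /* Constructed HTTP body: 8 bytes received, header once honest, once not. */
    uint8_t body[16];
    const uint8_t recv[8] = "ABCDEFG";
    printf("copy with honest Content-Length: %ld\n",
           copy_body(body, sizeof body, recv, 8, 8));
    printf("copy with lying Content-Length: %ld\n",
           copy_body(body, sizeof body, recv, 8, 4096));
    return 0;
}
```

The point of `region_in_bounds` is that it subtracts rather than adds: `offset + size <= total` can wrap on exactly the inputs an attacker picks, while `size <= total - offset` (after rejecting `offset > total`) cannot. The same idea applies to the PE header, SBAT section and HTTP cases alike.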
