This advisory is for organizations that use Linux distributions within their environment. The advisory applies to a critical vulnerability in the Shim Linux bootloader and effects Linux variants that support Secure Boot.
Summary
Red Hat has pushed a code commit to fix a vulnerability in the code they maintain for the Shim bootloader which could be leveraged to execute code and/or take control of a target system before the kernel is loaded.
Shim was created to allow Linux distributions to boot on PCs leveraging UEFI Secure Boot. Though it was developed by Red Hat, it is used by other distributions to allow their operating systems to load using certificates issued by their own companies (rather than Microsoft). If interested:https://www.linux-magazine.com/Issues/2018/206/Linux-Secure-Boot-with-Shim)
This vulnerability resides in the part of Shim (httpboot.c) which supports booting an image from a central server on a network using HTTP. One way this may be exploited is through an attacker positioning themselves between the victim and the HTTP server used to serve files that support the HTTP boot. Shim allocates a buffer for the received data using the buffer size specified in the HTTP header. The size in the header can be manipulated to reduce the size of the buffer resulting in a buffer overflow. In other scenarios, the bug may be abused locally by malware that gains system privilege and overwrites the EFI partition, or from an adjacent network when PXE boot is enabled.
