SUSE SLED15 / SLES15 / openSUSE 15 Security Update : shim (SUSE-SU-2024:1368-1)

high Nessus Plugin ID 193725

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1368-1 advisory.

- There's a possible overflow in handle_image() when shim tries to load and execute crafted EFI executables;
The handle_image() function takes into account the SizeOfRawData field from each section to be loaded. An attacker can leverage this to perform out-of-bound writes into memory. Arbitrary code execution is not discarded in such scenario. (CVE-2022-28737)

- A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances. (CVE-2023-40546)

- A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.
This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the- Middle or compromise the boot server to be able to exploit this vulnerability successfully.
(CVE-2023-40547)

- A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. (CVE-2023-40548)

- An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service. (CVE-2023-40549)

- An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase. (CVE-2023-40550)

- A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase. (CVE-2023-40551)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected shim package.

See Also

https://bugzilla.suse.com/1198101

https://bugzilla.suse.com/1205588

https://bugzilla.suse.com/1205855

https://bugzilla.suse.com/1210382

https://bugzilla.suse.com/1213945

https://bugzilla.suse.com/1215098

https://bugzilla.suse.com/1215099

https://bugzilla.suse.com/1215100

https://bugzilla.suse.com/1215101

https://bugzilla.suse.com/1215102

https://bugzilla.suse.com/1215103

https://bugzilla.suse.com/1219460

https://lists.suse.com/pipermail/sle-updates/2024-April/035046.html

https://www.suse.com/security/cve/CVE-2022-28737

https://www.suse.com/security/cve/CVE-2023-40546

https://www.suse.com/security/cve/CVE-2023-40547

https://www.suse.com/security/cve/CVE-2023-40548

https://www.suse.com/security/cve/CVE-2023-40549

https://www.suse.com/security/cve/CVE-2023-40550

https://www.suse.com/security/cve/CVE-2023-40551

Plugin Details

Severity: High

ID: 193725

File Name: suse_SU-2024-1368-1.nasl

Version: 1.0

Type: local

Agent: unix

Published: 4/23/2024

Updated: 4/23/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-28737

CVSS v3

Risk Factor: High

Base Score: 8.3

Temporal Score: 7.2

Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2023-40547

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:shim, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/22/2024

Vulnerability Publication Date: 6/16/2022

Reference Information

CVE: CVE-2022-28737, CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551

SuSE: SUSE-SU-2024:1368-1