VU#616257: Microsoft-signed UE... Note

VU#616257: Microsoft-signed UEFI shim bootloaders vulnerable to Secure Boot bypass

Microsoft is revoking trust for older versions of the open-source shim bootloader due to a Secure Boot bypass vulnerability. This vulnerability allows attackers to execute arbitrary code early in the boot process, circumventing security measures. The affected shim bootloaders, primarily versions 0.9 and earlier, will be added to the Microsoft UEFI Forbidden Signature Database (DBX). Once the DBX is updated, these bootloaders will be disallowed from running.The shim project facilitates Secure Boot for Linux distributions by acting as a bridge between firmware and the operating system. However, vendors who forked older, vulnerable versions without updating created a persistent supply chain risk. Researchers identified specific vulnerable shim bootloaders from various vendors, including Red Hat, baramundi, and Oracle.Exploiting this flaw enables attackers with boot modification privileges to gain persistent control, potentially loading unsigned kernel components that survive reboots. These malicious components can evade operating system security and endpoint detection solutions. To mitigate this, users must apply the latest vendor software and bootloader updates.Additionally, applying Microsoft's DBX update is crucial to block vulnerable bootloaders. Enterprises and developers should test these updates thoroughly before widespread deployment. It is recommended to update the authorized signature database (DB) before applying DBX revocations. Tools are available to audit and verify DBX updates and identify revoked boot components.