CVE-2022-28737: 
NixOS vulnerability analysis and mitigation

CVE-2022-28737 is a security vulnerability in the shim bootloader that affects EFI executable handling. The vulnerability was discovered in 2022 and affects shim versions up to (excluding) 15.6. The issue exists in the handle_image() function when shim attempts to load and execute crafted EFI executables (NVD, MITRE).

The vulnerability stems from an overflow condition in the handle_image() function, which processes the SizeOfRawData field from each section to be loaded in EFI executables. The function incorrectly handles these values, potentially allowing out-of-bound writes into memory. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker to perform out-of-bound writes into memory, potentially leading to arbitrary code execution. This could compromise the security of the boot process and potentially circumvent secure boot protections (Openwall).

The vulnerability was fixed in shim version 15.7. Red Hat and other vendors have released security updates to address this issue. Full mitigation requires updated shim with latest SBAT (Secure Boot Advanced Targeting) data provided by distributions and vendors. The fix is available in the -updates pocket for various Ubuntu releases including focal and jammy (Red Hat, Ubuntu).