CVE-2023-40551: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2023-40551) was discovered in the MZ binary format in Shim, a first-stage UEFI boot loader. The vulnerability was disclosed on January 29, 2024, and affects various versions of the Shim bootloader up to version 15.8. This security flaw allows an out-of-bounds read to occur during the system's boot phase (NVD, Red Hat).

The vulnerability occurs when handling MZ binaries, where crafted PE headers can lead to an out-of-bounds read. The issue has been assigned a CVSS v3.1 base score of 5.1 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H. The attack requires high privileges to deploy a malicious crafted MZ binary into the boot partition or physical access to the targeted system (Bugzilla).

The vulnerability can result in a system crash or potential exposure of sensitive data during the system's boot phase. However, there is limited control over the information exposed once the attack is performed, resulting in a low confidentiality impact rating (NVD, Bugzilla).

The vulnerability has been fixed in Shim version 15.8. Multiple vendors have released security updates to address this issue. It's important to note that when updating Shim, GRUB2 must also be updated simultaneously or before the Shim update to maintain system bootability. Failure to update GRUB2 could result in an unbootable system (Red Hat, Debian).