Critical vulnerability in GRUB2 bootloader that allows bypassing UEFI Secure Boot

Eight vulnerabilities have been disclosed in the GRUB2 bootloader. The most dangerous of them, CVE-2020-10713, codenamed BootHole, makes it possible to bypass the UEFI Secure Boot mechanism and install unverified malicious code. A peculiarity of this vulnerability is that updating GRUB2 alone is not enough to eliminate it: an attacker can boot from media carrying an old, vulnerable GRUB2 build that still has a valid digital signature. The verification process can be compromised not only for Linux but also for other operating systems, including Windows.

The problem can be fully resolved only by updating the system's list of revoked certificates (dbx, the UEFI Revocation List), but once that is done, the ability to boot from old Linux installation media is lost. Some hardware manufacturers have already shipped an updated revocation list in their firmware; on such systems, only updated builds of Linux distributions will boot with UEFI Secure Boot enabled.

To eliminate the vulnerability, distributions will also need to update their installers, bootloaders, kernel packages, fwupd firmware and shim layer, generating new digital signatures for them. Users will need to update installation images and other bootable media, and load the updated certificate revocation list (dbx) into the UEFI firmware. Until dbx is updated in UEFI, the system remains vulnerable regardless of which updates have been installed in the OS.

The vulnerability is caused by a buffer overflow that can be exploited to execute arbitrary code during the boot process. It manifests when parsing the grub.cfg configuration file, which is usually located in the ESP (EFI System Partition) and can be edited by an attacker with administrator rights without violating the integrity of the signed shim and GRUB2 executables. Because of an error in the configuration parser code, the YY_FATAL_ERROR handler for fatal parsing errors only printed a warning instead of terminating the program, so parsing continued past the failed check. The severity of the vulnerability is reduced by the need for privileged access to the system; however, the problem can be used to plant hidden rootkits by anyone with physical access to the hardware (if booting from their own media is possible).

Most Linux distributions use a small shim layer digitally signed by Microsoft. Shim verifies GRUB2 with the distribution's own certificate, which lets distribution developers avoid having every kernel and GRUB update signed by Microsoft. By modifying the contents of grub.cfg, the vulnerability allows attacker code to run at the stage after shim has been successfully verified but before the operating system loads, inserting the attacker into the chain of trust while Secure Boot is active and giving full control over the rest of the boot process, including booting a different OS, modifying operating system components, and bypassing the kernel's Lockdown protection.
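The two paragraphs above describe the bug class rather than the exact code, so here is an added example (not GRUB2's own code) that models it: a flex-style lexer copies a token into a fixed-size buffer and calls a "fatal error" hook when the token is too long. The buffer size, the canary that stands in for the memory after the buffer, the hook names and the input strings are all constructed for this illustration; the point is that the length check exists in both variants and only the hook's behaviour decides whether the write past the buffer happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GRUB2 code: a simplified model of the BootHole bug class.
 * arena[0..TOKEN_BUF_SIZE) is the token buffer; the bytes right after it hold
 * a canary standing in for whatever follows the buffer in the real bootloader
 * (heap metadata, other allocations). Sizes and inputs are constructed here. */
#define TOKEN_BUF_SIZE 16   /* hypothetical size of the token buffer */
#define ARENA_SIZE     64   /* token buffer plus the memory after it */

struct lexer {
    unsigned char arena[ARENA_SIZE];
    bool aborted;           /* set by the hardened hook to stop the scan */
};

static const unsigned char CANARY[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

typedef void (*fatal_fn)(struct lexer *lx, const char *msg);

/* Vulnerable hook: report the problem and simply return to the caller,
 * the warn-but-continue behaviour the article attributes to YY_FATAL_ERROR. */
void fatal_error_warn_only(struct lexer *lx, const char *msg)
{
    (void)lx;
    fprintf(stderr, "error: %s\n", msg);
}

/* Hardened hook: report the problem and tell the scanner to stop. */
void fatal_error_abort(struct lexer *lx, const char *msg)
{
    fprintf(stderr, "error: %s\n", msg);
    lx->aborted = true;
}

/* Copy one whitespace-delimited token from input into the token buffer.
 * The length check is present in both variants; only the hook differs. */
void scan_token(struct lexer *lx, const char *input, fatal_fn on_fatal)
{
    size_t n = 0;

    memset(lx->arena, 0, sizeof lx->arena);
    memcpy(lx->arena + TOKEN_BUF_SIZE, CANARY, sizeof CANARY);
    lx->aborted = false;

    for (const char *p = input; *p != '\0' && *p != ' ' && *p != '\n'; p++) {
        if (n >= TOKEN_BUF_SIZE - 1) {
            on_fatal(lx, "token too large, exceeds token buffer");
            if (lx->aborted)
                break;
            /* warn-only hook returned: execution continues and n is never clamped */
        }
        /* Backstop so this demonstration itself stays memory-safe; the real
         * lexer has no such guard and keeps writing past its buffer. */
        if (n >= sizeof lx->arena)
            break;
        lx->arena[n++] = (unsigned char)*p;   /* out of bounds once n >= TOKEN_BUF_SIZE */
    }
}

/* Scan one token with the given hook and report whether the bytes after the
 * token buffer (the canary) were overwritten. */
bool memory_after_buffer_corrupted(const char *input, fatal_fn on_fatal)
{
    struct lexer lx;

    scan_token(&lx, input, on_fatal);
    return memcmp(lx.arena + TOKEN_BUF_SIZE, CANARY, sizeof CANARY) != 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that exceeds the 16-byte buffer. */
    const char *short_tok = "linux";
    const char *long_tok  = "a_very_long_token_that_exceeds_the_buffer";

    printf("short token, warn-only hook: corrupted=%d\n",
           memory_after_buffer_corrupted(short_tok, fatal_error_warn_only));
    printf("long token,  warn-only hook: corrupted=%d\n",
           memory_after_buffer_corrupted(long_tok, fatal_error_warn_only));
    printf("long token,  aborting hook:  corrupted=%d\n",
           memory_after_buffer_corrupted(long_tok, fatal_error_abort));
    return 0;
}
```

With the warn-only hook the long token reports corrupted=1: the check fires, the message is printed, and the copy loop keeps writing over the canary. With the aborting hook the same input reports corrupted=0. In a bootloader the bytes after the buffer are not a canary but live heap data, which is what turns a configuration file an administrator can edit into code execution before the kernel's signature is ever checked.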


Other vulnerabilities in GRUB2:

  • CVE-2020-14308 - buffer overflow due to a missing check on the size of the memory area allocated by grub_malloc;
  • CVE-2020-14309 - integer overflow in grub_squash_read_symlink, which can lead to data being written outside the allocated buffer;
  • CVE-2020-14310 - integer overflow in read_section_from_string, which can lead to data being written outside the allocated buffer;
  • CVE-2020-14311 - integer overflow in grub_ext2_read_link, which can lead to data being written outside the allocated buffer;
  • CVE-2020-15705 - allows unsigned kernels to be loaded when GRUB2 is booted directly in Secure Boot mode without the shim layer;
  • CVE-2020-15706 - use-after-free (access to already freed memory) when redefining a function at runtime;
  • CVE-2020-15707 - integer overflow in the initrd size handler.

Hotfix package updates have been released for Debian, Ubuntu, RHEL and SUSE. A patch set has been proposed for GRUB2.

Source: opennet.ru
