Vulnerability in Red Hat patches to the GRUB2 bootloader allows bypassing password verification

Information about a vulnerability (CVE-2023-4001) in patches for the GRUB2 boot loader prepared by Red Hat has been disclosed. On many UEFI systems, the vulnerability allows an attacker to bypass the password check configured in GRUB2 to restrict access to the boot menu or the bootloader command line. The vulnerability is caused by a change Red Hat added to the GRUB2 package shipped with RHEL and Fedora Linux. The problem is not present in the main GRUB2 project and affects only distributions that have applied the additional Red Hat patches.

The problem is caused by an error in the logic the boot loader uses to locate, by UUID, the device holding the configuration file (for example, "/boot/efi/EFI/fedora/grub.cfg") that contains the password hash. To bypass authentication, a user with physical access to the computer can connect an external drive, such as a USB flash drive, whose filesystem UUID matches the identifier of the attacked system's /boot partition.

Many UEFI systems enumerate external drives first and place them ahead of internal drives in the list of detected devices, so the /boot partition prepared by the attacker is processed first and GRUB2 tries to load its configuration file from that partition. When GRUB2's "search" command looks for a partition, it takes only the first UUID match and then stops searching. If the main configuration file is not found on that partition, GRUB2 drops to a command prompt that gives full control over the rest of the boot process.

A local unprivileged user can determine a partition's UUID with the "lsblk" utility, and an outsider who has no access to the system but can observe the boot process can, on some distributions, read the UUID from diagnostic messages shown during boot. Red Hat has fixed the vulnerability by adding a new argument to the "search" command that restricts the UUID scan to the block devices from which the boot manager itself was loaded (i.e. the /boot partition must be on the same drive as the EFI system partition).
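The behaviour described above, as an added toy model that is not code from the article, from GRUB2 or from Red Hat's patch: it replays the first-match UUID lookup over a firmware-ordered device list, once unrestricted and once limited to the disk the boot manager was loaded from, and includes the prerequisite check that /boot and the EFI system partition share a disk. All device names, UUIDs and the `efi_disk` parameter are constructed for this example and are not GRUB2's real option names or any real system's identifiers.

```python
"""Toy model of GRUB2's first-match UUID lookup and of a search restricted
to the boot manager's own disk. Added illustration; not GRUB2 code.
All names, UUIDs and the `efi_disk` parameter are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Partition:
    name: str           # GRUB-style device name (constructed)
    disk: str           # physical disk the partition sits on (constructed)
    fs_uuid: str        # filesystem UUID as the boot loader sees it
    has_grub_cfg: bool  # whether the main configuration file exists here


# Enumeration order as firmware hands it to the boot loader. On many UEFI
# systems removable media come first. Sample table, constructed for this example.
FIRMWARE_ORDER = [
    # external USB stick whose UUID was set to match the real /boot partition
    Partition("hd0,gpt1", "usb0", "1111-2222-3333-4444", has_grub_cfg=False),
    # EFI system partition from which the boot manager was loaded
    Partition("hd1,gpt1", "nvme0", "ESP-0001", has_grub_cfg=False),
    # the real /boot partition, with grub.cfg and the password hash
    Partition("hd1,gpt2", "nvme0", "1111-2222-3333-4444", has_grub_cfg=True),
]

BOOT_UUID = "1111-2222-3333-4444"   # UUID that grub.cfg lookup searches for


def search_fs_uuid(devices: Iterable[Partition], uuid: str,
                   efi_disk: Optional[str] = None) -> Optional[Partition]:
    """First-match lookup modelled on `search --fs-uuid`: return the first
    partition whose UUID matches, or None. When `efi_disk` is given
    (hypothetical analogue of the restriction Red Hat added), partitions on
    other disks are skipped, so a cloned UUID on external media cannot win."""
    for part in devices:
        if efi_disk is not None and part.disk != efi_disk:
            continue
        if part.fs_uuid == uuid:
            return part
    return None


def boot_outcome(devices: Iterable[Partition], uuid: str,
                 efi_disk: Optional[str] = None) -> str:
    """'password-protected-menu' if the matched partition carries grub.cfg,
    'command-prompt' if the loader falls back to its unrestricted shell."""
    part = search_fs_uuid(devices, uuid, efi_disk)
    if part is not None and part.has_grub_cfg:
        return "password-protected-menu"
    return "command-prompt"


def same_disk(boot: Partition, esp: Partition) -> bool:
    """Prerequisite for the restricted search: /boot and the EFI system
    partition must live on the same physical drive."""
    return boot.disk == esp.disk


if __name__ == "__main__":
    esp, boot = FIRMWARE_ORDER[1], FIRMWARE_ORDER[2]
    print("boot and ESP share a disk:", same_disk(boot, esp))
    hit = search_fs_uuid(FIRMWARE_ORDER, BOOT_UUID)
    print("unrestricted search matched:", hit.name if hit else None)
    print("unrestricted outcome:", boot_outcome(FIRMWARE_ORDER, BOOT_UUID))
    print("restricted outcome:  ", boot_outcome(FIRMWARE_ORDER, BOOT_UUID, efi_disk=esp.disk))
```

Run as a script, the unrestricted lookup matches the external partition and ends at the command prompt, while the lookup limited to the ESP's disk reaches the password-protected menu. The `same_disk` check models the deployment requirement noted above: if /boot is on a different drive from the EFI system partition, the restricted search would find nothing, so an administrator should confirm that layout before relying on the fix.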

Source: opennet.ru