Vulnerabilities in GRUB2 that can bypass UEFI Secure Boot

Seven vulnerabilities have been fixed in the GRUB2 bootloader that allow UEFI Secure Boot to be bypassed and unverified code to be run, for example to inject malware operating at the bootloader or kernel level. In addition, one vulnerability has been fixed in the shim layer that likewise allows UEFI Secure Boot to be bypassed. The group of vulnerabilities was codenamed BootHole 3, by analogy with similar problems identified earlier in the bootloader.

To fix the problems in GRUB2 and shim, distributions can use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which is supported by GRUB2, shim and fwupd. SBAT was developed in collaboration with Microsoft and adds metadata to UEFI component executables (a .sbat section in the PE file) recording the vendor, product, component and a version (generation number) for each of them. Because the section is part of the signed image, the metadata is covered by the digital signature, and it can be referenced separately in the lists of allowed or revoked components for UEFI Secure Boot.

Most Linux distributions use a small shim layer, digitally signed by Microsoft, for verified boot in UEFI Secure Boot mode. shim verifies GRUB2 with the distribution's own certificate, so distribution developers do not have to have every kernel and GRUB update signed by Microsoft. The GRUB2 vulnerabilities allow an attacker to execute code after shim has been verified but before the operating system is loaded, inserting themselves into the chain of trust while Secure Boot is active and gaining full control over the rest of the boot process: booting another OS, modifying operating system components, and bypassing kernel lockdown.

To fix the bootloader problems, distributions have to generate new internal signatures and update installers, bootloaders, kernel packages, fwupd firmware and the shim layer. Before SBAT was introduced, updating the revocation list (dbx, the UEFI Revocation List) was a prerequisite for fully blocking such a vulnerability, because an attacker, regardless of the installed operating system, could boot from media carrying an old, still validly signed vulnerable version of GRUB2 and compromise UEFI Secure Boot.

Instead of revoking a signature, SBAT allows individual component versions to be blocked without revoking Secure Boot keys. Blocking through SBAT does not need a dbx update: shim keeps a revocation list of minimum generation numbers per component (the SbatLevel UEFI variable) and refuses to load any image whose .sbat section reports an older generation for a listed component, so distributions only need to rebuild GRUB2, shim and their other boot artifacts with the generation number incremented and re-sign them with their own key. SBAT support has been added to most popular Linux distributions.
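
The generation-number comparison described above, written out as an added example (this is not shim's or GRUB2's code; the function names and the sample .sbat and revocation strings are constructed for the illustration, following the public SBAT CSV layout, and the generation values are chosen for the example rather than copied from a real image):

```c
/* sbat_check.c: illustration of SBAT generation-number revocation.
 * Added example, not shim's or GRUB2's own code. Layouts used:
 *   .sbat line:       component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
 *   revocation line:  component_name,minimum_generation[,date]
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 32
#define MAX_NAME 64

struct sbat_entry {
    char name[MAX_NAME];
    unsigned long generation;
};

/* Parse component_name and generation (the first two CSV fields) from each
 * non-empty line. Remaining fields (vendor, package, version, URL, or the
 * policy date in a revocation line) are ignored. Returns the entry count,
 * or -1 on malformed input. */
static int parse_sbat(const char *csv, struct sbat_entry *out, int max)
{
    int n = 0;
    const char *p = csv;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > 0) {
            char line[512];
            const char *comma;
            char *end;

            if (len >= sizeof line || n >= max)
                return -1;
            memcpy(line, p, len);
            line[len] = '\0';

            comma = strchr(line, ',');
            if (comma == NULL || comma == line || (size_t)(comma - line) >= MAX_NAME)
                return -1;
            memcpy(out[n].name, line, (size_t)(comma - line));
            out[n].name[comma - line] = '\0';

            out[n].generation = strtoul(comma + 1, &end, 10);
            if (end == comma + 1 || (*end != ',' && *end != '\0'))
                return -1;
            n++;
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return n;
}

/* Apply the SBAT rule: for every component named in the revocation list, an
 * image entry with the same name must carry a generation >= the listed minimum.
 * Components the image does not declare are not affected by the list.
 * Returns 1 (allowed), 0 (revoked) or -1 (parse error; a loader should deny). */
int sbat_allowed(const char *image_sbat, const char *revocations)
{
    struct sbat_entry img[MAX_ENTRIES], rev[MAX_ENTRIES];
    int ni = parse_sbat(image_sbat, img, MAX_ENTRIES);
    int nr = parse_sbat(revocations, rev, MAX_ENTRIES);

    if (ni < 0 || nr < 0)
        return -1;
    for (int r = 0; r < nr; r++)
        for (int i = 0; i < ni; i++)
            if (strcmp(rev[r].name, img[i].name) == 0 &&
                img[i].generation < rev[r].generation)
                return 0;
    return 1;
}

/* Constructed sample data (not copied from a real image). */
static const char OLD_GRUB_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n";
static const char NEW_GRUB_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n";
/* Constructed revocation policy in SbatLevel layout: component,minimum_generation[,date]. */
static const char REVOCATIONS[] =
    "sbat,1,2022052400\n"
    "grub,2\n";

int main(void)
{
    printf("old GRUB image: %s\n", sbat_allowed(OLD_GRUB_SBAT, REVOCATIONS) == 1 ? "allowed" : "revoked");
    printf("new GRUB image: %s\n", sbat_allowed(NEW_GRUB_SBAT, REVOCATIONS) == 1 ? "allowed" : "revoked");
    return 0;
}
```

The point the check makes concrete: the old image stays validly signed, and its signature is never revoked through dbx; it is refused purely because its grub entry reports generation 1 while the policy demands at least 2. An image that does not declare a listed component at all is not affected, which is why every component in the boot chain must carry its own .sbat entry for the mechanism to be useful.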

Identified vulnerabilities:

  • CVE-2021-3696, CVE-2021-3695 - Heap buffer overflows when processing specially crafted PNG images, which could in theory be used to execute attacker code and bypass UEFI Secure Boot. The problems are noted as hard to exploit, since building a working exploit requires accounting for many factors and knowledge of the memory layout.
  • CVE-2021-3697 - Buffer underflow in the JPEG image processing code. Exploitation requires knowledge of the memory layout and is of roughly the same complexity as the PNG issues (CVSS 7.5).
  • CVE-2022-28733 - Integer underflow in the grub_net_recv_ip4_packets() function, which lets a specially crafted IP packet influence the rsm->total_len value. The issue is rated the most dangerous of the set (CVSS 8.1). On successful exploitation it allows data to be written beyond the buffer boundary, because the wrapped length leads to an allocation that is deliberately too small.
  • CVE-2022-28734 - Single-byte out-of-bounds write when processing split HTTP headers. Parsing specially crafted HTTP responses can corrupt GRUB2 metadata (a null byte is written just past the end of the buffer).
  • CVE-2022-28735 - An issue in the shim_lock verifier that allows non-kernel files to be loaded. The vulnerability could be used to load unsigned kernel modules or other unverified code while UEFI Secure Boot is active.
  • CVE-2022-28736 - Use-after-free in the grub_cmd_chainloader() function when the chainloader command, used to boot operating systems GRUB2 does not support natively, is run repeatedly. Exploitation can lead to execution of attacker code if the attacker can determine the specifics of memory allocation in GRUB2.
  • CVE-2022-28737 - Buffer overflow in the shim layer's handle_image() function when loading and executing custom EFI images.
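
The arithmetic pattern behind CVE-2022-28733 (a header length subtracted from a sender-controlled total without a bounds check), shown as an added example with the vulnerable computation beside a hardened one. This is not GRUB2's code: the struct, the function names and the two sample headers are invented for the illustration, and the example only demonstrates the underflow class, not an exploit.

```c
/* ip_frag_len.c: integer underflow in length arithmetic on attacker-controlled
 * IPv4 header fields. Added illustration; not GRUB2's code, all names invented. */
#include <stdint.h>
#include <stdio.h>

/* Minimal IPv4 header view (host byte order, for the example only). */
struct ipv4_hdr {
    uint8_t  ver_ihl;       /* high nibble: version; low nibble: IHL, header length in 32-bit words */
    uint16_t total_length;  /* datagram length in bytes, including the header */
};

static size_t ihl_bytes(const struct ipv4_hdr *h)
{
    return (size_t)(h->ver_ihl & 0x0f) * 4;
}

/* Vulnerable pattern: subtract the header length from a length the sender
 * controls without first checking that the field covers the header. When
 * total_length < header length the unsigned subtraction wraps to a value near
 * SIZE_MAX, so the size later used to allocate the reassembly buffer and the
 * size used when copying fragment data into it no longer agree. */
size_t payload_len_unchecked(const struct ipv4_hdr *h)
{
    return (size_t)h->total_length - ihl_bytes(h);
}

/* Hardened pattern: reject impossible headers before doing any arithmetic.
 * Returns the payload length, or -1 if the packet must be dropped. */
long payload_len_checked(const struct ipv4_hdr *h)
{
    size_t hdr = ihl_bytes(h);

    if ((h->ver_ihl >> 4) != 4)      /* not an IPv4 header */
        return -1;
    if (hdr < 20)                    /* IHL below 5 is malformed */
        return -1;
    if (h->total_length < hdr)       /* subtraction would underflow */
        return -1;
    return (long)(h->total_length - hdr);
}

/* Constructed samples: a normal 1500-byte datagram with a 20-byte header, and
 * a crafted one whose IHL claims a 60-byte header inside a 24-byte datagram. */
static const struct ipv4_hdr NORMAL_HDR  = { 0x45, 1500 };
static const struct ipv4_hdr CRAFTED_HDR = { 0x4f, 24 };

int main(void)
{
    printf("normal  unchecked=%zu checked=%ld\n",
           payload_len_unchecked(&NORMAL_HDR), payload_len_checked(&NORMAL_HDR));
    printf("crafted unchecked=%zu checked=%ld\n",
           payload_len_unchecked(&CRAFTED_HDR), payload_len_checked(&CRAFTED_HDR));
    return 0;
}
```

For the crafted header the unchecked version yields 24 - 60 wrapped around, a length far larger than any IPv4 datagram, while the checked version refuses the packet. The ordering matters: validate IHL and total_length against each other first, then derive every other length from values already known to be consistent, and never feed a derived length into an allocation or a copy before that validation.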

Source: opennet.ru
