Hard-to-fix vulnerabilities in GRUB2 that allow bypassing UEFI Secure Boot

Details have been disclosed of 8 vulnerabilities in the GRUB2 bootloader that allow the UEFI Secure Boot mechanism to be bypassed and unverified code to be run, for example executing malware that operates at the bootloader or kernel level.

Recall that in most Linux distributions, verified booting in UEFI Secure Boot mode relies on a small shim layer that is digitally signed by Microsoft. This layer verifies GRUB2 with the distribution's own certificate, which lets distribution developers avoid having every kernel and GRUB update certified by Microsoft. The vulnerabilities in GRUB2 make it possible to execute code at the stage after shim has successfully verified the bootloader but before the operating system is loaded, wedging into the chain of trust while Secure Boot mode is active and gaining full control over the rest of the boot process, including loading another OS, modifying operating system components and bypassing Lockdown protection.

As with last year's BootHole vulnerability, updating the bootloader is not enough to block the problem, since an attacker, regardless of the operating system in use, can boot from media carrying an old, digitally signed, vulnerable version of GRUB2 to compromise UEFI Secure Boot. The problem can only be fully addressed by updating the certificate revocation list (dbx, UEFI Revocation List), but in that case the ability to boot old Linux media is lost.

On systems whose firmware carries the updated certificate revocation list, only updated builds of Linux distributions will be able to boot in UEFI Secure Boot mode. Distributions will need to update their installers, bootloaders, kernel packages, fwupd firmware and the shim layer, generating new digital signatures for them. Users will need to update installation images and other bootable media, and load the certificate revocation list (dbx) into the UEFI firmware. Until the dbx in UEFI is updated, the system remains vulnerable regardless of whether updates have been installed in the OS. The status of the vulnerabilities can be checked on these pages: Ubuntu, SUSE, RHEL, Debian.

To solve the problems that arise when distributing revoked certificates, the plan for the future is to use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, support for which has been implemented in GRUB2, shim and fwupd, and which, starting with the next updates, will be used instead of the functionality provided by the dbxtool package. SBAT was developed jointly with Microsoft and involves adding new metadata to the executable files of UEFI components, including information about the vendor, product, component and version. This metadata is certified by the digital signature and can additionally be included in the lists of allowed or prohibited components for UEFI Secure Boot. SBAT will thus make it possible to manage component version numbers during revocation without needing to regenerate the keys for Secure Boot and without generating new signatures for the kernel, shim, grub2 and fwupd.
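A constructed model of the SBAT check described above, added here as an illustration and not code from GRUB2, shim or the article: the entries, vendor names and the revocation policy are made-up sample data, while the column layout follows the published SBAT CSV format (component, generation, vendor, package, version, URL). It shows how revoking a component generation rejects an old signed image without touching any signature.

```python
"""Model of SBAT generation-based revocation (constructed example)."""
import csv
from io import StringIO

# Constructed sample: the .sbat section of a hypothetical signed GRUB2 image.
# Columns: component_name, component_generation, vendor_name,
#          vendor_package_name, vendor_version, vendor_url
SAMPLE_SBAT_SECTION = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.exampledistro,1,Example Distro,grub2,2.04-1,https://example.invalid/
"""

# Constructed revocation policy: component_name, minimum allowed generation.
# Any image declaring a lower generation for that component is refused.
SAMPLE_REVOCATION_POLICY = """\
sbat,1
grub,2
"""

SBAT_FIELDS = ["component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url"]


def parse_sbat(text):
    """Parse SBAT CSV lines into dicts; generation becomes an int."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        entry = dict(zip(SBAT_FIELDS, row))
        entry["component_generation"] = int(entry["component_generation"])
        entries.append(entry)
    return entries


def parse_policy(text):
    """Parse 'component,min_generation' lines into a dict."""
    return {row[0]: int(row[1]) for row in csv.reader(StringIO(text)) if row}


def check_sbat(entries, policy):
    """Return (allowed, reason). Reject if any component in the image is
    listed in the policy with a higher minimum generation than it declares;
    components the policy does not name are not affected."""
    for e in entries:
        minimum = policy.get(e["component_name"])
        if minimum is not None and e["component_generation"] < minimum:
            return False, (f"{e['component_name']} generation "
                           f"{e['component_generation']} < required {minimum}")
    return True, "all components meet the required generation"
```

With the sample policy the old image is refused because its `grub` generation is 1; a rebuilt image declaring `grub,2` passes, even though its signature is unchanged.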

Identified vulnerabilities:

  • CVE-2020-14372 - Using the acpi command in GRUB2, a privileged user on the local system can load modified ACPI tables by placing an SSDT (Secondary System Description Table) in the /boot/efi directory and changing settings in grub.cfg. Even though Secure Boot mode is active, the crafted SSDT is processed by the kernel and can be used to disable the LockDown protection that blocks UEFI Secure Boot bypass paths. As a result, an attacker can load a kernel module or execute code via kexec without digital signature verification.
  • CVE-2020-25632 - A use-after-free memory access in the implementation of the rmmod command, which occurs when an attempt is made to unload any module without regard to its dependencies. The vulnerability does not rule out crafting an exploit that leads to code execution bypassing Secure Boot verification.
  • CVE-2020-25647 - An out-of-bounds write in the grub_usb_device_initialize() function, which is called when USB devices are initialized. The problem can be exploited by connecting a specially prepared USB device that produces parameters whose size does not match the size of the buffer allocated for USB structures. An attacker can achieve execution of unverified code under Secure Boot by manipulating USB devices.
  • CVE-2020-27749 - A buffer overflow in the grub_parser_split_cmdline() function, which can be triggered by specifying variables larger than 2 KB on the GRUB command line. The vulnerability allows code execution bypassing Secure Boot.
  • CVE-2020-27779 - The cutmem command allows an attacker to remove a range of addresses from memory in order to bypass Secure Boot.
  • CVE-2021-3418 - Changes to shim_lock created an additional vector for exploiting last year's CVE-2020-15705 vulnerability. When the certificate used to sign GRUB2 was installed in dbx, GRUB2 allowed any kernel to be loaded directly without signature verification.
  • CVE-2021-20225 - Possible out-of-bounds data write when running commands with a very large number of options.
  • CVE-2021-20233 - Possible out-of-bounds data write due to an incorrect buffer size calculation when using quoting. When calculating the size, it was assumed that three characters are needed to escape a single quote, whereas in fact four are required.

source: budenet.ru
