Vulnerabilities in GRUB2 that allow bypassing UEFI Secure Boot

Seven vulnerabilities have been fixed in the GRUB2 bootloader that allow bypassing the UEFI Secure Boot mechanism and running unverified code, for example to introduce malware that runs at the bootloader or kernel level. In addition, there is one vulnerability in the shim layer, which also allows bypassing UEFI Secure Boot. The group of vulnerabilities has been named Boothole 3, by analogy with similar problems previously identified in the bootloader.

To address the problems in GRUB2 and shim, distributions can use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which is supported by GRUB2, shim and fwupd. SBAT was developed together with Microsoft and works by adding extra metadata to the executable files of UEFI components, including information about the vendor, product, component and version. This metadata is certified with a digital signature and can be included separately in the lists of allowed or prohibited components for UEFI Secure Boot.

Most Linux distributions use a small shim layer, digitally signed by Microsoft, for verified booting in UEFI Secure Boot mode. This layer verifies GRUB2 with its own certificate, which lets distribution developers avoid having every kernel and GRUB update certified by Microsoft. Vulnerabilities in GRUB2 make it possible to execute your own code at the stage after shim has been successfully verified but before the operating system is loaded. This wedges into the chain of trust while Secure Boot mode is active and gives full control over the rest of the boot process, including loading another OS, modifying operating system components and bypassing Lockdown protection.

To fix the problems in the bootloader, distributions must generate new internal digital signatures and update installers, bootloaders, kernel packages, fwupd firmware and the shim layer. Before SBAT was introduced, updating the certificate revocation list (dbx, UEFI Revocation List) was a prerequisite for fully blocking a vulnerability, since an attacker, regardless of the operating system in use, could use bootable media with an old vulnerable version of GRUB2, certified by a digital signature, to compromise UEFI Secure Boot.

Instead of revoking a signature, SBAT allows its use to be blocked for the version numbers of individual components without revoking the keys for Secure Boot. Blocking vulnerabilities through SBAT does not require the UEFI certificate revocation list (dbx); it is done at the level of replacing the internal key used to generate signatures and updating GRUB2, shim and the other boot artifacts supplied by distributions. SBAT support has already been added to most popular Linux distributions.

Identified vulnerabilities:

  • CVE-2021-3696, CVE-2021-3695 - heap-based buffer overflows when processing specially crafted PNG images, which could in principle be used to execute attacker code and bypass UEFI Secure Boot. It is noted that the problem is difficult to exploit, since creating a working exploit requires taking a large number of factors into account and having information about the memory layout.
  • CVE-2021-3697 - A buffer underflow in the JPEG image processing code. Exploiting the issue requires knowledge of the memory layout and is at roughly the same level of complexity as the PNG issue (CVSS 7.5).
  • CVE-2022-28733 - An integer overflow in the grub_net_recv_ip4_packets() function allows the rsm->total_len parameter to be influenced by sending a specially crafted IP packet. The issue is marked as the most dangerous of the vulnerabilities presented (CVSS 8.1). If successfully exploited, the vulnerability allows data to be written beyond the buffer boundary by deliberately allocating a smaller amount of memory.
  • CVE-2022-28734 - A single-byte overflow when processing split HTTP headers. The issue can corrupt GRUB2 metadata (writing a null byte just past the end of the buffer) when specially crafted HTTP requests are parsed.
  • CVE-2022-28735 - An issue in the shim_lock verifier allows non-kernel files to be loaded. The vulnerability can be used to load unsigned kernel modules or unverified code in UEFI Secure Boot mode.
  • CVE-2022-28736 - A use-after-free in the grub_cmd_chainloader() function, triggered by re-executing the chainloader command, which is used to boot operating systems that GRUB2 does not support. Exploitation could lead to execution of attacker code if the attacker is able to determine the memory allocation in GRUB2.
  • CVE-2022-28737 - A buffer overflow in the shim layer occurs in the handle_image() function when loading and executing crafted EFI images.

source: budenet.ru
