Hard-to-fix vulnerabilities in GRUB2 that allow bypassing UEFI Secure Boot

Details have been disclosed about eight vulnerabilities in the GRUB2 bootloader that allow the UEFI Secure Boot mechanism to be bypassed and unverified code to be executed, for example to inject malware that runs at the bootloader or kernel level.

Recall that in most Linux distributions, verified boot in UEFI Secure Boot mode relies on a small shim layer that is digitally signed by Microsoft. This layer verifies GRUB2 with its own certificate, which removes the need for distribution developers to have every kernel and GRUB update certified by Microsoft. Vulnerabilities in GRUB2 allow arbitrary code to be executed after shim has been verified successfully but before the operating system starts. This lets attackers break into the chain of trust while Secure Boot is enabled and gain full control over the rest of the boot process, including booting another OS, modifying operating system components, and bypassing Lockdown protection.

As with last year's BootHole vulnerability, updating the bootloader is not enough to block the problem, because an attacker, regardless of the operating system in use, can use boot media carrying an old, vulnerable, digitally signed version of GRUB2 to compromise UEFI Secure Boot. The problem can only be solved by updating the UEFI revocation list (dbx), but doing so will prevent old Linux installation media from being used.

On systems whose firmware has an updated list of revoked certificates, only updated builds of Linux distributions will be able to boot in UEFI Secure Boot mode. Distributions will need to update installers, bootloaders, kernel packages, fwupd firmware, and the shim layer, generating new digital signatures for them. Users will need to update installation images and other bootable media, and load the list of revoked certificates (dbx) into the UEFI firmware. Until dbx is updated in UEFI, the system remains vulnerable regardless of OS updates. The status of the vulnerability fixes can be assessed on the following pages: Ubuntu, SUSE, RHEL, Debian.

To address the problems that arise from distributing revoked certificates, SBAT (UEFI Secure Boot Advanced Targeting) is planned for use in the future. Support for this mechanism is being implemented for GRUB2, shim, and fwupd. Starting with future updates, it will replace the functionality provided by the dbxtool package. SBAT was developed jointly with Microsoft and involves adding metadata to the executable files of UEFI components, including information about the manufacturer, product, component, and version. This metadata is digitally signed and can additionally be included in the lists of allowed or prohibited components for UEFI Secure Boot. As a result, SBAT will make it possible to manipulate component version numbers during revocation without having to regenerate Secure Boot keys or create new signatures for the kernel, shim, grub2, and fwupd.

Identified vulnerabilities:

  • CVE-2020-14372 - Using the acpi command in GRUB2, a privileged user on the local system can load modified ACPI tables by placing a Secondary System Description Table (SSDT) in the /boot/efi directory and changing settings in grub.cfg. Even when Secure Boot is enabled, the SSDT in question will be executed by the kernel and can be used to disable the LockDown protection that blocks UEFI Secure Boot bypasses. As a result, an attacker can load a kernel module or run code through the kexec mechanism without digital signature verification.
  • CVE-2020-25632 - a use-after-free vulnerability in the implementation of the rmmod command, which occurs when attempting to unload a module without taking its dependencies into account. The vulnerability does not rule out the creation of an exploit that could lead to code execution bypassing Secure Boot verification.
  • CVE-2020-25647 - an out-of-bounds write in the grub_usb_device_initialize() function, which is called during USB device initialization. The issue can be exploited by connecting a specially crafted USB device that supplies parameters whose size does not match the buffer allocated for USB structures. An attacker can run code that has not been verified by Secure Boot by manipulating USB devices.
  • CVE-2020-27749 - a buffer overflow in the grub_parser_split_cmdline() function that can be triggered by specifying variables larger than 1 KB on the GRUB2 command line. The vulnerability allows code to be executed bypassing Secure Boot.
  • CVE-2020-27779 - the cutmem command allows an attacker to remove a range of addresses from memory in order to bypass Secure Boot.
  • CVE-2021-3418 - changes to shim_lock created an additional vector for exploiting last year's CVE-2020-15705 vulnerability. When the certificate used to sign GRUB2 was installed in dbx, GRUB2 allowed any kernel to be loaded directly without signature verification.
  • CVE-2021-20225 - the possibility of writing data beyond the end of a buffer when running commands with a large number of options.
  • CVE-2021-20233 - a buffer overflow caused by an incorrect buffer size calculation when quotation marks are used. The calculation assumed that three characters were needed to escape a single quotation mark, when four are actually required.

Source: opennet.ru
