Two vulnerabilities in GRUB2 that allow bypassing UEFI Secure Boot protection

Information has been disclosed about two vulnerabilities in the GRUB2 bootloader that can lead to code execution when specially crafted fonts are used and certain Unicode sequences are processed. The vulnerabilities can be used to bypass the UEFI Secure Boot verified boot mechanism.

Identified vulnerabilities:

  • CVE-2022-2601 - A buffer overflow in the grub_font_construct_glyph() function when processing specially crafted fonts in the pf2 format, caused by an incorrect calculation of the max_glyph_size parameter and the allocation of a memory area that is knowingly smaller than what is needed to hold the glyphs.
  • CVE-2022-3775 - An out-of-bounds write that occurs when rendering certain Unicode sequences with a specially crafted font. The problem lies in the font handling code and is caused by the lack of a proper check that the width and height of a glyph correspond to the size of the available bitmap. An attacker can craft input so that the tail of the data is written outside the allocated buffer. It is noted that, despite the complexity of exploiting the vulnerability, escalating the problem to code execution is not ruled out.

The fix has been published as a patch. The status of the fix in distributions can be tracked on these pages: Ubuntu, SUSE, RHEL, Fedora, Debian. To fix the problems in GRUB2, updating the package alone is not enough: new internal digital signatures also have to be generated, and the installers, bootloaders, kernel packages, fwupd firmware and shim layer have to be updated.

Most Linux distributions use a small shim layer signed by Microsoft for verified booting in UEFI Secure Boot mode. This layer verifies GRUB2 with its own certificate, which lets distribution developers avoid having every kernel and GRUB update certified by Microsoft. The vulnerabilities in GRUB2 allow an attacker to achieve execution of their code at the stage after successful shim verification but before the operating system is loaded, inserting themselves into the chain of trust while Secure Boot mode is active and gaining full control over the rest of the boot process, including loading another OS, modifying operating system components and bypassing Lockdown protection.

To block the vulnerability without revoking the digital signature, distributions can use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which is supported in GRUB2, shim and fwupd in most popular Linux distributions. SBAT was developed jointly with Microsoft and consists of adding extra metadata to the executable files of UEFI components, including information about the manufacturer, product, component and version. This metadata is covered by the digital signature and can be included separately in the lists of allowed or prohibited components for UEFI Secure Boot.

SBAT makes it possible to block the use of digital signatures for individual component version numbers without revoking the Secure Boot keys. Blocking a vulnerability via SBAT does not require the UEFI certificate revocation list (dbx); instead it is done by replacing the internal key used to generate signatures and updating GRUB2, shim and the other boot artifacts shipped by the distribution. Before SBAT was introduced, updating the certificate revocation list (dbx, UEFI Revocation List) was a prerequisite for completely blocking a vulnerability, since an attacker, regardless of the operating system in use, could use bootable media with an old, vulnerable, digitally signed version of GRUB2 to compromise UEFI Secure Boot.
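The two paragraphs above describe SBAT only in prose. The following added example (it is not from the opennet.ru article, nor code from the GRUB2 or shim projects) models the generation check that makes SBAT work: a binary carries CSV metadata naming each component and its generation number, and a revocation policy names, per component, the lowest generation that is still accepted. The CSV field order follows the shim project's SBAT.md description; the distribution name, vendor URL, package version and policy date are constructed placeholders, and the refusal rules are a simplified model, not shim's actual implementation.

```python
"""Simplified model of an SBAT generation check (added example, not GRUB/shim code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str = ""
    package: str = ""
    version: str = ""
    url: str = ""


# Constructed .sbat section of a hypothetical distribution GRUB2 build.
# Field order as described in shim's SBAT.md:
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.exampledistro,1,Example Distro,grub2,2.06-1,https://example.invalid/grub2
"""

# The same hypothetical build after a rebuild that bumps the upstream grub generation.
FIXED_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,1,Free", "grub,2,Free")

# Constructed revocation policy in the SbatLevel style: each line names a
# component and the lowest generation still accepted. The date is made up.
SBAT_LEVEL = """\
sbat,1,2022111500
grub,2
"""


def parse_sbat(text: str) -> dict[str, SbatEntry]:
    """Parse CSV SBAT metadata into a component -> entry map.

    Malformed input is rejected rather than guessed at: a missing or
    non-numeric generation, or a component listed twice, is itself a
    policy-relevant defect in a boot component.
    """
    entries: dict[str, SbatEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected component,generation: {raw!r}")
        name = fields[0]
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate component {name!r}")
        optional = fields[2:6]
        optional += [""] * (4 - len(optional))
        entries[name] = SbatEntry(name, int(fields[1]), *optional)
    return entries


def check_sbat(binary: dict[str, SbatEntry],
               policy: dict[str, SbatEntry]) -> tuple[bool, list[str]]:
    """Return (allowed, reasons) for a binary's metadata under a policy.

    Modelled rule: a component named in the policy is accepted only if the
    binary's generation for it is >= the policy's generation. Components the
    policy does not mention are unrestricted. A binary with no 'sbat' entry
    at all is treated as unversioned and refused.
    """
    reasons: list[str] = []
    if "sbat" not in binary:
        reasons.append("binary carries no SBAT metadata")
    for name, required in policy.items():
        present = binary.get(name)
        if present is not None and present.generation < required.generation:
            reasons.append(
                f"{name}: generation {present.generation} < required {required.generation}"
            )
    return (not reasons, reasons)


def evaluate(sbat_text: str, policy_text: str) -> tuple[bool, list[str]]:
    """Parse both documents and apply the policy."""
    return check_sbat(parse_sbat(sbat_text), parse_sbat(policy_text))


if __name__ == "__main__":
    for label, text in (("old build", OLD_GRUB_SBAT), ("rebuilt", FIXED_GRUB_SBAT)):
        ok, why = evaluate(text, SBAT_LEVEL)
        print(f"{label}: {'allowed' if ok else 'refused'} {why}")
```

The point the model makes concrete is the one the article relies on: the signing key never changes, yet the old build is refused (its `grub` generation 1 is below the required 2) while the rebuilt binary with the bumped generation passes, so a signed but vulnerable GRUB2 on old media is blocked without touching dbx.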

Source: opennet.ru
