Vulnerabilities in GRUB2 that allow bypassing UEFI Secure Boot

Seven vulnerabilities have been identified in the GRUB2 bootloader that allow bypassing the UEFI Secure Boot mechanism and running unverified code, for example to inject malware that operates at the bootloader or kernel level. In addition, there is one vulnerability in the shim layer that also allows bypassing UEFI Secure Boot. The group of vulnerabilities has been codenamed Boothole 3, by analogy with similar problems previously identified in the bootloader.

To resolve the problems in GRUB2 and shim, distributions will be able to use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which is supported for GRUB2, shim and fwupd. SBAT was developed jointly with Microsoft and involves adding extra metadata to the executable files of UEFI components, including information about the manufacturer, product, component and version. This metadata is certified by a digital signature and can be included separately in the lists of allowed or prohibited components for UEFI Secure Boot.

Most Linux distributions use a small shim layer, digitally signed by Microsoft, for verified booting in UEFI Secure Boot mode. This layer verifies GRUB2 with its own certificate, which means distribution developers do not need to have every kernel and GRUB update certified by Microsoft. Vulnerabilities in GRUB2 make it possible to execute code at the stage after shim has been verified successfully but before the operating system is loaded, wedging into the chain of trust while Secure Boot mode is active and gaining full control over the rest of the boot process, including booting another OS, modifying operating system components and bypassing Lockdown protection.

To fix the problems in the bootloader, distributions will have to create new internal digital signatures and update installers, bootloaders, kernel packages, fwupd firmware and the shim layer. Before SBAT was introduced, updating the certificate revocation list (dbx, UEFI Revocation List) was a prerequisite for blocking the vulnerability completely, because an attacker, regardless of the operating system in use, could use bootable media with an old vulnerable version of GRUB2, certified by a digital signature, to compromise UEFI Secure Boot.

Instead of revoking a signature, SBAT allows its use to be blocked for individual component version numbers without revoking Secure Boot keys. Blocking vulnerabilities via SBAT does not require the UEFI certificate revocation list (dbx); it is done at the level of replacing the internal key used to generate signatures and updating GRUB2, shim and the other boot artifacts supplied by the distribution. SBAT support has now been added to most popular Linux distributions.
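The generation check that SBAT revocation relies on, as an added example that is not part of the original article or of shim's code. It assumes the CSV field order documented in shim's SBAT.md; the sample metadata, the vendor entry `grub.example` and the generation numbers are constructed.

```python
import csv
import io

# Constructed sample of the .sbat section embedded in a boot binary.
# Fields: component, generation, vendor, package, version, URL.
SAMPLE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.example,1,Example Distro,grub2,2.04-1,https://distro.example/grub
"""

# Constructed revocation level: minimum accepted generation per component.
SAMPLE_LEVEL = """\
sbat,1,2022052400
grub,2
"""


def parse_sbat(text):
    """Return {component: generation} from SBAT CSV text."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue  # skip blank or truncated lines
        name, gen = row[0].strip(), row[1].strip()
        if not gen.isdigit():
            raise ValueError(f"bad generation for {name!r}: {gen!r}")
        entries[name] = int(gen)
    return entries


def check_image(sbat_text, level_text):
    """Return the revoked entries as (component, have, need) tuples.

    An empty list means the image passes. An image without any SBAT
    metadata is rejected (this example's fail-closed assumption).
    """
    image = parse_sbat(sbat_text)
    if not image:
        return [("<no .sbat metadata>", 0, 1)]
    minimums = parse_sbat(level_text)
    # Components absent from the revocation level are not restricted.
    return [(name, gen, minimums[name])
            for name, gen in sorted(image.items())
            if name in minimums and gen < minimums[name]]


if __name__ == "__main__":
    for name, have, need in check_image(SAMPLE_SBAT, SAMPLE_LEVEL):
        print(f"revoked: {name} generation {have} < required {need}")
```

Raising a single `grub` generation in the revocation level blocks every vendor's build that still carries the old generation, while the signing keys and dbx stay untouched.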

Identified vulnerabilities:

  • CVE-2021-3696, CVE-2021-3695 - Buffer overflows when processing specially crafted PNG images, which could theoretically be used to execute attacker code and bypass UEFI Secure Boot. It is noted that the problem is difficult to exploit, since creating a working exploit requires taking a large number of factors into account and having information about the memory layout.
  • CVE-2021-3697 - Buffer underflow in the JPEG image processing code. Exploiting the issue requires knowledge of the memory layout and is at about the same level of difficulty as the PNG issue (CVSS 7.5).
  • CVE-2022-28733 - Integer overflow in the grub_net_recv_ip4_packets() function allows the rsm->total_len parameter to be affected by sending a specially crafted IP packet. This issue is marked as the most dangerous of the vulnerabilities presented (CVSS 8.1). If exploited successfully, the vulnerability allows data to be written beyond the buffer boundary, because a deliberately smaller amount of memory is allocated.
  • CVE-2022-28734 - Single-byte buffer overflow when processing split HTTP headers. The issue can corrupt GRUB2 metadata (a null byte is written just past the end of the buffer) when specially crafted HTTP requests are parsed.
  • CVE-2022-28735 - An issue in the shim_lock verifier allows loading non-kernel files. The vulnerability can be used to load unsigned kernel modules or unverified code in UEFI Secure Boot mode.
  • CVE-2022-28736 - Access to already freed memory in the grub_cmd_chainloader() function via repeated execution of the chainloader command, which is used to boot operating systems not supported by GRUB2. Exploitation could lead to execution of attacker code if the attacker is able to determine the memory allocation in GRUB2.
  • CVE-2022-28737 - A buffer overflow in the shim layer occurs in the handle_image() function when loading and executing crafted EFI images.

Source: opennet.ru