Vulnerabilities in GRUB2 that allow bypassing UEFI Secure Boot

7 vulnerabilities have been fixed in the GRUB2 bootloader that allow bypassing the UEFI Secure Boot mechanism and running unverified code, for example to deploy malware that runs at the bootloader or kernel level. In addition, there is one vulnerability in the shim layer, which also allows bypassing UEFI Secure Boot. The group of vulnerabilities has been codenamed Boothole 3, by analogy with similar problems previously identified in the bootloader.

To resolve the problems in GRUB2 and shim, distributions will be able to use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which is supported by GRUB2, shim and fwupd. SBAT was developed jointly with Microsoft and involves adding extra metadata to the executable files of UEFI components, including information about the manufacturer, product, component and version. This metadata is certified with a digital signature and can be included separately in the lists of allowed or prohibited components for UEFI Secure Boot.

Most Linux distributions use a small shim layer digitally signed by Microsoft for verified booting in UEFI Secure Boot mode. This layer verifies GRUB2 with its own certificate, which allows distribution developers not to have every kernel and GRUB update certified by Microsoft. Vulnerabilities in GRUB2 make it possible to execute your own code at the stage after shim has been successfully verified but before the operating system is loaded, wedging into the chain of trust while Secure Boot mode is active and gaining full control over the rest of the boot process, including loading another OS, modifying operating system components and bypassing Lockdown protection.

To fix the problems in the bootloader, distributions will have to create new internal digital signatures and update installers, bootloaders, kernel packages, fwupd firmware and the shim layer. Before the introduction of SBAT, updating the certificate revocation list (dbx, UEFI Revocation List) was a prerequisite for fully blocking the vulnerability, since an attacker, regardless of the operating system in use, could use bootable media with an old vulnerable version of GRUB2, certified by a digital signature, to compromise UEFI Secure Boot.

Instead of revoking a signature, SBAT allows blocking its use for individual component version numbers without having to revoke the keys for Secure Boot. Blocking vulnerabilities through SBAT does not require the use of the UEFI certificate revocation list (dbx); it is carried out at the level of replacing the internal key used to generate signatures and updating GRUB2, shim and other boot artifacts supplied by distributions. SBAT support has now been added to the most popular Linux distributions.
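The version-based blocking described above can be illustrated with a short check, added here as an example and not taken from shim or GRUB2. It assumes the CSV layout and the "generation lower than the required minimum is rejected" rule from the published SBAT design; the sample metadata, the vendor `Example Linux` and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample: CSV text a distribution might embed in the .sbat
# section of its GRUB2 binary (component, generation, vendor, package,
# version, URL). "Example Linux" is a hypothetical vendor.
SAMPLE_IMAGE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.examplelinux,1,Example Linux,grub2,2.04-1,https://example.invalid/grub2
"""

# Constructed sample revocation data: minimum accepted generation per component.
SAMPLE_REVOCATIONS = """\
sbat,1,2022052400
grub,2
"""


def parse_sbat(text):
    """Return {component: generation} from SBAT CSV text."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT row: {row!r}")
        entries[row[0].strip()] = int(row[1])
    return entries


def revoked_components(image_sbat, revocations):
    """List (component, image generation, required minimum) for blocked entries."""
    image = parse_sbat(image_sbat)
    minimum = parse_sbat(revocations)
    return sorted(
        (name, gen, minimum[name])
        for name, gen in image.items()
        if name in minimum and gen < minimum[name]
    )


if __name__ == "__main__":
    for name, have, need in revoked_components(SAMPLE_IMAGE_SBAT, SAMPLE_REVOCATIONS):
        print(f"{name}: generation {have} < required {need}")
```

A single `grub,2` revocation entry blocks every older GRUB2 build that carries `grub,1`, whichever key signed it, which is why no dbx update is needed.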

Identified vulnerabilities:

  • CVE-2021-3696, CVE-2021-3695 - Heap-based buffer overflows when processing specially crafted PNG images, which could potentially be used to execute attacker code and bypass UEFI Secure Boot. It is noted that the problem is difficult to exploit, since creating a working exploit requires taking a large number of factors into account and having information about the memory layout.
  • CVE-2021-3697 - A buffer underflow in the JPEG image processing code. Exploiting the issue requires knowledge of the memory layout and is at about the same level of complexity as the PNG issue (CVSS 7.5).
  • CVE-2022-28733 - An integer overflow in the grub_net_recv_ip4_packets() function allows the rsm->total_len parameter to be affected by sending a specially crafted IP packet. The issue is marked as the most dangerous of the vulnerabilities presented (CVSS 8.1). If successfully exploited, the vulnerability allows data to be written beyond the buffer boundary by allocating a deliberately smaller amount of memory.
  • CVE-2022-28734 - A single-byte buffer overflow when processing split HTTP headers. The issue can corrupt GRUB2 metadata (writing a null byte just past the end of the buffer) when parsing specially crafted HTTP requests.
  • CVE-2022-28735 - An issue in the shim_lock verifier allows non-kernel files to be loaded. The vulnerability can be used to load unsigned kernel modules or unverified code in UEFI Secure Boot mode.
  • CVE-2022-28736 - Access to an already freed memory area in the grub_cmd_chainloader() function when the chainloader command, which is used to boot operating systems not supported by GRUB2, is run again. Exploitation could lead to execution of attacker code if the attacker is able to determine the memory allocation in GRUB2.
  • CVE-2022-28737 - A buffer overflow in the shim layer occurs in the handle_image() function when loading and executing crafted EFI images.

Source: opennet.ru
