21 vulnerabilities in the GRUB2 bootloader

Information about 21 vulnerabilities in the GRUB2 bootloader has been published; most of them lead to buffer overflows and can be used to bypass the UEFI Secure Boot verified-boot mechanism. So far the issues have only just been fixed; the status of the fixes in distributions can be checked on these pages: Debian, Ubuntu, SUSE, RHEL, Fedora. Fixing the GRUB2 issues takes more than updating the package: it also requires generating new internal digital signatures and updating installers, bootloaders, kernel packages, fwupd firmware and the shim layer.

Identified vulnerabilities:

  • CVE-2024-45774: Out-of-bounds write when parsing crafted JPEG images.
  • CVE-2024-45776, CVE-2024-45777: Integer overflow when reading specially crafted .mo files, leading to an out-of-bounds write.
  • CVE-2024-45778, CVE-2024-45779: Integer overflow when working with a corrupted BFS filesystem, leading to a buffer overflow.
  • CVE-2024-45780: Integer overflow when processing specially crafted tar archives, leading to an out-of-bounds write.
  • CVE-2024-45781, CVE-2025-0677: Buffer overflow when working with a corrupted UFS filesystem.
  • CVE-2024-45782, CVE-2025-1125: Buffer overflow when mounting a specially crafted HFS partition.
  • CVE-2025-0622: Use-after-free during module unloading may lead to execution of attacker code.
  • CVE-2025-0624: Buffer overflow in network boot.
  • CVE-2025-0678: Buffer overflow when processing a corrupted Squash4 filesystem.
  • CVE-2025-0684: Buffer overflow when resolving symbolic links on Reiserfs.
  • CVE-2025-0685: Buffer overflow when resolving symbolic links on JFS.
  • CVE-2025-0685: Buffer overflow when resolving symbolic links on ROMFS.
  • CVE-2025-0689: Buffer overflow when processing a specially crafted UDF partition.
  • CVE-2025-0690: Buffer overflow when receiving specially crafted data from the keyboard.
  • CVE-2025-1118: Lockdown isolation mode bypass and arbitrary memory extraction via the dump command.
  • CVE-2024-45775: Missing error-code check when allocating memory while processing passed arguments can lead to corruption of IVT (Interrupt Vector Table) data.
  • CVE-2024-45783: NULL pointer dereference when mounting an invalid HFS+ filesystem.

For verified boot in UEFI Secure Boot mode, most Linux distributions use a small shim layer that is digitally signed by Microsoft. This layer verifies GRUB2 with its own certificate, removing the need for distribution developers to have Microsoft certify every kernel and GRUB update. The vulnerabilities in GRUB2 allow arbitrary code execution after shim verification has succeeded but before the operating system starts. This lets attackers break into the chain of trust while Secure Boot is enabled and gain full control over the rest of the boot process, for example to boot another OS, modify operating-system components, or bypass Lockdown protection.

To block the vulnerabilities without revoking the digital signature, distributions can use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, support for which is implemented for GRUB2, shim and fwupd in the most popular Linux distributions. SBAT was developed in cooperation with Microsoft and involves adding extra metadata to the executable files of UEFI components, including information about the manufacturer, product, component and version. This metadata is digitally signed and can be included separately in the UEFI Secure Boot allow or deny lists.

SBAT makes it possible to block the use of a digital signature for individual component version numbers without revoking the Secure Boot keys. Blocking vulnerabilities via SBAT does not require the UEFI certificate revocation list (dbx); instead it is done by replacing the internal key used to generate signatures and updating GRUB2, shim and the other boot artifacts shipped by the distribution. Before SBAT was introduced, updating the certificate revocation list (dbx, UEFI Revocation List) was mandatory to fully block a vulnerability, since an attacker, regardless of the operating system in use, could boot from media carrying an old vulnerable GRUB2 version that still had a valid digital signature and thereby compromise UEFI Secure Boot.
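As an added illustration of the SBAT mechanism described above (example code written for this page, not taken from the article or from the shim or GRUB2 projects), the following Python parses the CSV-style SBAT metadata of a UEFI image and applies a generation-based revocation policy the way shim's check does; the component rows, generation numbers and policy date are constructed and do not correspond to any real GRUB2 release.

```python
"""Check a UEFI image's SBAT metadata against an SBAT revocation policy.
Mirrors the rule shim applies: a component listed in both the image's .sbat
section and the policy must have generation >= the policy minimum, or the
image is refused. All rows and generation numbers below are constructed."""
from __future__ import annotations
from typing import NamedTuple


class SbatEntry(NamedTuple):
    component: str   # "sbat", "grub", "shim", or vendor-specific "grub.<distro>"
    generation: int  # bumped by the vendor when vulnerabilities are fixed
    rest: tuple      # vendor name, package, version, URL (informational only)


def parse_sbat(section: str) -> list[SbatEntry]:
    """Parse CSV rows 'component,generation[,vendor,package,version,url]'."""
    entries = []
    for raw in section.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields == [""]:
            continue  # skip blank lines
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT row: {raw!r}")
        entries.append(SbatEntry(fields[0], int(fields[1]), tuple(fields[2:])))
    return entries


def sbat_verify(section: str, policy: str) -> tuple[bool, str]:
    """Policy rows are 'component,min_generation'; return (allowed, reason)."""
    entries = parse_sbat(section)
    if not entries:
        return False, "image carries no SBAT metadata"
    minimum = {p.component: p.generation for p in parse_sbat(policy)}
    for e in entries:
        required = minimum.get(e.component)
        if required is not None and e.generation < required:
            return False, f"{e.component} generation {e.generation} < required {required}"
    return True, "all SBAT generations satisfy the policy"


# Constructed sample: a still-signed GRUB2 build before and after a generation bump
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,1,Example Distro,grub2,2.06-1,https://example.org/
"""
FIXED_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,3,", "grub,4,")
# Constructed policy (shim's SbatLevel layout): header row, then minimum generations
POLICY = "sbat,1,2025021800\nshim,2\ngrub,4\n"
```

The old build is refused purely on its generation number while its signature stays valid, which is the point of SBAT: no dbx update is needed to stop a signed-but-vulnerable GRUB2 from loading.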

Source: opennet.ru
