Information on 8 vulnerabilities in the GRUB2 bootloader was recently released. They allow the UEFI Secure Boot mechanism to be bypassed and unverified code to be run, for example to inject malware that runs at the bootloader or kernel level.
Recall that in most Linux distributions, verified boot in UEFI Secure Boot mode relies on a small intermediate layer (shim) certified with a Microsoft digital signature.
This layer verifies GRUB2 against its own certificate, so distribution developers do not have to get every kernel and GRUB update certified by Microsoft.
Vulnerabilities in GRUB2 therefore allow an attacker's code to be executed after verification has succeeded but before the operating system loads, inserting itself into the chain of trust while Secure Boot is active and gaining full control over the rest of the boot process, including booting another operating system, modifying operating system components and bypassing lockdown protection.
As with last year's BootHole vulnerability, updating the bootloader is not enough to block the problem, since an attacker, regardless of the operating system in use, can boot from media carrying an old, vulnerable but validly signed version of GRUB2 to compromise UEFI Secure Boot.
The problem is fully solved only by updating the list of revoked certificates (dbx, the UEFI Revocation List), but this means that old Linux installation media can no longer be booted.
On systems whose firmware carries the updated revocation list, only updated Linux distribution builds can be loaded in UEFI Secure Boot mode.
Distributions will need to update their installers, bootloaders, kernel packages, fwupd firmware and the shim layer, generating new digital signatures for them.
Users will need to update installation images and other boot media and load the certificate revocation list (dbx) into the UEFI firmware. Until dbx is updated in UEFI, the system remains vulnerable regardless of which updates have been installed in the operating system.
To address the problems that arise from distributing revoked certificates, it is planned to use the SBAT mechanism (UEFI Secure Boot Advanced Targeting) in the future, which is now supported by GRUB2, shim and fwupd and will replace the functionality provided by the dbxtool package in future updates. SBAT was developed together with Microsoft and adds new metadata to UEFI component executables, including manufacturer, product, component and version information.
The identified vulnerabilities:
- CVE-2020-14372: with the acpi command in GRUB2, a privileged user on the local system can load modified ACPI tables by placing an SSDT (Secondary System Description Table) in the /boot/efi directory and changing the settings in grub.cfg.
- CVE-2020-25632: use of an already freed memory area (use-after-free) in the implementation of the rmmod command, which occurs when attempting to unload a module without taking its dependencies into account.
- CVE-2020-25647: out-of-bounds write in the grub_usb_device_initialize() function, called when initializing USB devices. The problem can be exploited by connecting a specially crafted USB device that supplies parameters that do not match the size of the buffer allocated for the USB structures.
- CVE-2020-27749: buffer overflow in grub_parser_split_cmdline(), triggered by specifying variables larger than 1 KB on the GRUB2 command line. The vulnerability could allow code execution that bypasses Secure Boot.
- CVE-2020-27779: the cutmem command allows an attacker to remove a range of addresses from memory in order to bypass Secure Boot.
- CVE-2021-3418: the shim_lock changes created an additional vector for exploiting last year's CVE-2020-15705 vulnerability. When the certificate used to sign GRUB2 was added to dbx, GRUB2 allowed any kernel to be loaded directly without signature verification.
- CVE-2021-20225: out-of-bounds write when executing commands with a large number of options.
- CVE-2021-20233: out-of-bounds write caused by an incorrect buffer size calculation when quoting. The size calculation assumed that escaping a single quote takes three characters, whereas it actually takes four.
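The CVE-2021-20233 miscalculation, as an added illustration written for this article (it is a simplified model, not GRUB2's own source): it assumes the common shell convention that an embedded single quote is emitted as the four-byte sequence `'\''`. The hypothetical quoted_len_buggy() budgets three bytes per quote, quoted_len_fixed() four, and quote_arg() avoids this class of bug by measuring with the same routine that writes the output.

```c
#include <stdlib.h>
#include <string.h>

/* Write the single-quoted form of `arg` into `out` (when non-NULL) and return
 * the byte count.  An embedded ' becomes the four-byte sequence '\'' (close
 * the quote, emit an escaped quote, reopen the quote). */
size_t emit_quoted(const char *arg, char *out)
{
    size_t n = 0;
    if (out) out[n] = '\'';
    n++;
    for (const char *p = arg; *p; p++) {
        if (*p == '\'') {
            if (out) memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (out) out[n] = *p;
            n++;
        }
    }
    if (out) out[n] = '\'';
    return n + 1;
}

/* Separate size formula of the kind the advisory describes.  The vulnerable
 * version budgets 3 bytes per embedded quote while the writer emits 4, so
 * each quote in the argument leaves the allocation one byte short. */
size_t quoted_len(const char *arg, size_t bytes_per_quote)
{
    size_t len = 2;                       /* opening and closing quote */
    for (const char *p = arg; *p; p++)
        len += (*p == '\'') ? bytes_per_quote : 1;
    return len;
}
size_t quoted_len_buggy(const char *arg) { return quoted_len(arg, 3); }
size_t quoted_len_fixed(const char *arg) { return quoted_len(arg, 4); }

/* Safer pattern: measure with the same routine that writes, so the size
 * computation and the output format cannot drift apart. */
char *quote_arg(const char *arg)
{
    size_t len = emit_quoted(arg, NULL);
    char *buf = malloc(len + 1);
    if (!buf) return NULL;
    emit_quoted(arg, buf);
    buf[len] = '\0';
    return buf;
}
```

With the constructed argument `it's`, the buggy formula yields 8 bytes while the writer produces 9, and the shortfall grows by one byte per embedded quote.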