Recently news was released that 7 vulnerabilities have been fixed in the boot loader GRUB2 that allow the UEFI Secure Boot mechanism to be bypassed and allow unverified code execution, for example by injecting malware that works at the bootloader or kernel level.
In addition, there is a vulnerability in the shim layer, which also allows UEFI Secure Boot to be bypassed. The group of vulnerabilities was codenamed Boothole 3, similar to similar issues previously identified in the bootloader.
The specified metadata is digitally signed and can be included separately in the lists of allowed or prohibited components for UEFI Secure Boot.
Most Linux distributions use a small patch layer, digitally signed by Microsoft, for verified boot in UEFI Secure Boot mode. This layer verifies GRUB2 with its own certificate, which allows distribution developers to not certify every kernel and GRUB update with Microsoft.
Vulnerabilities in GRUB2 allow for post-verification code execution successful shim, but before loading the operating system, enter the chain of trust with secure boot mode active and gain full control over the subsequent boot process including booting another operating system, modifying system components of the operating system and bypass lock protection.
Instead of revoking the signature, SBAT allows blocking its use for individual component version numbers no need to revoke keys for Secure Boot. Blocking vulnerabilities via SBAT does not require the use of a UEFI CRL (dbx), but is done at the internal key replacement level to generate signatures and update GRUB2, shim, and other distribution-supplied boot artifacts. SBAT support has now been added to most popular Linux distributions.
Our identified vulnerabilities are as follows:
- CVE-2021-3696, CVE-2021-3695- Heap buffer overflows when processing specially crafted PNG images, which could in theory be used to stage attack code execution and bypass UEFI Secure Boot. It is noted that the problem is difficult to exploit, as creating a working exploit requires taking into account a large number of factors and the availability of memory layout information.
- CVE-2021-3697: buffer underflow in JPEG image processing code. Exploiting the problem requires knowledge of memory layout and is about the same level of complexity as the PNG problem (CVSS 7.5).
- CVE-2022-28733: An integer overflow in the grub_net_recv_ip4_packets() function that allows you to influence the rsm->total_len parameter by sending a specially crafted IP packet. The issue is marked as the most dangerous of the submitted vulnerabilities (CVSS 8.1). If successfully exploited, the vulnerability allows data to be written outside the buffer boundary by deliberately allocating a smaller memory size.
- CVE-2022-28734: Single byte buffer overflow when processing split HTTP headers. The issue can cause GRUB2 metadata to become corrupted (write a null byte just after the end of the buffer) when parsing specially crafted HTTP requests.
- CVE-2022-28735: a problem in the shim_lock checker that allows non-kernel files to be loaded. The vulnerability could be exploited to boot unsigned kernel modules or unverified code in UEFI Secure Boot mode.
- CVE-2022-28736: Access to an area of memory already freed in the grub_cmd_chainloader() function by re-executing the chainloader command that is used to load operating systems not supported by GRUB2. The exploitation can lead to the execution of the attacker's code if the attacker can determine the details of the memory allocation in GRUB2.
- CVE-2022-28737: Fix layer buffer overflow in handle_image() function when loading and running custom EFI images.
To troubleshoot GRUB2 and shim, distributions will be able to use the SBAT mechanism (Usefi Secure Boot Advanced Targeting), which is compatible with GRUB2, shim, and fwupd. SBAT was developed in collaboration with Microsoft and involves adding additional metadata to UEFI component executable files, including manufacturer, product, component, and version information.
Finally, if you are interested in knowing more about it, you can consult the details In the following link.