8 vulnerabilities identified in GRUB2 that allow execution of unverified code

Information was recently released about 8 vulnerabilities in the GRUB2 bootloader that allow bypassing the UEFI Secure Boot mechanism and executing unverified code, for example to inject malware that runs at the bootloader or kernel level.

Remember that in most Linux distributions, verified boot in UEFI Secure Boot mode relies on a small shim layer that is certified with a Microsoft digital signature.

This layer verifies GRUB2 against its own certificate, so developers do not have to get every kernel and GRUB update certified by Microsoft.

As a result, vulnerabilities in GRUB2 allow code to be executed at the stage after successful shim verification but before the operating system is loaded. The code fits into the chain of trust while Secure Boot is active and gains full control over the rest of the boot process, including booting another operating system, modifying operating system components and bypassing the lockdown protection.

As with last year's BootHole vulnerability, updating the bootloader is not enough to block the problem, because an attacker, regardless of the operating system in use, can use boot media with an old, vulnerable version of GRUB2 that is certified with a digital signature to compromise UEFI Secure Boot.

The problem is solved only by updating the list of revoked certificates (dbx, UEFI Revocation List), but in that case the ability to use old Linux installation media is lost.

On systems whose firmware has an updated list of revoked certificates, only updated builds of Linux distributions can be loaded in UEFI Secure Boot mode.

Distributions will need to update installers, bootloaders, kernel packages, fwupd firmware and the shim layer, generating new digital signatures for them.

Users will need to update installation images and other boot media and load the certificate revocation list (dbx) into the UEFI firmware. Until dbx is updated in UEFI, the system remains vulnerable regardless of whether updates are installed in the operating system.

To solve the problems that arise from distributing revoked certificates, it is planned to use the SBAT mechanism (UEFI Secure Boot Advanced Targeting) in the future. It is now supported by GRUB2, shim and fwupd, and will replace the functionality provided by the dbxtool package in future updates. SBAT was developed jointly with Microsoft and adds new metadata to UEFI executable files, which includes manufacturer, product, component and version information.
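The following added example (not code from shim, GRUB2 or the original article) shows how a verifier can use SBAT metadata for a revocation decision. It assumes the CSV layout of the public SBAT specification, in which each entry starts with a component name and a generation number, and treats a binary as revoked when a component's generation is below the minimum in the revocation list; the sample section contents and URLs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of a bootloader's .sbat section (not from a real binary). */
static const char SAMPLE_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat\n"
    "grub,1,Free Software Foundation,grub,2.04,https://example.invalid/grub\n"
    "grub.distro,1,Example Distro,grub2,2.04-1,https://example.invalid/distro\n";

/* Generation of `component` in "name,generation,..." CSV text, or -1 if absent. */
long sbat_generation(const char *csv, const char *component)
{
    size_t nlen = strlen(component);
    for (const char *line = csv; line && *line; ) {
        if (strncmp(line, component, nlen) == 0 && line[nlen] == ',')
            return strtol(line + nlen + 1, NULL, 10);
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Returns 1 when any component in `metadata` has a generation below the
 * minimum listed for it in `revocations` ("name,min_generation" per line). */
int sbat_is_revoked(const char *metadata, const char *revocations)
{
    char name[64];
    long min_gen;
    for (const char *line = revocations; line && *line; ) {
        if (sscanf(line, "%63[^,\n],%ld", name, &min_gen) == 2) {
            long have = sbat_generation(metadata, name);
            if (have >= 0 && have < min_gen)
                return 1;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

int main(void)
{
    printf("grub>=1 required: revoked=%d\n", sbat_is_revoked(SAMPLE_SBAT, "sbat,1\ngrub,1\n"));
    printf("grub>=2 required: revoked=%d\n", sbat_is_revoked(SAMPLE_SBAT, "sbat,1\ngrub,2\n"));
    return 0;
}
```

Raising one generation number in the revocation list rejects every older build of that component at once, which is what lets this approach replace per-binary entries in dbx.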

The identified vulnerabilities:

  1. CVE-2020-14372: With the acpi command in GRUB2, a privileged user on the local system can load modified ACPI tables by placing an SSDT (Secondary System Description Table) in the /boot/efi directory and changing the settings in grub.cfg.
  2. CVE-2020-25632: Access to an already freed memory area (use-after-free) in the implementation of the rmmod command, which manifests when attempting to unload any module without taking its dependencies into account.
  3. CVE-2020-25647: Out-of-bounds buffer write in the grub_usb_device_initialize() function, which is called when USB devices are initialized. The problem can be exploited by connecting a specially crafted USB device that produces parameters that do not match the size of the buffer allocated for USB structures.
  4. CVE-2020-27749: Overflow in grub_parser_split_cmdline() that can be triggered by specifying variables larger than 1 KB on the GRUB2 command line. The vulnerability could allow code execution that bypasses Secure Boot.
  5. CVE-2020-27779: The cutmem command allows an attacker to remove a range of addresses from memory to bypass Secure Boot.
  6. CVE-2021-3418: The shim_lock changes created an additional vector for exploiting last year's CVE-2020-15705 vulnerability. When the certificate used to sign GRUB2 was installed in dbx, GRUB2 allowed any kernel to be loaded directly without verifying its signature.
  7. CVE-2021-20225: The ability to write data outside the buffer when executing commands with a large number of options.
  8. CVE-2021-20233: The ability to write data outside the buffer because of an incorrect buffer size calculation when quotes are used. When calculating the size, it was assumed that three characters are needed to escape a single quote, although it actually takes four.
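The size miscalculation described for CVE-2021-20233, reproduced on a toy quoting routine as an added example (not GRUB2's code). It assumes the escape is the shell-style `'\''` sequence, and the function names and the input string are hypothetical; `quote_arg` checks the real size before writing, so a buffer sized with the three-byte estimate is refused rather than overrun.

```c
#include <stdio.h>
#include <string.h>

/* Assumed escape for a quote inside a single-quoted string: '\'' */
#define ESCAPED_QUOTE "'\\''"
#define ASSUMED_COST 3   /* bytes per quote in the flawed size estimate */
#define ACTUAL_COST  4   /* bytes the escape really occupies */

/* Bytes needed (without NUL) to quote `s`, charging quote_cost per quote. */
size_t quoted_len(const char *s, size_t quote_cost)
{
    size_t len = 2;                      /* opening and closing quote */
    for (; *s; s++)
        len += (*s == '\'') ? quote_cost : 1;
    return len;
}

/* Quote `s` into dst (capacity cap, including the NUL). Returns the length
 * written, or -1 if the buffer is too small, so nothing is written past it. */
long quote_arg(char *dst, size_t cap, const char *s)
{
    size_t n = 0;
    if (quoted_len(s, ACTUAL_COST) + 1 > cap)
        return -1;
    dst[n++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            memcpy(dst + n, ESCAPED_QUOTE, ACTUAL_COST);
            n += ACTUAL_COST;
        } else {
            dst[n++] = *s;
        }
    }
    dst[n++] = '\'';
    dst[n] = '\0';
    return (long)n;
}

int main(void)
{
    char buf[32];
    const char *arg = "it's";            /* constructed input */
    size_t wrong = quoted_len(arg, ASSUMED_COST), right = quoted_len(arg, ACTUAL_COST);
    printf("estimated %zu bytes, actually %zu\n", wrong, right);
    printf("buffer sized by estimate: %ld\n", quote_arg(buf, wrong + 1, arg));
    printf("buffer sized correctly:   %ld\n", quote_arg(buf, right + 1, arg));
    return 0;
}
```

The shortfall is one byte per embedded quote, so an unchecked writer would run further past the buffer the more quotes the input contains.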

Source: https://ubuntu.com

