8 vulnerabilities identified in GRUB2 that allow execution of unverified code

Details were recently published about 8 vulnerabilities in the GRUB2 bootloader that allow the UEFI Secure Boot mechanism to be bypassed and unverified code to be run, for example to install malware that operates at the bootloader or kernel level.

Recall that in most Linux distributions, verified boot in UEFI Secure Boot mode relies on a small shim layer that carries a Microsoft digital signature.

This layer verifies GRUB2 against its own certificate, which spares developers from having every kernel and every GRUB update certified by Microsoft.

Vulnerabilities in GRUB2 therefore make it possible to get code executed at the stage after the shim has been verified successfully but before the operating system is loaded. That code sits inside the chain of trust while Secure Boot is active and gains full control over the rest of the boot process, including booting another operating system, modifying operating system components and bypassing lockdown protection.

As with last year's BootHole vulnerability, updating the bootloader is not enough to block the problem, because an attacker, regardless of which operating system is in use, can use boot media carrying a vulnerable version of GRUB2 that is certified with a digital signature to compromise UEFI Secure Boot.

The problem is solved only by updating the list of revoked certificates (dbx, the UEFI Revocation List), but in that case the ability to use old Linux installation media is lost.

On systems whose firmware has an updated list of revoked certificates, only updated builds of Linux distributions can be loaded in UEFI Secure Boot mode.

Distributions will need to update installers, bootloaders, kernel packages, fwupd firmware and the shim layer, generating new digital signatures for them.

Users will need to update installation images and other boot media and load the certificate revocation list (dbx) into the UEFI firmware. Until the dbx is updated in UEFI, the system remains vulnerable regardless of whether updates have been installed in the operating system.

To solve the problems found with distributing revoked certificates, the plan is to use the SBAT mechanism (UEFI Secure Boot Advanced Targeting) in the future. SBAT is now supported by GRUB2, shim and fwupd, and in future updates it will replace the functionality provided by the dbxtool package. SBAT was developed together with Microsoft and adds new metadata to UEFI executable files, including information about the manufacturer, product, component and version.

The vulnerabilities identified:

  1. CVE-2020-14372: With the acpi command in GRUB2, a privileged user on the local system can load modified ACPI tables by placing an SSDT (Secondary System Description Table) in the /boot/efi directory and changing the settings in grub.cfg.
  2. CVE-2020-25632: Access to an already freed memory area (use-after-free) in the implementation of the rmmod command, which occurs when an attempt is made to unload any module without checking the dependencies associated with it.
  3. CVE-2020-25647: Out-of-bounds write in the grub_usb_device_initialize() function, which is called when USB devices are initialized. The problem can be exploited by connecting a specially prepared USB device that produces parameters that do not match the size of the buffer allocated for the USB structures.
  4. CVE-2020-27749: Buffer overflow in grub_parser_split_cmdline() that can be triggered by specifying variables larger than 1 KB on the GRUB2 command line. The vulnerability could allow code execution that bypasses Secure Boot.
  5. CVE-2020-27779: The cutmem command allows an attacker to remove a range of addresses from memory in order to bypass Secure Boot.
  6. CVE-2021-3418: Changes to shim_lock created an additional vector for exploiting last year's CVE-2020-15705 vulnerability. When the certificate used to sign GRUB2 was installed in dbx, GRUB2 allowed any kernel to be loaded directly without verifying its signature.
  7. CVE-2021-20225: The ability to write data outside the buffer when executing commands with a large number of options.
  8. CVE-2021-20233: The ability to write data outside the buffer because of an incorrect buffer size calculation when quotes are used. When the size was calculated, it was assumed that escaping a single quote takes three characters, when in fact it takes four.
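
The size miscount described for CVE-2021-20233, shown as an added example that is not GRUB2's own code: the buffer is sized with four bytes per escaped quote and every write is checked against the allocation. The function names, the `'\''` escape form and the sample string are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to emit arg wrapped in single quotes when every embedded
   quote costs per_quote bytes (assumed escape form: '\'' = 4 bytes). */
static size_t quoted_len(const char *arg, size_t per_quote)
{
    size_t len = 2;                       /* opening and closing quote */
    for (const char *p = arg; *p; p++)
        len += (*p == '\'') ? per_quote : 1;
    return len;
}

/* Hardened writer: sizes the buffer with 4 bytes per quote and checks
   each write against the allocation. Returns NULL on failure. */
static char *quote_arg(const char *arg)
{
    size_t cap = quoted_len(arg, 4) + 1;  /* +1 for the terminator */
    char *out = malloc(cap), *w = out;
    if (!out)
        return NULL;
    *w++ = '\'';
    for (const char *p = arg; *p; p++) {
        size_t need = (*p == '\'') ? 4 : 1;
        if ((size_t)(w - out) + need + 2 > cap) {  /* keep room for "'\0" */
            free(out);
            return NULL;
        }
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

int main(void)
{
    const char *sample = "it's 'x'";      /* constructed input, 3 quotes */
    char *q = quote_arg(sample);
    if (!q)
        return 1;
    /* The 3-byte estimate falls one byte short for every quote. */
    printf("%s\nwritten=%zu three_byte_estimate=%zu\n", q, strlen(q),
           quoted_len(sample, 3));
    free(q);
    return 0;
}
```
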

Source: https://ubuntu.com

