Do you use GRUB2? You should update now, as 8 vulnerabilities have been found in it

Vulnerability

If you are using GRUB2 as the bootloader on your computer, you should update it now: 8 vulnerabilities were recently disclosed in the GRUB2 bootloader, one of which is rated critical.

The most dangerous of them is the one code-named BootHole (CVE-2020-10713). This vulnerability makes it possible to bypass the UEFI Secure Boot mechanism and run malicious software that never goes through signature verification.

The peculiarity of this vulnerability is that updating GRUB2 is not enough to fix it: an attacker can boot from media that carries an old, still vulnerable GRUB2 build which was signed before the fix, and that signature remains valid. In this way the attacker can subvert the verification chain not only for Linux, but also for other operating systems, including Windows.

The problem is that most Linux distributions use a small shim layer for verified boot, and that shim is digitally signed by Microsoft.

This layer verifies GRUB2 with the distribution's own certificate, so that distribution developers do not have to submit every GRUB and kernel update to Microsoft for signing.

By changing the content of grub.cfg, the vulnerability lets an attacker execute their own code at the stage after shim has successfully verified GRUB2 but before the operating system loads, inserting themselves into the chain of trust while Secure Boot is active and gaining total control over the rest of the boot process, including booting another operating system, modifying operating system components, and bypassing other boot-time protections.

The vulnerability is a buffer overflow that can be exploited to execute arbitrary code during the boot process. It is triggered while parsing the grub.cfg configuration file, which usually lives on the ESP (EFI System Partition) and can be edited by an attacker with administrator rights without touching the signed shim and GRUB2 executables, so their integrity checks still pass.

The root cause is a mistake in the configuration parser code: the fatal parsing error handler YY_FATAL_ERROR only printed a warning instead of terminating, so parsing carried on past the point where it should have stopped, with an overflowed buffer. The need for privileged access to the system reduces the danger of the vulnerability; however, the flaw is a way to implant hidden rootkits, and it can also be exploited with physical access to the machine (if booting from the attacker's own media is possible).
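As an added illustration of the parser defect just described (this is example code written for this page, not GRUB2's source), a scanner copies one configuration token into a fixed-size buffer. In the warn-only variant the "fatal" handler mirrors the YY_FATAL_ERROR behaviour above: it reports the overflow and lets the copy continue. The hardened variant stops before the first out-of-bounds byte. The buffer sizes, the guard region and the function names are hypothetical; the guard bytes placed right after the buffer make the overflow observable without corrupting anything else.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_BUF  16     /* hypothetical size of the lexer's token buffer */
#define GUARD_LEN  16     /* bytes placed right after the buffer to detect overflow */
#define GUARD_BYTE 0xA5

struct lexer {
    char mem[TOKEN_BUF + GUARD_LEN]; /* mem[0..TOKEN_BUF) is the token buffer, the rest is guard */
    int fatal_count;                 /* how many times the "fatal" handler fired */
};

static void lexer_init(struct lexer *lx)
{
    memset(lx->mem, 0, TOKEN_BUF);
    memset(lx->mem + TOKEN_BUF, GUARD_BYTE, GUARD_LEN);
    lx->fatal_count = 0;
}

/* Returns 1 if any guard byte was overwritten, i.e. the token buffer overflowed. */
int lexer_guard_clobbered(const struct lexer *lx)
{
    for (int i = 0; i < GUARD_LEN; i++)
        if ((unsigned char)lx->mem[TOKEN_BUF + i] != GUARD_BYTE)
            return 1;
    return 0;
}

/* Vulnerable pattern: the "fatal" handler reports the condition and returns,
 * and the scanner keeps copying. The copy is bounded to the backing array only
 * so this demo stays in bounds; a real lexer has no such bound. */
int scan_token_warn_only(struct lexer *lx, const char *input)
{
    int n = 0;
    lexer_init(lx);
    while (input[n] != '\0' && input[n] != ' ' && n < TOKEN_BUF + GUARD_LEN) {
        if (n == TOKEN_BUF - 1) {
            fprintf(stderr, "fatal error: input buffer overflow\n"); /* warns ... */
            lx->fatal_count++;                                       /* ... and continues */
        }
        lx->mem[n] = input[n];
        n++;
    }
    return n; /* bytes copied, guard possibly clobbered */
}

/* Hardened pattern: a token that would not fit (NUL included) is rejected
 * before any byte is written past the buffer. Returns -1 on error. */
int scan_token_abort(struct lexer *lx, const char *input)
{
    int n = 0;
    lexer_init(lx);
    while (input[n] != '\0' && input[n] != ' ') {
        if (n >= TOKEN_BUF - 1) {
            fprintf(stderr, "fatal error: token too long, aborting parse\n");
            lx->fatal_count++;
            return -1;
        }
        lx->mem[n] = input[n];
        n++;
    }
    lx->mem[n] = '\0';
    return n;
}

int main(void)
{
    struct lexer lx;
    /* constructed 30-byte token, longer than the 16-byte buffer */
    const char *cfg_token = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
    int rc;

    scan_token_warn_only(&lx, cfg_token);
    printf("warn-only scanner: guard clobbered = %d\n", lexer_guard_clobbered(&lx));

    rc = scan_token_abort(&lx, cfg_token);
    printf("aborting scanner:  rc = %d, guard clobbered = %d\n", rc, lexer_guard_clobbered(&lx));
    return 0;
}
```

Compile with any C compiler and run: the warn-only scanner prints its "fatal error" yet still returns with the guard region overwritten, which is the condition a crafted grub.cfg exploits; the aborting scanner refuses the token and leaves the guard intact.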

The other vulnerabilities that were found are:

  • CVE-2020-14308: buffer overflow because grub_malloc does not validate the requested allocation size, so the size arithmetic can overflow.
  • CVE-2020-14309: integer overflow in grub_squash_read_symlink, which can cause data to be written outside the allocated buffer.
  • CVE-2020-14310: integer overflow in read_section_from_string, which can cause data to be written outside the allocated buffer.
  • CVE-2020-14311: integer overflow in grub_ext2_read_link, which can cause data to be written outside the allocated buffer.
  • CVE-2020-15705: allows an unsigned kernel to be booted directly in Secure Boot mode when GRUB2 is used without the shim layer.
  • CVE-2020-15706: use-after-free when a script function is redefined while it is still executing.
  • CVE-2020-15707: integer overflow in the initrd size handling.
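The arithmetic behind the integer-overflow entries in the list above, as an added example written for this page (not GRUB2 code): a length taken from untrusted on-disk metadata is used in `len + 1`, in a running sum of image sizes, or in `count * size` before a buffer is allocated, and the result silently wraps to a small value. The 32-bit `fw_size_t` (modelling a 32-bit firmware build) and the function names are assumptions for the illustration; each unchecked form is shown beside a checked form that refuses to proceed when the computation would wrap.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t fw_size_t;   /* assumption: the size type of a 32-bit firmware build */

/* Symlink target length read from disk, plus one byte for the terminator.
 * Unchecked: 0xFFFFFFFF + 1 wraps to 0, so a 0-byte buffer is allocated for a
 * copy of 0xFFFFFFFF bytes. Returns what the caller would hand to the allocator. */
fw_size_t symlink_buf_size_unchecked(fw_size_t link_len)
{
    return link_len + 1;
}

/* Checked: returns 1 and sets *out, or 0 if the addition would wrap. */
int symlink_buf_size_checked(fw_size_t link_len, fw_size_t *out)
{
    if (link_len > UINT32_MAX - 1)
        return 0;
    *out = link_len + 1;
    return 1;
}

/* Total size of several initrd images. Unchecked: two 2 GiB images sum to 0. */
fw_size_t initrd_total_unchecked(const fw_size_t *sizes, int n)
{
    fw_size_t total = 0;
    for (int i = 0; i < n; i++)
        total += sizes[i];
    return total;
}

/* Checked: fails as soon as adding the next image would wrap the running total. */
int initrd_total_checked(const fw_size_t *sizes, int n, fw_size_t *out)
{
    fw_size_t total = 0;
    for (int i = 0; i < n; i++) {
        if (sizes[i] > UINT32_MAX - total)
            return 0;
        total += sizes[i];
    }
    *out = total;
    return 1;
}

/* count * element_size for an array allocation, checked through a 64-bit product. */
int array_bytes_checked(fw_size_t count, fw_size_t elem, fw_size_t *out)
{
    uint64_t prod = (uint64_t)count * elem;
    if (prod > UINT32_MAX)
        return 0;
    *out = (fw_size_t)prod;
    return 1;
}

int main(void)
{
    /* constructed inputs: a hostile symlink length and two oversized images */
    fw_size_t hostile_len = 0xFFFFFFFFu;
    fw_size_t images[2] = { 0x80000000u, 0x80000000u };
    fw_size_t out;

    printf("symlink unchecked: %u bytes, checked accepted: %d\n",
           symlink_buf_size_unchecked(hostile_len),
           symlink_buf_size_checked(hostile_len, &out));
    printf("initrd unchecked:  %u bytes, checked accepted: %d\n",
           initrd_total_unchecked(images, 2),
           initrd_total_checked(images, 2, &out));
    printf("array 65536*65536 checked accepted: %d\n",
           array_bytes_checked(0x10000u, 0x10000u, &out));
    return 0;
}
```

The unchecked forms print 0 bytes for inputs that describe gigabytes of data; an allocator given that size hands back a tiny buffer and the subsequent copy runs past it, which is the write-outside-the-buffer outcome the list describes.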

Solutions

Not all is lost, though: the problem can be closed off by updating the list of revoked certificates (dbx, the UEFI Revocation List) on the system, but then old Linux installation media can no longer be booted under Secure Boot.

Some hardware manufacturers have already included an updated revocation list in their firmware; on such systems, in UEFI Secure Boot mode, only up-to-date builds of Linux distributions can be booted.

To fix the vulnerability in the distributions, the installers, bootloaders, kernel packages, fwupd firmware updater and shim compatibility layer also need to be updated and signed with new digital signatures.

Users will need to update installation images and other boot media and load the Certificate Revocation List (dbx) into the UEFI firmware. Until the dbx in UEFI is updated, the system remains vulnerable regardless of which updates have been installed in the operating system.

Finally, patch updates have been released for Debian, Ubuntu, RHEL and SUSE, and a set of patches has been released for GRUB2 itself.



  1.   Fernando said

    It would be good to clarify whether these vulnerabilities can be exploited locally or remotely; that changes the dimension of the problem.

  2.   Mario said

    It would be more useful to know how these things are solved, because in my particular case I have no idea where to even start.
    A day or two ago I noticed that I got a GRUB2 update; I don't know if it was the patch, it was just an update... anyway...
    They talk about updating firmware, digital certificates, loading the Certificate Revocation List (dbx) into the UEFI firmware; where or how is this done?
    That is, as information it is good, but for a newbie it is as if they were speaking Mandarin Chinese.
    It is a constructive criticism.

  3.   rhinestones said

    Good Clickbait:

    The vulnerability is a buffer overflow related to how GRUB2 parses its grub.cfg configuration file. An attacker with admin privileges on the targeted system can modify this file so that their malicious code is executed in the UEFI environment before the OS is loaded.

    Stop scaring people