GRUB2 Boot Loader Reveals Multiple High Severity Vulnerabilities
GRUB, a popular boot loader used by Unix-based operating systems has fixed multiple high severity vulnerabilities.
In 2020, BleepingComputer had reported on the BootHole vulnerability in GRUB2 that could have let attackers compromise an operating system’s booting process even if the Secure Boot verification mechanism was active.
Threat actors could further abuse the flaw to hide arbitrary code (“bootkit”) within the OS that would run on every boot.
Particularly, flaws like these in boot loaders allow circumvention of UEFI Secure Boot, a verification mechanism for ensuring that code executed by a computer’s UEFI firmware is trusted and not malicious.
117 patches issued for high severity GRUB2 vulnerabilities
This week GRUB project maintainers have released hundreds of upstream patches for the severe boot loader flaws listed below.
“The BootHole vulnerability announced last year encouraged many people to take a closer look at the security of boot process in general and the GRUB bootloader in particular.”
Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service
“Due to that, during past few months we were getting reports of, and also discovering various security flaws in the GRUB ourselves,” said Oracle software developer and GRUB maintainer Daniel Kiper.
Referring to the list of vulnerabilities and CVEs that were remedied, Kiper stated the patch bundle fixing all the bugs comprises 117 patches.
The list of GRUB2 vulnerabilities is as follows:
| CVE | CVSS 3.1 Severity | Type | Description | Reported by |
|---|---|---|---|---|
| CVE-2020-14372 | High (7.5) | Incomplete List of Disallowed Inputs | The acpi command allows privileged user to load crafted ACPI tables when Secure Boot is enabled. | Máté Kukri |
| CVE-2020-25632 | High (7.5) | Use-after-free | The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload a module used as dependency without checking if any other dependent module is still loaded. | Chris Coulson (Canonical) |
| CVE-2020-25647 | Medium (6.9) | Out-of-bound write | grub_usb_device_initialize() is called to handle USB device initialization. It reads out the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption or lead to arbitrary code execution. | Joseph Tartaro (IOActive), Ilja van Sprundel (IOActive) |
| CVE-2020-27749 | High (7.5) | Stack buffer overflow | grub_parser_split_cmdline() expands variable names present in the supplied command line in to their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. An attacker can exploit the flaw to circumvent Secure Boot protections. | Chris Coulson (Canonical) |
| CVE-2020-27779 | High (7.5) | Improper Authorization | The cutmem command allows privileged user to remove memory regions when Secure Boot is enabled | Teddy Reed |
| CVE-2021-3418 | Medium (6.4) | Improper Preservation of Permissions | GRUB 2.05 reintroduced CVE-2020-15705. This refers to a distro a specific flaw which made upstream in the mentioned version. | Dimitri John Ledkov (Canonical) |
| CVE-2021-20225 | High (7.5) | Heap out-of-bounds write | The option parser in GRUB2 allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. | Daniel Axtens (IBM) |
| CVE-2021-20233 | High (7.5) | Heap out-of-bound write | There’s a flaw on GRUB2 menu rendering code setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters. | Daniel Axtens (IBM) |
Vendors yet to release full mitigation details
Kiper described the improvements made to resolve these flaws in GRUB’s mailing list.
Although 117 upstream code patches have been issued to resolve these CVEs, detailed instructions with regards to mitigation and obtaining updates would be provided by OS vendors.
“Details of exactly what needs updating will be provided by the respective distros and vendors when updates become available.”
Advisories have also been published by Canonical (Ubuntu), Debian, RedHat, and Suse detailing remediation steps.
“It is important to know that shim and SBAT development is still ongoing.”
“Full mitigation against all the CVEs will require an updated UEFI revocation list (dbx) which, in at least some cases, will not allow Secure Boot with today’s boot artifacts,” continued Kiper.
Not all vendors may have shipped updates for the flaws just yet and more details are to follow once the coordinated disclosure process is complete.
Microsoft is expected to release an updated UEFI revocation file as a mitigation for the vulnerabilities.
Given the seriousness of BootHole vulnerability in GRUB, high severity vulnerabilities like the ones mentioned above should be patched as soon as possible.
Also Read: How To Prevent WhatsApp Hack: 7 Best Practices
Users are encouraged to keep an eye out for and apply vendor updates as soon as they become available.
0 Comments