A long list of GRUB2 secure-boot holes

Category: IT Technology · Published: 4 years ago

Several vulnerabilities have been disclosed in the GRUB2 bootloader; they allow the UEFI Secure Boot mechanism to be circumvented and hostile software to be installed persistently. Fixing the problem is not just a matter of installing a new GRUB2, unfortunately: "It is important to note that updating the exploitable binaries does not in fact mitigate the CVE, since an attacker could bring an old, exploitable, signed copy of a grub binary onto a system with whatever kernel they wished to load. In order to mitigate, the UEFI Revocation List (dbx) must be updated on a system. Once the UEFI Revocation List is updated on a system, it will no longer boot binaries that pre-date these fixes. This includes old install media."
From : John Haxby <john.haxby-AT-oracle.com>
To : oss-security-AT-lists.openwall.com
Subject : [oss-security] multiple secure boot grub2 and linux kernel vulnerabilities
Date : Wed, 29 Jul 2020 17:57:44 +0100
Message-ID : <29B1C52A-3781-4893-BBB3-9345E98B83DC@oracle.com>
[This message expands slightly on the post to the distros list on 2020-07-20.]

Hello All,

There are several CVEs both in GRUB2 and the Linux kernel (details
below) that compromise UEFI Secure boot and kernel lockdown.

 * These bugs allow unsigned code to be booted and run on hardware
   configured to prevent that.

 * Affected vendors will be publishing fixed, re-signed shim, grub and
   kernels to allow systems to continue to boot post-mitigation.
   Details of exactly what is published will vary from vendor to
   vendor.

 * The actual mitigation is a UEFI Revocation List update that
   prevents exploitable binaries from loading. This list will be
   available from: https://uefi.org/revocationlistfile soon.  Vendors
   may also include this in an updated release of a dbxtool package.

 * In addition to the Microsoft Key Encryption Key (KEK)-signed UEFI
   Revocation List updates, hardware vendors may also issue their own
   updates signed with their own KEKs.  Again, this will vary from
   vendor to vendor.

Exploiting these flaws requires a significant level of access to a
system. The flaws would allow, for example, a nefarious kernel to hide
a rootkit or similar to be loaded onto a system that has UEFI Secure
Boot enabled. It is important to note that updating the exploitable
binaries does not in fact mitigate the CVE, since an attacker could
bring an old, exploitable, signed copy of a grub binary onto a system
with whatever kernel they wished to load. In order to mitigate, the
UEFI Revocation List (dbx) must be updated on a system. Once the UEFI
Revocation List is updated on a system, it will no longer boot
binaries that pre-date these fixes. This includes old install media.

Fully mitigating a system against these flaws should be done with the
clear understanding that old kernels and old install media will not
boot on a secure-boot system.

CVE details:

There are two kernel CVEs that are already public: CVE-2019-20908 and
CVE-2020-15780.  In addition there are the following GRUB2 CVEs:

CVE-2020-10713
    8.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    This is the original flaw discovered by Eclypsium, also known as
    "BootHole" and is described in Eclypsium's paper at
    https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

CVE-2020-14308
    6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
    grub2: grub_malloc does not validate allocation size allowing for
    arithmetic overflow and subsequent heap-based buffer overflow.

CVE-2020-14309
    5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
    grub2: Integer overflow in grub_squash_read_symlink may lead to
    heap based overflow.

CVE-2020-14310
    5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
    grub2: Integer overflow read_section_from_string may lead to heap
    based overflow.

CVE-2020-14311
    5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
    grub2: Integer overflow in grub_ext2_read_link leads to heap based
    buffer overflow.

CVE-2020-15705
    grub: avoid loading unsigned kernels when grub is booted directly
    under secureboot without shim
    6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-15706
    script: Avoid a use-after-free when redefining a function during
    execution
    6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-15707
    grub2: Integer overflow in initrd size handling.
    5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

jch
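The message above makes the point that the real mitigation is the dbx (UEFI Revocation List) update, not the re-signed binaries: an old, still validly signed grub is blocked only because its Authenticode hash (or its signing certificate) is listed in dbx, and the firmware consults dbx before db. The following is an added example written for this page, not code from the post or from any vendor's tooling. It parses the EFI_SIGNATURE_LIST format that db and dbx use (as exposed in efivarfs under /sys/firmware/efi/efivars/, where the file carries a 4-byte attribute prefix) and checks whether a given hash is revoked. The sample dbx blob, the hash values and the owner GUID are constructed for the test; they are not the real BootHole revocation entries published at uefi.org, and the hash that dbx matches is the PE Authenticode hash of the image, not a plain SHA-256 of the file on disk.

```python
"""Parse UEFI db/dbx signature lists and check whether an image hash is revoked.

Added example for this page; not part of the original post. The sample data
at the bottom is constructed and does not contain real BootHole dbx hashes.
"""
import hashlib
import struct
import uuid

# Well-known signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs path of the dbx variable (EFI_IMAGE_SECURITY_DATABASE_GUID).
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

ESL_HEADER = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_esl(data: bytes):
    """Return [(signature_type, owner, payload), ...] for a blob of
    concatenated EFI_SIGNATURE_LIST structures, validating every size field."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < ESL_HEADER + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize exceeds available data")
        if sig_size < 16:  # each EFI_SIGNATURE_DATA starts with a 16-byte SignatureOwner
            raise ValueError("SignatureSize smaller than the owner GUID")
        pos = off + ESL_HEADER + hdr_size
        end = off + list_size
        if (end - pos) % sig_size:
            raise ValueError("signature data is not a whole number of entries")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payloads) -> bytes:
    """Build one EFI_SIGNATURE_LIST with no SignatureHeader (used for test data).
    All payloads in one list must have the same length, as the format requires."""
    payloads = list(payloads)
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must be the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = sig_type.bytes_le + struct.pack("<III", ESL_HEADER + len(body), 0, sig_size)
    return header + body


def load_efivar(path: str = DBX_EFIVAR) -> bytes:
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def revoked_hashes(dbx: bytes):
    """Set of hex SHA-256 Authenticode hashes listed in dbx (certificate entries are skipped)."""
    return {payload.hex() for sig_type, _, payload in parse_esl(dbx)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(dbx: bytes, authenticode_sha256_hex: str) -> bool:
    return authenticode_sha256_hex.lower() in revoked_hashes(dbx)


def check_images(dbx: bytes, images):
    """Map image name -> 'revoked' / 'allowed' for (name, authenticode_hash) pairs.
    A valid signature is irrelevant here: a dbx hit denies the image regardless."""
    return {name: ("revoked" if is_revoked(dbx, h.hex()) else "allowed") for name, h in images}


# --- Constructed sample data (NOT real dbx content) -----------------------------
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")       # constructed owner GUID
OLD_GRUB_HASH = hashlib.sha256(b"constructed: pre-fix signed grub image").digest()
NEW_GRUB_HASH = hashlib.sha256(b"constructed: re-signed fixed grub image").digest()
CONSTRUCTED_DBX = (
    build_esl(EFI_CERT_SHA256_GUID, OWNER, [OLD_GRUB_HASH])
    + build_esl(EFI_CERT_X509_GUID, OWNER, [b"constructed DER certificate bytes"])
)

if __name__ == "__main__":
    print(check_images(CONSTRUCTED_DBX, [("old grub", OLD_GRUB_HASH), ("new grub", NEW_GRUB_HASH)]))
```

On a live system, `load_efivar()` with the default path reads the firmware's current dbx (root is needed), and `revoked_hashes()` on it tells you whether a hash you computed with an Authenticode-aware tool is blocked; a hash that is absent means a signed pre-fix binary would still boot, which is exactly the situation the post warns about.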
