[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 2 Mar 2021 18:13:44 +0000
From: John Haxby <john.haxby@...cle.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Multiple GRUB2 vulnerabilities
On 2021-02-23 we notified the distros list about multiple grub vulnerabilities. This is the formal announcement sent to grub-devel which explains in a little more detail what has been done.
jch
> Begin forwarded message:
>
> From: Daniel Kiper <daniel.kiper@...cle.com>
> Subject: [SECURITY PATCH 000/117] Multiple GRUB2 vulnerabilities - 2021/03/02 round
> Date: 2 March 2021 at 18:00:56 GMT
> To: grub-devel@....org
> [snip]
> Hi all,
>
> The BootHole vulnerability [1][2] announced last year encouraged many people to
> take a closer look at the security of boot process in general and the GRUB
> bootloader in particular. Due to that, during past few months we were getting
> reports of, and also discovering various security flaws in the GRUB ourselves.
> You can find the list of most severe ones which got CVEs assigned at the end of
> this message. The patch bundle fixing all these issues in the upstream GRUB
> contains 117 patches.
>
> In addition, we have been working on a generation number based revocation
> scheme termed UEFI Secure Boot Advanced Targeting (SBAT) [3]. This will require
> an UEFI dbx release and resigning all the artifacts -- shim, GRUB, kernel,
> etc. -- needed to boot the system. This is the same as we did for the BootHole
> series of vulnerabilities, but the SBAT work is designed to make this process
> much less painful in the future.
>
> Details of exactly what needs updating will be provided by the respective
> distros and vendors when updates become available. Here [4] we are listing at
> least some links to the messaging known at the time of this posting.
>
> It is important to know that shim and SBAT development is still ongoing.
>
> Full mitigation against all the CVEs will require an updated UEFI revocation
> list (dbx) which, in at least some cases, will not allow Secure Boot with
> today's boot artifacts. Vendor shims may explicitly permit known older boot
> artifacts to boot. At some stage, the dbx on new hardware will be updated.
>
> Updated GRUB2, shim and other boot artifacts from all the affected vendors will
> be made available when the embargo lifts or some time thereafter. An updated
> dbx from the various affected vendors will also ship, although possibly not at
> the same time. The new Microsoft dbx will be provided for download here [5].
>
> I am posting all the GRUB2 upstream patches which fixes all security bugs found
> and reported up until now. Major Linux distros carry or will carry soon one
> form or another of these patches. Now all the GRUB2 upstream patches are in
> the GRUB2 git repository [6] too.
>
[snip]
>
> Daniel
>
> [1] https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
>
> [2] https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
>
> [3] https://github.com/rhboot/shim/blob/main/SBAT.md
>
> [4] Canonical: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
> Debian: https://www.debian.org/security/2021-GRUB-UEFI-SecureBoot
> Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2021-003
> SUSE: https://www.suse.com/support/kb/doc/?id=000019892
>
> [5] https://uefi.org/revocationlistfile
>
> [6] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
> https://git.savannah.gnu.org/git/grub.git
>
> *******************************************************************************
>
> CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted
> ACPI tables when Secure Boot is enabled
> CWE-184
> 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
>
> GRUB2 enables the use of the command acpi even when Secure Boot is signaled by
> the firmware. An attacker with local root privileges to can drop a small SSDT
> in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT
> then gets run by the kernel and it overwrites the kernel lock down configuration
> enabling the attacker to load unsigned kernel modules and kexec unsigned code.
>
> Reported-by: Máté Kukri
>
> *******************************************************************************
>
> CVE-2020-25632 grub2: Use-after-free in rmmod command
> CWE-416
> 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
>
> The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload
> a module used as dependency without checking if any other dependent module is
> still loaded. This leads to an use-after-free scenario possibly allowing an
> attacker to execute arbitrary code and by-pass Secure Boot protections.
>
> Reported-by: Chris Coulson (Canonical)
>
> *******************************************************************************
>
> CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize()
> CWE-787
> 6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
>
> grub_usb_device_initialize() is called to handle USB device initialization. It
> reads out the descriptors it needs from the USB device and uses that data to
> fill in some USB data structures. grub_usb_device_initialize() performs very
> little bounds checking and simply assumes the USB device provides sane values.
> This behavior can trigger memory corruption. If properly exploited, this would
> lead to arbitrary code execution allowing the attacker to by-pass Secure Boot
> mechanism.
>
> Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive)
>
> *******************************************************************************
>
> CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline
> CWE-121
> 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
>
> grub_parser_split_cmdline() expands variable names present in the supplied
> command line in to their corresponding variable contents and uses a 1kB stack
> buffer for temporary storage without sufficient bounds checking. If the
> function is called with a command line that references a variable with a
> sufficiently large payload, it is possible to overflow the stack buffer,
> corrupt the stack frame and control execution. An attacker may use this to
> circumvent Secure Boot protections.
>
> Reported-by: Chris Coulson (Canonical)
>
> *******************************************************************************
>
> CVE-2020-27779 grub2: The cutmem command allows privileged user to remove
> memory regions when Secure Boot is enabled
> CWE-285
> 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
>
> The GRUB2's cutmem command does not honor Secure Boot locking. This allows an
> privileged attacker to remove address ranges from memory creating an
> opportunity to circumvent Secure Boot protections after proper triage about
> grub's memory layout.
>
> Reported-by: Teddy Reed
>
> *******************************************************************************
>
> CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705
> CWE-281
> 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
>
> The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro
> specific flaw which made upstream in the mentioned version.
>
> If certificates that signed GRUB2 are installed into db, GRUB2 can be booted
> directly. It will then boot any kernel without signature validation. The booted
> kernel will think it was booted in Secure Boot mode and will implement lock
> down, yet it could have been tampered.
>
> This flaw only affects upstream and distributions using the shim_lock verifier.
>
> Reported-by: Dimitri John Ledkov (Canonical)
>
> *******************************************************************************
>
> CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
> CWE-787
> 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
>
> The option parser in GRUB2 allows an attacker to write past the end of
> a heap-allocated buffer by calling certain commands with a large number
> of specific short forms of options.
>
> Reported-by: Daniel Axtens (IBM)
>
> *******************************************************************************
>
> CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of
> space required for quoting
> CWE-787
> 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
>
> There's a flaw on GRUB2 menu rendering code setparam_prefix() in the menu
> rendering code performs a length calculation on the assumption that expressing
> a quoted single quote will require 3 characters, while it actually requires
> 4 characters. This allow an attacker to corrupt memory by one byte for each
> quote in the input.
>
> Reported-by: Daniel Axtens (IBM)
>
> *******************************************************************************
>
> acinclude.m4 | 38 ++-
> bootstrap.conf | 3 +-
> conf/Makefile.common | 2 +
> conf/Makefile.extra-dist | 5 +
> configure.ac | 44 ++-
> docs/grub-dev.texi | 27 ++
> docs/grub.texi | 106 +++++--
> grub-core/Makefile.am | 7 +-
> grub-core/Makefile.core.def | 14 +-
> grub-core/bus/usb/usb.c | 15 +-
> grub-core/commands/acpi.c | 15 +-
> grub-core/commands/efi/loadbios.c | 16 +-
> grub-core/commands/efi/shim_lock.c | 133 ---------
> grub-core/commands/extcmd.c | 23 ++
> grub-core/commands/hashsum.c | 15 +-
> grub-core/commands/hdparm.c | 6 +-
> grub-core/commands/i386/wrmsr.c | 5 +-
> grub-core/commands/iorw.c | 19 +-
> grub-core/commands/ls.c | 2 +-
> grub-core/commands/memrw.c | 19 +-
> grub-core/commands/menuentry.c | 2 +-
> grub-core/commands/minicmd.c | 7 +-
> grub-core/commands/probe.c | 6 +-
> grub-core/commands/setpci.c | 8 +-
> grub-core/disk/cryptodisk.c | 8 +-
> grub-core/disk/ldm.c | 62 +++-
> grub-core/disk/lvm.c | 101 ++++++-
> grub-core/fs/affs.c | 18 +-
> grub-core/fs/btrfs.c | 7 +-
> grub-core/fs/fshelp.c | 12 +
> grub-core/fs/hfs.c | 7 +-
> grub-core/fs/hfsplus.c | 27 ++
> grub-core/fs/jfs.c | 19 +-
> grub-core/fs/nilfs2.c | 56 ++--
> grub-core/fs/sfs.c | 9 +-
> grub-core/fs/zfs/zfs.c | 43 ++-
> grub-core/fs/zfs/zfsinfo.c | 4 +-
> grub-core/gdb/gdb.c | 32 ++-
> grub-core/gfxmenu/gui_label.c | 4 +
> grub-core/gfxmenu/gui_list.c | 2 +-
> grub-core/gfxmenu/gui_progress_bar.c | 3 +
> grub-core/io/gzio.c | 44 ++-
> grub-core/io/lzopio.c | 4 -
> grub-core/kern/buffer.c | 117 ++++++++
> grub-core/kern/command.c | 24 ++
> grub-core/kern/dl.c | 9 +
> grub-core/kern/efi/efi.c | 1 +
> grub-core/kern/efi/init.c | 66 +++++
> grub-core/kern/efi/mm.c | 19 +-
> grub-core/kern/efi/sb.c | 79 +++++
> grub-core/kern/lockdown.c | 84 ++++++
> grub-core/kern/main.c | 4 +
> grub-core/kern/misc.c | 110 ++++++-
> grub-core/kern/mm.c | 2 +-
> grub-core/kern/parser.c | 203 ++++++++-----
> grub-core/kern/partition.c | 5 +-
> grub-core/{commands => kern}/verifiers.c | 8 +-
> grub-core/lib/arg.c | 13 +
> .../lib/gnulib-patches/fix-null-state-deref.patch | 12 +
> .../gnulib-patches/fix-regcomp-uninit-token.patch | 15 +
> .../gnulib-patches/fix-regexec-null-deref.patch | 12 +
> .../lib/gnulib-patches/fix-uninit-structure.patch | 11 +
> .../lib/gnulib-patches/fix-unused-value.patch | 14 +
> grub-core/lib/libgcrypt/mpi/mpicoder.c | 5 +-
> grub-core/lib/syslinux_parse.c | 6 +-
> grub-core/lib/zstd/zstd_decompress.c | 2 +-
> grub-core/loader/arm/linux.c | 6 +-
> grub-core/loader/efi/fdt.c | 4 +-
> grub-core/loader/i386/bsd.c | 4 +-
> grub-core/loader/xnu.c | 65 +++--
> grub-core/mmap/mmap.c | 15 +-
> grub-core/net/net.c | 9 +-
> grub-core/net/tftp.c | 1 +
> grub-core/normal/completion.c | 10 +-
> grub-core/script/execute.c | 7 +-
> grub-core/term/gfxterm.c | 9 +
> grub-core/video/efi_gop.c | 25 +-
> grub-core/video/fb/fbfill.c | 17 +-
> grub-core/video/fb/video_fb.c | 60 ++--
> grub-core/video/readers/jpeg.c | 26 ++
> include/grub/buffer.h | 144 ++++++++++
> include/grub/command.h | 5 +
> include/grub/dl.h | 8 +-
> include/grub/efi/api.h | 19 ++
> include/grub/efi/sb.h | 3 +
> include/grub/extcmd.h | 7 +
> include/grub/hfsplus.h | 2 +
> include/grub/kernel.h | 3 +-
> include/grub/lockdown.h | 44 +++
> include/grub/misc.h | 16 ++
> include/grub/stack_protector.h | 30 ++
> include/grub/usb.h | 10 +-
> include/grub/util/install.h | 11 +-
> include/grub/util/mkimage.h | 1 +
> include/grub/verify.h | 9 +-
> util/glue-efi.c | 14 +-
> util/grub-editenv.c | 8 +-
> util/grub-install-common.c | 22 +-
> util/grub-install.c | 4 +
> util/grub-mkimage.c | 21 +-
> util/grub.d/30_os-prober.in | 5 +-
> util/mkimage.c | 317 +++++++++++----------
> 102 files changed, 2115 insertions(+), 666 deletions(-)
>
> Alex Burmashev (1):
> templates: Disable the os-prober by default
>
> Chris Coulson (8):
> commands/hashsum: Fix a memory leak
> kern/parser: Fix a memory leak
> kern/parser: Introduce process_char() helper
> kern/parser: Introduce terminate_arg() helper
> kern/parser: Refactor grub_parser_split_cmdline() cleanup
> kern/buffer: Add variable sized heap buffer
> kern/parser: Fix a stack buffer overflow
> kern/efi: Add initial stack protector implementation
>
> Daniel Axtens (35):
> script/execute: Fix NULL dereference in grub_script_execute_cmdline()
> commands/ls: Require device_name is not NULL before printing
> script/execute: Avoid crash when using "$#" outside a function scope
> lib/arg: Block repeated short options that require an argument
> script/execute: Don't crash on a "for" loop with no items
> commands/menuentry: Fix quoting in setparams_prefix()
> kern/misc: Always set *end in grub_strtoull()
> video/readers/jpeg: Catch files with unsupported quantization or Huffman tables
> video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
> video/readers/jpeg: Don't decode data before start of stream
> term/gfxterm: Don't set up a font with glyphs that are too big
> fs/fshelp: Catch impermissibly large block sizes in read helper
> fs/hfsplus: Don't fetch a key beyond the end of the node
> fs/hfsplus: Don't use uninitialized data on corrupt filesystems
> fs/hfs: Disable under lockdown
> fs/sfs: Fix over-read of root object name
> fs/jfs: Do not move to leaf level if name length is negative
> fs/jfs: Limit the extents that getblk() can consider
> fs/jfs: Catch infinite recursion
> fs/nilfs2: Reject too-large keys
> fs/nilfs2: Don't search children if provided number is too large
> fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
> io/gzio: Bail if gzio->tl/td is NULL
> io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
> io/gzio: Catch missing values in huft_build() and bail
> io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails
> disk/lvm: Don't go beyond the end of the data we read from disk
> disk/lvm: Don't blast past the end of the circular metadata buffer
> disk/lvm: Bail on missing PV list
> disk/lvm: Do not crash if an expected string is not found
> disk/lvm: Do not overread metadata
> disk/lvm: Sanitize rlocn->offset to prevent wild read
> disk/lvm: Do not allow a LV to be it's own segment's node's LV
> fs/btrfs: Validate the number of stripes/parities in RAID5/6
> fs/btrfs: Squash some uninitialized reads
>
> Daniel Kiper (1):
> util/grub-install: Fix NULL pointer dereferences
>
> Darren Kenny (36):
> mmap: Fix memory leak when iterating over mapped memory
> net/net: Fix possible dereference to of a NULL pointer
> net/tftp: Fix dangling memory pointer
> kern/parser: Fix resource leak if argc == 0
> kern/efi: Fix memory leak on failure
> kern/efi/mm: Fix possible NULL pointer dereference
> gnulib/regexec: Resolve unused variable
> gnulib/regcomp: Fix uninitialized token structure
> gnulib/argp-help: Fix dereference of a possibly NULL state
> gnulib/regexec: Fix possible null-dereference
> gnulib/regcomp: Fix uninitialized re_token
> io/lzopio: Resolve unnecessary self-assignment errors
> zstd: Initialize seq_t structure fully
> kern/partition: Check for NULL before dereferencing input string
> disk/ldm: Fix memory leak on uninserted lv references
> disk/cryptodisk: Fix potential integer overflow
> hfsplus: Check that the volume name length is valid
> zfs: Fix possible negative shift operation
> zfs: Fix possible integer overflows
> zfsinfo: Correct a check for error allocating memory
> affs: Fix memory leaks
> libgcrypt/mpi: Fix possible unintended sign extension
> libgcrypt/mpi: Fix possible NULL dereference
> syslinux: Fix memory leak while parsing
> normal/completion: Fix leaking of memory when processing a completion
> commands/probe: Fix a resource leak when probing disks
> video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info()
> video/fb/fbfill: Fix potential integer overflow
> video/fb/video_fb: Fix multiple integer overflows
> video/fb/video_fb: Fix possible integer overflow
> video/readers/jpeg: Test for an invalid next marker reference from a jpeg file
> gfxmenu/gui_list: Remove code that coverity is flagging as dead
> loader/bsd: Check for NULL arg up-front
> loader/xnu: Fix memory leak
> util/grub-editenv: Fix incorrect casting of a signed value
> util/glue-efi: Fix incorrect use of a possibly negative value
>
> Dimitri John Ledkov (2):
> grub-install-common: Add --sbat option
> shim_lock: Only skip loading shim_lock verifier with explicit consent
>
> Javier Martinez Canillas (15):
> kern: Add lockdown support
> kern/lockdown: Set a variable if the GRUB is locked down
> efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
> efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list
> acpi: Don't register the acpi command when locked down
> mmap: Don't register cutmem and badram commands when lockdown is enforced
> commands: Restrict commands that can load BIOS or DT blobs when locked down
> commands/setpci: Restrict setpci command when locked down
> commands/hdparm: Restrict hdparm command when locked down
> gdb: Restrict GDB access when locked down
> loader/xnu: Don't allow loading extension and packages when locked down
> docs: Document the cutmem command
> dl: Only allow unloading modules that are not dependencies
> usb: Avoid possible out-of-bound accesses caused by malicious devices
> util/mkimage: Remove unused code to add BSS section
>
> Marco A Benatto (5):
> verifiers: Move verifiers API to kernel image
> efi: Move the shim_lock verifier to the GRUB core
> disk/ldm: Make sure comp data is freed before exiting from make_vg()
> loader/xnu: Free driverkey data when an error is detected in grub_xnu_writetree_toheap()
> kern/mm: Fix grub_debug_calloc() compilation error
>
> Paulo Flabiano Smorigo (3):
> disk/ldm: If failed then free vg variable too
> zfs: Fix resource leaks while constructing path
> loader/xnu: Check if pointer is NULL before using it
>
> Peter Jones (7):
> util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32()
> util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff
> util/mkimage: Unify more of the PE32 and PE32+ header set-up
> util/mkimage: Reorder PE optional header fields set-up
> util/mkimage: Improve data_size value calculation
> util/mkimage: Refactor section setup to use a helper
> util/mkimage: Add an option to import SBAT metadata into a .sbat section
>
> Thomas Frauendorfer | Miray Software (4):
> kern/misc: Split parse_printf_args() into format parsing and va_list handling
> kern/misc: Add STRING type for internal printf() format handling
> kern/misc: Add function to check printf() format against expected format
> gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
