[ASA-202106-43] grub: multiple issues
Jonas Witschel
diabonas at archlinux.org
Fri Jun 18 15:49:16 UTC 2021
Arch Linux Security Advisory ASA-202106-43
==========================================
Severity: Medium
Date : 2021-06-15
CVE-ID : CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
Package : grub
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-1629
Summary
=======
The package grub before version 2:2.06-1 is vulnerable to multiple
issues including access restriction bypass and arbitrary code
execution.
Resolution
==========
Upgrade to 2:2.06-1.
# pacman -Syu "grub>=2:2.06-1"
The problems have been fixed upstream in version 2.06.
Workaround
==========
None.
Description
===========
- CVE-2020-14372 (arbitrary code execution)
GRUB2 enables the use of the command acpi even when secure boot is
signaled by the firmware. An attacker with local root privileges can
drop a small SSDT in /boot/efi and modify grub.cfg to instruct grub to
load said SSDT. The SSDT then gets run by the kernel and it overwrites
the kernel lockdown configuration enabling the attacker to load
unsigned kernel modules and kexec unsigned code.
- CVE-2020-25632 (arbitrary code execution)
The rmmod implementation for grub2 is flawed, allowing an attacker to
unload a module used as a dependency without checking if any other
dependent module is still loaded. This leads to a use-after-free
scenario possibly allowing an attacker to execute arbitrary code and
by-pass Secure Boot protections.
- CVE-2020-25647 (arbitrary code execution)
grub_usb_device_initialize() is called to handle USB device
initialization. It reads out the descriptors it needs from the USB
device and uses that data to fill in some USB data structures.
grub_usb_device_initialize() performs very little bounds checking and
simply assumes the USB device provides sane values. This behavior can
trigger memory corruption. If properly exploited, this would lead to
arbitrary code execution allowing the attacker to bypass the Secure
Boot mechanism.
- CVE-2020-27749 (arbitrary code execution)
grub_parser_split_cmdline() expands variable names present in the
supplied command line in to their corresponding variable contents and
uses a 1kB stack buffer for temporary storage without sufficient bounds
checking. If the function is called with a command line that references
a variable with a sufficiently large payload, it is possible to
overflow the stack buffer, corrupt the stack frame and control
execution. An attacker may use this to circumvent Secure Boot
protections.
- CVE-2020-27779 (access restriction bypass)
The GRUB2's cutmem command does not honor Secure Boot locking. This
allows an privileged attacker to remove address ranges from memory
creating an opportunity to circumvent Secure Boot protections after
proper triage of grub's memory layout.
- CVE-2021-20225 (arbitrary code execution)
The option parser in GRUB2 allows an attacker to write past the end of
a heap-allocated buffer by calling certain commands with a large number
of specific short forms of options.
- CVE-2021-20233 (arbitrary code execution)
There's a flaw in GRUB2 menu rendering code setparam_prefix() in the
menu rendering code. It performs a length calculation under the
assumption that expressing a quoted single quote will require 3
characters, while it actually requires 4 characters. This allow an
attacker to corrupt memory by one byte for each quote in the input.
Impact
======
When secure boot is enabled, complete subversion of the integrity
prospects can be achieved through malicious use of existing commands,
side-loaded modules, command acpi, rmmod, variable referencing and
option parsers.
References
==========
https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e8e4c0549240fa209acffceb473e1e509b50c95
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=7630ec5397fe418276b360f9011934b8c034936c
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=128c16a682034263eb519c89bc0934eeb6fa8cfa
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=2a330dba93ff11bc00eda76e9419bc52b0c7ead6
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33
https://security.archlinux.org/CVE-2020-14372
https://security.archlinux.org/CVE-2020-25632
https://security.archlinux.org/CVE-2020-25647
https://security.archlinux.org/CVE-2020-27749
https://security.archlinux.org/CVE-2020-27779
https://security.archlinux.org/CVE-2021-20225
https://security.archlinux.org/CVE-2021-20233
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210618/0c6e6c0d/attachment.sig>
More information about the arch-security
mailing list