==================================================================== CERT-Renater Note d'Information No. 2021/VULN135 _____________________________________________________________________ DATE : 04/03/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running GRUB2. ===================================================================== https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html _____________________________________________________________________ Hi all, The BootHole vulnerability [1][2] announced last year encouraged many people to take a closer look at the security of boot process in general and the GRUB bootloader in particular. Due to that, during past few months we were getting reports of, and also discovering various security flaws in the GRUB ourselves. You can find the list of most severe ones which got CVEs assigned at the end of this message. The patch bundle fixing all these issues in the upstream GRUB contains 117 patches. In addition, we have been working on a generation number based revocation scheme termed UEFI Secure Boot Advanced Targeting (SBAT) [3]. This will require an UEFI dbx release and resigning all the artifacts -- shim, GRUB, kernel, etc. -- needed to boot the system. This is the same as we did for the BootHole series of vulnerabilities, but the SBAT work is designed to make this process much less painful in the future. Details of exactly what needs updating will be provided by the respective distros and vendors when updates become available. Here [4] we are listing at least some links to the messaging known at the time of this posting. It is important to know that shim and SBAT development is still ongoing. Full mitigation against all the CVEs will require an updated UEFI revocation list (dbx) which, in at least some cases, will not allow Secure Boot with today's boot artifacts. Vendor shims may explicitly permit known older boot artifacts to boot. At some stage, the dbx on new hardware will be updated. Updated GRUB2, shim and other boot artifacts from all the affected vendors will be made available when the embargo lifts or some time thereafter. An updated dbx from the various affected vendors will also ship, although possibly not at the same time. The new Microsoft dbx will be provided for download here [5]. I am posting all the GRUB2 upstream patches which fixes all security bugs found and reported up until now. Major Linux distros carry or will carry soon one form or another of these patches. Now all the GRUB2 upstream patches are in the GRUB2 git repository [6] too. In particular I would like to thank, in alphabetical order, the following people who were working really hard on the GRUB, shim and other things related to these issues: - Alexander Burmashev (Oracle), - Chris Co (Microsoft), - Chris Coulson (Canonical), - Cliff Perry (Red Hat), - Colin Watson (Debian), - D. Jared Dominguez (Red Hat), - Daniel Axtens (IBM), - Darren Kenny (Oracle), - Dimitri John Ledkov (Canonical), - Eric Snowberg (Oracle), - Ilja Van Sprundel (IOActive), - Ilya Okomin (Oracle), - Jan Setje-Eilers (Oracle), - Javier Martinez Canillas (Red Hat), - Jeremiah Cox (Microsoft), - John Haxby (Oracle), - Jordan Geurten (Microsoft), - Joseph Tartaro (IOActive), - Julian Andres Klode (Canonical), - Marco A Benatto (Red Hat), - Mario Limonciello (Dell), - Mathieu Trudel-Lapierre (Stack8), - Matthew Garrett (Google), - Máté Kukri, - Noam Rathaus (SSD Secure Disclosure), - NyankoSec (SSD Secure Disclosure), - Paulo Flabiano Smorigo (Canonical), - Peter Jones (Red Hat), - Richard Hughes (Red Hat), - Sarah Jacobus (Microsoft), - Steve McIntyre (Debian), - Teddy Reed, - Thomas Frauendorfer (Miray Software), - Ulrich Bauer (Miray Software), - Yves-Alexis Perez (Debian). We would not be able to succeed without all your hard work. It was very big pleasure to work with you all. Thank you! Daniel [1] https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html [2] https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ [3] https://github.com/rhboot/shim/blob/main/SBAT.md [4] Canonical: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021 Debian: https://www.debian.org/security/2021-GRUB-UEFI-SecureBoot Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2021-003 SUSE: https://www.suse.com/support/kb/doc/?id=000019892 [5] https://uefi.org/revocationlistfile [6] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository https://git.savannah.gnu.org/git/grub.git ******************************************************************************* CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted ACPI tables when Secure Boot is enabled CWE-184 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H GRUB2 enables the use of the command acpi even when Secure Boot is signaled by the firmware. An attacker with local root privileges to can drop a small SSDT in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT then gets run by the kernel and it overwrites the kernel lock down configuration enabling the attacker to load unsigned kernel modules and kexec unsigned code. Reported-by: Máté Kukri ******************************************************************************* CVE-2020-25632 grub2: Use-after-free in rmmod command CWE-416 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload a module used as dependency without checking if any other dependent module is still loaded. This leads to an use-after-free scenario possibly allowing an attacker to execute arbitrary code and by- pass Secure Boot protections. Reported-by: Chris Coulson (Canonical) ******************************************************************************* CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize() CWE-787 6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H grub_usb_device_initialize() is called to handle USB device initialization. It reads out the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption. If properly exploited, this would lead to arbitrary code execution allowing the attacker to by-pass Secure Boot mechanism. Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive) ******************************************************************************* CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline CWE-121 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H grub_parser_split_cmdline() expands variable names present in the supplied command line in to their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution. An attacker may use this to circumvent Secure Boot protections. Reported-by: Chris Coulson (Canonical) ******************************************************************************* CVE-2020-27779 grub2: The cutmem command allows privileged user to remove memory regions when Secure Boot is enabled CWE-285 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H The GRUB2's cutmem command does not honor Secure Boot locking. This allows an privileged attacker to remove address ranges from memory creating an opportunity to circumvent Secure Boot protections after proper triage about grub's memory layout. Reported-by: Teddy Reed ******************************************************************************* CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705 CWE-281 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro specific flaw which made upstream in the mentioned version. If certificates that signed GRUB2 are installed into db, GRUB2 can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in Secure Boot mode and will implement lock down, yet it could have been tampered. This flaw only affects upstream and distributions using the shim_lock verifier. Reported-by: Dimitri John Ledkov (Canonical) ******************************************************************************* CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser CWE-787 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H The option parser in GRUB2 allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. Reported-by: Daniel Axtens (IBM) ******************************************************************************* CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of space required for quoting CWE-787 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H There's a flaw on GRUB2 menu rendering code setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters. This allow an attacker to corrupt memory by one byte for each quote in the input. Reported-by: Daniel Axtens (IBM) ******************************************************************************* acinclude.m4 | 38 ++- bootstrap.conf | 3 +- conf/Makefile.common | 2 + conf/Makefile.extra-dist | 5 + configure.ac | 44 ++- docs/grub-dev.texi | 27 ++ docs/grub.texi | 106 +++++-- grub-core/Makefile.am | 7 +- grub-core/Makefile.core.def | 14 +- grub-core/bus/usb/usb.c | 15 +- grub-core/commands/acpi.c | 15 +- grub-core/commands/efi/loadbios.c | 16 +- grub-core/commands/efi/shim_lock.c | 133 --------- grub-core/commands/extcmd.c | 23 ++ grub-core/commands/hashsum.c | 15 +- grub-core/commands/hdparm.c | 6 +- grub-core/commands/i386/wrmsr.c | 5 +- grub-core/commands/iorw.c | 19 +- grub-core/commands/ls.c | 2 +- grub-core/commands/memrw.c | 19 +- grub-core/commands/menuentry.c | 2 +- grub-core/commands/minicmd.c | 7 +- grub-core/commands/probe.c | 6 +- grub-core/commands/setpci.c | 8 +- grub-core/disk/cryptodisk.c | 8 +- grub-core/disk/ldm.c | 62 +++- grub-core/disk/lvm.c | 101 ++++++- grub-core/fs/affs.c | 18 +- grub-core/fs/btrfs.c | 7 +- grub-core/fs/fshelp.c | 12 + grub-core/fs/hfs.c | 7 +- grub-core/fs/hfsplus.c | 27 ++ grub-core/fs/jfs.c | 19 +- grub-core/fs/nilfs2.c | 56 ++-- grub-core/fs/sfs.c | 9 +- grub-core/fs/zfs/zfs.c | 43 ++- grub-core/fs/zfs/zfsinfo.c | 4 +- grub-core/gdb/gdb.c | 32 ++- grub-core/gfxmenu/gui_label.c | 4 + grub-core/gfxmenu/gui_list.c | 2 +- grub-core/gfxmenu/gui_progress_bar.c | 3 + grub-core/io/gzio.c | 44 ++- grub-core/io/lzopio.c | 4 - grub-core/kern/buffer.c | 117 ++++++++ grub-core/kern/command.c | 24 ++ grub-core/kern/dl.c | 9 + grub-core/kern/efi/efi.c | 1 + grub-core/kern/efi/init.c | 66 +++++ grub-core/kern/efi/mm.c | 19 +- grub-core/kern/efi/sb.c | 79 +++++ grub-core/kern/lockdown.c | 84 ++++++ grub-core/kern/main.c | 4 + grub-core/kern/misc.c | 110 ++++++- grub-core/kern/mm.c | 2 +- grub-core/kern/parser.c | 203 ++++++++----- grub-core/kern/partition.c | 5 +- grub-core/{commands => kern}/verifiers.c | 8 +- grub-core/lib/arg.c | 13 + .../lib/gnulib-patches/fix-null-state-deref.patch | 12 + .../gnulib-patches/fix-regcomp-uninit-token.patch | 15 + .../gnulib-patches/fix-regexec-null-deref.patch | 12 + .../lib/gnulib-patches/fix-uninit-structure.patch | 11 + .../lib/gnulib-patches/fix-unused-value.patch | 14 + grub-core/lib/libgcrypt/mpi/mpicoder.c | 5 +- grub-core/lib/syslinux_parse.c | 6 +- grub-core/lib/zstd/zstd_decompress.c | 2 +- grub-core/loader/arm/linux.c | 6 +- grub-core/loader/efi/fdt.c | 4 +- grub-core/loader/i386/bsd.c | 4 +- grub-core/loader/xnu.c | 65 +++-- grub-core/mmap/mmap.c | 15 +- grub-core/net/net.c | 9 +- grub-core/net/tftp.c | 1 + grub-core/normal/completion.c | 10 +- grub-core/script/execute.c | 7 +- grub-core/term/gfxterm.c | 9 + grub-core/video/efi_gop.c | 25 +- grub-core/video/fb/fbfill.c | 17 +- grub-core/video/fb/video_fb.c | 60 ++-- grub-core/video/readers/jpeg.c | 26 ++ include/grub/buffer.h | 144 ++++++++++ include/grub/command.h | 5 + include/grub/dl.h | 8 +- include/grub/efi/api.h | 19 ++ include/grub/efi/sb.h | 3 + include/grub/extcmd.h | 7 + include/grub/hfsplus.h | 2 + include/grub/kernel.h | 3 +- include/grub/lockdown.h | 44 +++ include/grub/misc.h | 16 ++ include/grub/stack_protector.h | 30 ++ include/grub/usb.h | 10 +- include/grub/util/install.h | 11 +- include/grub/util/mkimage.h | 1 + include/grub/verify.h | 9 +- util/glue-efi.c | 14 +- util/grub-editenv.c | 8 +- util/grub-install-common.c | 22 +- util/grub-install.c | 4 + util/grub-mkimage.c | 21 +- util/grub.d/30_os-prober.in | 5 +- util/mkimage.c | 317 +++++++++++---------- 102 files changed, 2115 insertions(+), 666 deletions(-) Alex Burmashev (1): templates: Disable the os-prober by default Chris Coulson (8): commands/hashsum: Fix a memory leak kern/parser: Fix a memory leak kern/parser: Introduce process_char() helper kern/parser: Introduce terminate_arg() helper kern/parser: Refactor grub_parser_split_cmdline() cleanup kern/buffer: Add variable sized heap buffer kern/parser: Fix a stack buffer overflow kern/efi: Add initial stack protector implementation Daniel Axtens (35): script/execute: Fix NULL dereference in grub_script_execute_cmdline() commands/ls: Require device_name is not NULL before printing script/execute: Avoid crash when using "$#" outside a function scope lib/arg: Block repeated short options that require an argument script/execute: Don't crash on a "for" loop with no items commands/menuentry: Fix quoting in setparams_prefix() kern/misc: Always set *end in grub_strtoull() video/readers/jpeg: Catch files with unsupported quantization or Huffman tables video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du() video/readers/jpeg: Don't decode data before start of stream term/gfxterm: Don't set up a font with glyphs that are too big fs/fshelp: Catch impermissibly large block sizes in read helper fs/hfsplus: Don't fetch a key beyond the end of the node fs/hfsplus: Don't use uninitialized data on corrupt filesystems fs/hfs: Disable under lockdown fs/sfs: Fix over-read of root object name fs/jfs: Do not move to leaf level if name length is negative fs/jfs: Limit the extents that getblk() can consider fs/jfs: Catch infinite recursion fs/nilfs2: Reject too-large keys fs/nilfs2: Don't search children if provided number is too large fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup() io/gzio: Bail if gzio->tl/td is NULL io/gzio: Add init_dynamic_block() clean up if unpacking codes fails io/gzio: Catch missing values in huft_build() and bail io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails disk/lvm: Don't go beyond the end of the data we read from disk disk/lvm: Don't blast past the end of the circular metadata buffer disk/lvm: Bail on missing PV list disk/lvm: Do not crash if an expected string is not found disk/lvm: Do not overread metadata disk/lvm: Sanitize rlocn->offset to prevent wild read disk/lvm: Do not allow a LV to be it's own segment's node's LV fs/btrfs: Validate the number of stripes/parities in RAID5/6 fs/btrfs: Squash some uninitialized reads Daniel Kiper (1): util/grub-install: Fix NULL pointer dereferences Darren Kenny (36): mmap: Fix memory leak when iterating over mapped memory net/net: Fix possible dereference to of a NULL pointer net/tftp: Fix dangling memory pointer kern/parser: Fix resource leak if argc == 0 kern/efi: Fix memory leak on failure kern/efi/mm: Fix possible NULL pointer dereference gnulib/regexec: Resolve unused variable gnulib/regcomp: Fix uninitialized token structure gnulib/argp-help: Fix dereference of a possibly NULL state gnulib/regexec: Fix possible null-dereference gnulib/regcomp: Fix uninitialized re_token io/lzopio: Resolve unnecessary self-assignment errors zstd: Initialize seq_t structure fully kern/partition: Check for NULL before dereferencing input string disk/ldm: Fix memory leak on uninserted lv references disk/cryptodisk: Fix potential integer overflow hfsplus: Check that the volume name length is valid zfs: Fix possible negative shift operation zfs: Fix possible integer overflows zfsinfo: Correct a check for error allocating memory affs: Fix memory leaks libgcrypt/mpi: Fix possible unintended sign extension libgcrypt/mpi: Fix possible NULL dereference syslinux: Fix memory leak while parsing normal/completion: Fix leaking of memory when processing a completion commands/probe: Fix a resource leak when probing disks video/efi_gop: Remove unnecessary return value of grub_video_gop_fill_mode_info() video/fb/fbfill: Fix potential integer overflow video/fb/video_fb: Fix multiple integer overflows video/fb/video_fb: Fix possible integer overflow video/readers/jpeg: Test for an invalid next marker reference from a jpeg file gfxmenu/gui_list: Remove code that coverity is flagging as dead loader/bsd: Check for NULL arg up-front loader/xnu: Fix memory leak util/grub-editenv: Fix incorrect casting of a signed value util/glue-efi: Fix incorrect use of a possibly negative value Dimitri John Ledkov (2): grub-install-common: Add --sbat option shim_lock: Only skip loading shim_lock verifier with explicit consent Javier Martinez Canillas (15): kern: Add lockdown support kern/lockdown: Set a variable if the GRUB is locked down efi: Lockdown the GRUB when the UEFI Secure Boot is enabled efi: Use grub_is_lockdown() instead of hardcoding a disabled modules list acpi: Don't register the acpi command when locked down mmap: Don't register cutmem and badram commands when lockdown is enforced commands: Restrict commands that can load BIOS or DT blobs when locked down commands/setpci: Restrict setpci command when locked down commands/hdparm: Restrict hdparm command when locked down gdb: Restrict GDB access when locked down loader/xnu: Don't allow loading extension and packages when locked down docs: Document the cutmem command dl: Only allow unloading modules that are not dependencies usb: Avoid possible out-of-bound accesses caused by malicious devices util/mkimage: Remove unused code to add BSS section Marco A Benatto (5): verifiers: Move verifiers API to kernel image efi: Move the shim_lock verifier to the GRUB core disk/ldm: Make sure comp data is freed before exiting from make_vg() loader/xnu: Free driverkey data when an error is detected in grub_xnu_writetree_toheap() kern/mm: Fix grub_debug_calloc() compilation error Paulo Flabiano Smorigo (3): disk/ldm: If failed then free vg variable too zfs: Fix resource leaks while constructing path loader/xnu: Check if pointer is NULL before using it Peter Jones (7): util/mkimage: Use grub_host_to_target32() instead of grub_cpu_to_le32() util/mkimage: Always use grub_host_to_target32() to initialize PE stack and heap stuff util/mkimage: Unify more of the PE32 and PE32+ header set-up util/mkimage: Reorder PE optional header fields set-up util/mkimage: Improve data_size value calculation util/mkimage: Refactor section setup to use a helper util/mkimage: Add an option to import SBAT metadata into a .sbat section Thomas Frauendorfer | Miray Software (4): kern/misc: Split parse_printf_args() into format parsing and va_list handling kern/misc: Add STRING type for internal printf() format handling kern/misc: Add function to check printf() format against expected format gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================