A new set of security flaws affecting the GRUB2 bootloader used in numerous Linux-based operating systems was recently disclosed, and patches are now starting to arrive for popular distros.
Remember last year’s BootHole security vulnerabilities? Well, it looks like no fewer than eight (8) new security flaws were discovered in the GRUB2 bootloader that allow attackers to bypass UEFI Secure Boot, and they affect almost all GNU/Linux distributions using GRUB2 versions prior to 2.06.
These include CVE-2020-14372, a flaw in the acpi command that allows a privileged user to load crafted ACPI tables when Secure Boot is enabled. An attacker with local root privileges can drop a small SSDT in /boot/efi and modify grub.cfg to instruct GRUB to load it; the kernel then executes the SSDT, which overwrites the kernel lockdown configuration, enabling the attacker to load unsigned kernel modules and kexec unsigned code. Note that root is required to begin with: the point of these flaws is that Secure Boot and kernel lockdown are supposed to stop even root from running unsigned code at ring 0, and they no longer do.
Also discovered were CVE-2020-25632, a use-after-free flaw in the rmmod command, which unloads a module that another loaded module still depends on; CVE-2021-20233, a heap out-of-bounds write in the menu rendering code, which budgets three bytes for a quoted single quote when four are needed and thus allows an attacker to corrupt memory by one byte for each quote in the input; CVE-2020-27779, a flaw in the cutmem command that allows a privileged user to remove memory regions and thereby disable Secure Boot protections; and CVE-2021-20225, a flaw in the option parser that allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options.
CVE-2020-27749 was fixed as well, a stack buffer overflow in grub_parser_split_cmdline that could allow an attacker to circumvent Secure Boot protections. Same goes for CVE-2020-25647, an out-of-bounds write in the GRUB2 USB module triggered by crafted descriptors from a malicious USB device, which could allow arbitrary code execution when Secure Boot is enabled, and CVE-2021-3418, a flaw that made GRUB2 fail to validate kernel signatures when booted directly without shim, thus allowing attackers to bypass Secure Boot.
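To make the “corrupt memory by one byte for each quote in the input” bug class concrete (this is the quoting miscalculation fixed as CVE-2021-20233), here is an added example written for this article; it is not GRUB2 source code and the function names are my own. It models a buffer-size calculation that budgets three bytes for a single quote that must be written as the four-byte sequence `'\''`, next to the correct calculation, and a quoting routine that computes the real bound and refuses to write rather than overflow:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not GRUB2 code. Inside a single-quoted string a literal '
 * has to be written as the four bytes '\'' . A length calculation that
 * budgets only three bytes per quote under-allocates by exactly one byte
 * for every quote in the input, which is the bug class described above. */

/* Count single quotes in s. */
static size_t count_quotes(const char *s)
{
    size_t q = 0;
    for (; *s; s++)
        if (*s == '\'')
            q++;
    return q;
}

/* Buggy bound (hypothetical reconstruction of the miscalculation):
 * 2 outer quotes + each quote as 3 bytes (2 extra) + NUL. */
size_t quoted_len_buggy(const char *s)
{
    return 2 + strlen(s) + 2 * count_quotes(s) + 1;
}

/* Correct bound: 2 outer quotes + each quote as 4 bytes (3 extra) + NUL. */
size_t quoted_len_correct(const char *s)
{
    return 2 + strlen(s) + 3 * count_quotes(s) + 1;
}

/* Bytes the buggy allocation is short by for input s: one per quote. */
size_t shortfall(const char *s)
{
    return quoted_len_correct(s) - quoted_len_buggy(s);
}

/* Write the single-quoted form of s into out (cap bytes, NUL included).
 * Returns bytes written excluding the NUL, or -1 if cap is too small.
 * The fix is the up-front bound check: the writer computes the real size
 * itself and never trusts a caller-supplied estimate. */
int quote_string(const char *s, char *out, size_t cap)
{
    size_t need = quoted_len_correct(s);
    if (cap < need)
        return -1;

    size_t i = 0;
    out[i++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            memcpy(out + i, "'\\''", 4);   /* ' -> '\'' */
            i += 4;
        } else {
            out[i++] = *s;
        }
    }
    out[i++] = '\'';
    out[i] = '\0';
    return (int)i;
}

int main(void)
{
    /* Constructed inputs: 0, 1, 2 and 4 embedded single quotes. */
    const char *inputs[] = { "plain", "it's", "a'b'c", "''''" };

    for (size_t k = 0; k < sizeof inputs / sizeof *inputs; k++) {
        char buf[64];
        int n = quote_string(inputs[k], buf, sizeof buf);
        printf("%-6s buggy=%2zu correct=%2zu short by %zu -> %s (%d bytes)\n",
               inputs[k], quoted_len_buggy(inputs[k]),
               quoted_len_correct(inputs[k]), shortfall(inputs[k]), buf, n);
    }
    return 0;
}
```

Running it shows the shortfall growing by one byte per quote; a menu entry or parameter value under attacker control simply needs enough quotes to turn that off-by-one into a controlled heap overwrite, which is why the fix is in the bound calculation and not in the copy loop.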
Patches for these new GRUB2 security vulnerabilities have started rolling out to popular GNU/Linux distributions, including Debian GNU/Linux, which appears to be among the first to get the fixes for its Debian GNU/Linux 10 “Buster” operating system series. Users are urged to update their Debian Buster installations to GRUB2 2.02+dfsg1-20+deb10u4.
The Debian Project said that the next point release in the Debian Buster series, Debian GNU/Linux 10.9, will include the patched GRUB2 version, so newer installations won’t be affected. It also warned that earlier installation images may stop working with Secure Boot in the future, once the vulnerable signed components they carry are revoked.
In addition to updating the GRUB2 bootloader, users will also have to update the Linux kernel, shim, fwupdate and fwupd, as well as the signing keys and certificates for the Secure Boot packages, since a patched GRUB2 alone does not close the Secure Boot bypass while the old signed components remain bootable.
Many popular Linux distros are working on offering patched versions of GRUB2 and other components affected by the new security vulnerabilities. These include Ubuntu, Arch Linux, Red Hat Enterprise Linux, Fedora Linux, SUSE Linux Enterprise, openSUSE Linux, and many others.
I will update this article in time to inform you when the patched GRUB2 packages are available for other distributions. Meanwhile, make sure you always have the latest updates for your distro installed. More details about the new GRUB2 security vulnerabilities and their implications for the various distros are available in the upstream announcement and the distributions’ own security advisories.
Update 10/03/21: Manjaro Linux now offers updated GRUB2 packages in all of their branches.
Image credits: Canonical