ASA-202106-43 log generated external raw

[ASA-202106-43] grub: multiple issues
Arch Linux Security Advisory ASA-202106-43 ========================================== Severity: Medium Date : 2021-06-15 CVE-ID : CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 CVE-2021-20225 CVE-2021-20233 Package : grub Type : multiple issues Remote : No Link : Summary ======= The package grub before version 2:2.06-1 is vulnerable to multiple issues including access restriction bypass and arbitrary code execution. Resolution ========== Upgrade to 2:2.06-1. # pacman -Syu "grub>=2:2.06-1" The problems have been fixed upstream in version 2.06. Workaround ========== None. Description =========== - CVE-2020-14372 (arbitrary code execution) GRUB2 enables the use of the command acpi even when secure boot is signaled by the firmware. An attacker with local root privileges can drop a small SSDT in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT then gets run by the kernel and it overwrites the kernel lockdown configuration enabling the attacker to load unsigned kernel modules and kexec unsigned code. - CVE-2020-25632 (arbitrary code execution) The rmmod implementation for grub2 is flawed, allowing an attacker to unload a module used as a dependency without checking if any other dependent module is still loaded. This leads to a use-after-free scenario possibly allowing an attacker to execute arbitrary code and by-pass Secure Boot protections. - CVE-2020-25647 (arbitrary code execution) grub_usb_device_initialize() is called to handle USB device initialization. It reads out the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption. If properly exploited, this would lead to arbitrary code execution allowing the attacker to bypass the Secure Boot mechanism. - CVE-2020-27749 (arbitrary code execution) grub_parser_split_cmdline() expands variable names present in the supplied command line in to their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution. An attacker may use this to circumvent Secure Boot protections. - CVE-2020-27779 (access restriction bypass) The GRUB2's cutmem command does not honor Secure Boot locking. This allows an privileged attacker to remove address ranges from memory creating an opportunity to circumvent Secure Boot protections after proper triage of grub's memory layout. - CVE-2021-20225 (arbitrary code execution) The option parser in GRUB2 allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. - CVE-2021-20233 (arbitrary code execution) There's a flaw in GRUB2 menu rendering code setparam_prefix() in the menu rendering code. It performs a length calculation under the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters. This allow an attacker to corrupt memory by one byte for each quote in the input. Impact ====== When secure boot is enabled, complete subversion of the integrity prospects can be achieved through malicious use of existing commands, side-loaded modules, command acpi, rmmod, variable referencing and option parsers. References ==========;a=commit;h=3e8e4c0549240fa209acffceb473e1e509b50c95;a=commit;h=7630ec5397fe418276b360f9011934b8c034936c;a=commit;h=128c16a682034263eb519c89bc0934eeb6fa8cfa;a=commit;h=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6;a=commit;h=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9;a=commit;h=2a330dba93ff11bc00eda76e9419bc52b0c7ead6;a=commit;h=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33