Arch Linux Security Advisory ASA-202106-43
==========================================

Severity: Medium
Date    : 2021-06-15
CVE-ID  : CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
          CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
Package : grub
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1629

Summary
=======

The package grub before version 2:2.06-1 is vulnerable to multiple issues including access restriction bypass and arbitrary code execution.

Resolution
==========

Upgrade to 2:2.06-1.

# pacman -Syu "grub>=2:2.06-1"

The problems have been fixed upstream in version 2.06.

Workaround
==========

None.

Description
===========

- CVE-2020-14372 (arbitrary code execution)

GRUB2 enables the use of the acpi command even when Secure Boot is signaled by the firmware. An attacker with local root privileges can drop a small SSDT in /boot/efi and modify grub.cfg to instruct grub to load that SSDT. The SSDT is then run by the kernel and overwrites the kernel lockdown configuration, enabling the attacker to load unsigned kernel modules and kexec unsigned code.

- CVE-2020-25632 (arbitrary code execution)

The rmmod implementation in grub2 is flawed: it allows an attacker to unload a module that is used as a dependency without checking whether any other dependent module is still loaded. This leads to a use-after-free scenario that may allow an attacker to execute arbitrary code and bypass Secure Boot protections.

- CVE-2020-25647 (arbitrary code execution)

grub_usb_device_initialize() is called to handle USB device initialization. It reads the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption. If properly exploited, this would lead to arbitrary code execution, allowing the attacker to bypass the Secure Boot mechanism.
- CVE-2020-27749 (arbitrary code execution)

grub_parser_split_cmdline() expands variable names present in the supplied command line into their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution. An attacker may use this to circumvent Secure Boot protections.

- CVE-2020-27779 (access restriction bypass)

GRUB2's cutmem command does not honor Secure Boot locking. This allows a privileged attacker to remove address ranges from memory, creating an opportunity to circumvent Secure Boot protections after proper triage of grub's memory layout.

- CVE-2021-20225 (arbitrary code execution)

The option parser in GRUB2 allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options.

- CVE-2021-20233 (arbitrary code execution)

There is a flaw in the GRUB2 menu rendering code, setparam_prefix(). It performs a length calculation under the assumption that expressing a quoted single quote requires 3 characters, while it actually requires 4 characters. This allows an attacker to corrupt memory by one byte for each quote in the input.

Impact
======

When Secure Boot is enabled, the integrity guarantees it is meant to provide can be completely subverted through malicious use of existing commands, side-loaded modules, the acpi command, rmmod, variable referencing and the option parsers.
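The following C program is an added example, not GRUB's own code, that models the sizing mistake described under CVE-2021-20233: a length pass that charges a configurable cost per embedded single quote, a renderer that writes the real four-character form, and a helper showing that charging 3 instead of 4 undercounts by exactly one byte per quote. The function names (quoted_args_len, render_quoted_args, undersize_bytes) are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the sizing pass: each argument costs a leading
 * space plus two enclosing single quotes, and every embedded single quote
 * costs `quote_cost` bytes. The flawed calculation charged 3 per quote;
 * the rendered form '\'' (close, backslash-escaped quote, reopen) needs 4. */
static size_t quoted_args_len(int argc, char **args, size_t quote_cost)
{
    size_t len = 0;
    for (int i = 0; i < argc; i++) {
        len += 3;                              /* ' ' + opening and closing ' */
        for (const char *p = args[i]; *p; p++)
            len += (*p == '\'') ? quote_cost : 1;
    }
    return len;
}

/* Render the arguments as single-quoted words into a buffer sized with the
 * correct per-quote cost. Returns a malloc'd string (caller frees) or NULL. */
static char *render_quoted_args(int argc, char **args)
{
    size_t need = quoted_args_len(argc, args, 4) + 1;  /* + terminating NUL */
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    char *q = buf;
    for (int i = 0; i < argc; i++) {
        *q++ = ' ';
        *q++ = '\'';
        for (const char *p = args[i]; *p; p++) {
            if (*p == '\'') {
                memcpy(q, "'\\''", 4);         /* close, escaped quote, reopen */
                q += 4;
            } else {
                *q++ = *p;
            }
        }
        *q++ = '\'';
    }
    *q = '\0';
    assert((size_t)(q - buf) == need - 1);     /* sizing and rendering agree */
    return buf;
}

/* Bytes by which the flawed sizing (3 per quote) undercounts the rendering:
 * exactly one byte for every single quote in the input, as the advisory says. */
static size_t undersize_bytes(int argc, char **args)
{
    return quoted_args_len(argc, args, 4) - quoted_args_len(argc, args, 3);
}
```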
References
==========

https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e8e4c0549240fa209acffceb473e1e509b50c95
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=7630ec5397fe418276b360f9011934b8c034936c
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=128c16a682034263eb519c89bc0934eeb6fa8cfa
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=2a330dba93ff11bc00eda76e9419bc52b0c7ead6
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33
https://security.archlinux.org/CVE-2020-14372
https://security.archlinux.org/CVE-2020-25632
https://security.archlinux.org/CVE-2020-25647
https://security.archlinux.org/CVE-2020-27749
https://security.archlinux.org/CVE-2020-27779
https://security.archlinux.org/CVE-2021-20225
https://security.archlinux.org/CVE-2021-20233