Hi all, This patch set contains a bundle of fixes for various security flaws discovered in the GRUB2 NTFS driver code recently. The most severe ones, i.e. potentially exploitable, have CVEs assigned and are listed at the end of this email.
Details of exactly what needs updating will be provided by the respective distros and vendors when updates become available. Full mitigation against all CVEs will require updated shim with latest SBAT (Secure Boot Advanced Targeting) [1] data provided by distros and vendors. This time UEFI revocation list (dbx) will not be used and revocation of broken artifacts will be done with SBAT only. For information on how to apply the latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly permit known older boot artifacts to boot. Updated GRUB2, shim and other boot artifacts from all the affected vendors will be made available when the embargo lifts or some time thereafter. I am posting all the GRUB2 upstream patches which fix all security bugs found and reported up until now. Major Linux distros carry or will carry soon one form or another of these patches. Now all the GRUB2 upstream patches are in the GRUB2 git repository [2] too. I would like to thank Maxim Suhanov for responsible disclosure and preparation of patches required to fully fix all known issues. Daniel [1] https://github.com/rhboot/shim/blob/main/SBAT.md [2] https://git.savannah.gnu.org/gitweb/?p=grub.git https://git.savannah.gnu.org/git/grub.git ******************************************************************************* CVE-2023-4692 grub2: OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file 5.3/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N There is an out-of-bounds write in grub-core/fs/ntfs.c. An attacker may leverage this vulnerability by presenting a specially crafted NTFS filesystem image leading to GRUB's heap metadata corruption. Additionally, in some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result arbitrary code execution and secure boot protection bypass may be achieved. Reported-by: Maxim Suhanov ******************************************************************************* CVE-2023-4693 grub2: OOB read when reading data from the resident $DATA attribute 5.3/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N There is an out-of-bounds read at grub-core/fs/ntfs.c. A physically present attacker may leverage that by presenting a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack may allow sensitive data cached in memory or EFI variables values to be leaked presenting a high confidentiality risk. Reported-by: Maxim Suhanov ******************************************************************************* grub-core/fs/ntfs.c | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 105 insertions(+), 16 deletions(-) Maxim Suhanov (6): fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes fs/ntfs: Fix an OOB read when parsing a volume label fs/ntfs: Make code more readable _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
