GRUB Boot hole
Posted: Wed Jul 29, 2020 3:33 pm
Hi,
I've run into an interesting issue with Grub2. My problem is, the more I read about it, the more bullshit it smells.
Let's start with the facts. Debian reported lots of bugs with Grub2. This includes memory overflow, use-after-free etc. memory problems, but also a nasty security hole because of the overcomplicated grub.cfg. So far everything is reasonable and proved. But for the latter, both DSA and CVE link to a site, which originally reported the Grub2 problem.
It becomes even more interesting, watch this:
Seriously, what's going on? Is this really what it really looks like? <paranoid>An attack against the last loophole to boot Open Source systems with UEFI SB?</paranoid>
It is obvious that a bug in Grub parsing grub.cfg can't affect other boot loaders and it most definitely can't affect the Microsoft Third Party UEFI CA... I've read through the linked site, and there's no answer. They talk about lots of things, including DMA attacks, and Grub2 bugs, but I still can't understand why would anyone conclude that a bug in a particular boot loader undermines the CA? This just makes no sense.
What do you think?
Cheers,
bzt
I've run into an interesting issue with Grub2. My problem is, the more I read about it, the more bullshit it smells.
Let's start with the facts. Debian reported lots of bugs with Grub2. This includes memory overflow, use-after-free etc. memory problems, but also a nasty security hole because of the overcomplicated grub.cfg. So far everything is reasonable and proved. But for the latter, both DSA and CVE link to a site, which originally reported the Grub2 problem.
That site states, I quote:A flaw in the grub.cfg parsing code was found allowing to break UEFI Secure Boot and load arbitrary code. Details can be found at https://www.eclypsium.com/2020/07/29/th ... -the-boot/
What??? Is there any other boot loader that parses grub.cfg at all???The vulnerability affects systems using Secure Boot, even if they are not using GRUB2.
It becomes even more interesting, watch this:
Heh? This is the part that smells (very badly).The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.
Seriously, what's going on? Is this really what it really looks like? <paranoid>An attack against the last loophole to boot Open Source systems with UEFI SB?</paranoid>
It is obvious that a bug in Grub parsing grub.cfg can't affect other boot loaders and it most definitely can't affect the Microsoft Third Party UEFI CA... I've read through the linked site, and there's no answer. They talk about lots of things, including DMA attacks, and Grub2 bugs, but I still can't understand why would anyone conclude that a bug in a particular boot loader undermines the CA? This just makes no sense.
What do you think?
Cheers,
bzt