Anonymous ID: ed79cf Aug. 3, 2021, 8:10 p.m. No.14264781

https://www.grc.com/sn/sn-778.htm

First, as regards the buffer overflow, UEFI does not employ address space layout randomization, data execution prevention, or any of the other common exploit mitigation protections that have fortunately become standard in operating systems. This means that weaponizing this buffer overflow will be trivial for attackers who already have a foothold on the targeted computer. From there, the protections many people expect to prevent boot kits from taking hold can be readily bypassed.

We talked about this before, but it’s worth noting that, thankfully, the Secure Boot system was understood to require some form of truly effective revocation mechanism. So every UEFI system which supports Secure Boot contains a pair of protected databases; the “Allow DB” (db) lists approved components, and the “Disallow DB” (dbx) contains a list of known vulnerable or malicious components, including firmware, drivers, and bootloaders. So what this means is that all previously vulnerable boot loading components, GRUB2 and anything else that might be found, will need to be explicitly added to every single trusted motherboard UEFI system.

But wait, there’s more!…

In response to Eclypsium’s initial vulnerability report, the GRUB2 code came under additional (and, as it turns out, very much needed) scrutiny, and a distressing number of additional vulnerabilities were then discovered by the Canonical security team:

  • CVE-2020-14308 GRUB2: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow
  • CVE-2020-14309 GRUB2: Integer overflow in grub_squash_read_symlink may lead to heap based overflow
  • CVE-2020-14310 GRUB2: Integer overflow read_section_from_string may lead to heap based overflow
  • CVE-2020-14311 GRUB2: Integer overflow in grub_ext2_read_link leads to heap based buffer overflow
  • CVE-2020-15705 GRUB2: avoid loading unsigned kernels when grub is booted directly under secureboot without shim
  • CVE-2020-15706 GRUB2 script: Avoid a use-after-free when redefining a function during execution
  • CVE-2020-15707 GRUB2: Integer overflow in initrd size handling.
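The db/dbx revocation mechanism described in the quoted transcript is, on the wire, a chain of EFI_SIGNATURE_LIST structures, and the practical check after an advisory like BootHole is to parse the dbx your firmware actually holds and see whether the revoked hashes are in it. The code below is an added example; it is not from the post, from the Security Now transcript, or from Eclypsium, Canonical or the GRUB2 project. It parses the EFI_SIGNATURE_LIST layout from the UEFI specification as Linux efivarfs exposes it (a 4-byte attribute word followed by the payload) and answers whether a given SHA-256 entry is revoked. The sample dbx bytes, the owner GUID, the hashes and the placeholder "certificate" are constructed for the example; `load_dbx`, `is_well_formed` and the other function names are this example's own. One caveat a practitioner needs: EFI_CERT_SHA256 entries in dbx are Authenticode hashes of the PE image, not a plain sha256sum of the bootloader file, so the hash passed to `is_revoked` must come from a tool that computes the Authenticode digest.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification, and the GUID that names the
# db/dbx variables (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# Where Linux efivarfs exposes dbx; each file starts with a 4-byte attribute word.
DBX_EFIVARFS_PATH = "/sys/firmware/efi/efivars/dbx-%s" % EFI_IMAGE_SECURITY_DATABASE_GUID
SIGLIST_HEADER_LEN = 28  # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def strip_efivarfs_attributes(raw):
    """Drop the UINT32 attributes efivarfs prepends to the variable payload."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short to hold an attribute word")
    return raw[4:]


def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LIST structures.

    Returns a list of (signature type GUID, SignatureOwner GUID, SignatureData bytes).
    Every size field is bounds-checked: a dbx dump is untrusted input to any tool
    that reads it, so a malformed list must raise rather than overread.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < SIGLIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body_start = off + SIGLIST_HEADER_LEN + hdr_size
        body_end = off + list_size
        if list_size < SIGLIST_HEADER_LEN + hdr_size or body_end > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        # SignatureSize covers the 16-byte SignatureOwner GUID plus the data.
        if sig_size < 16 or (body_end - body_start) % sig_size != 0:
            raise ValueError("bad SignatureSize at offset %d" % off)
        for s in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=data[s:s + 16])
            entries.append((sig_type, owner, data[s + 16:s + sig_size]))
        off += list_size
    return entries


def is_well_formed(data):
    """Parse without raising; handy for triaging a dump before trusting its contents."""
    try:
        parse_signature_lists(data)
        return True
    except ValueError:
        return False


def revoked_sha256_hashes(data):
    """The set of EFI_CERT_SHA256 entries (Authenticode PE hashes) in a dbx payload."""
    return {sig for (sig_type, _, sig) in parse_signature_lists(data)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(data, image_hash):
    """True if image_hash (32 bytes) appears as an EFI_CERT_SHA256 entry in dbx."""
    return image_hash in revoked_sha256_hashes(data)


def build_signature_list(sig_type, owner, signatures):
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = 16 + len(signatures[0])
    if any(16 + len(s) != sig_size for s in signatures):
        raise ValueError("all SignatureData in one list must have the same size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    header = sig_type.bytes_le + struct.pack("<III", SIGLIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample dbx (not a real dump): two revoked PE hashes and one revoked
# certificate. The owner GUID, hashes and "certificate" bytes are placeholders.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_HASH_A = bytes.fromhex("aa" * 32)
REVOKED_HASH_B = bytes.fromhex("bb" * 32)
FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"  # placeholder, not a real X.509 certificate
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_HASH_A, REVOKED_HASH_B])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_DER])
)
# NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS, as efivarfs would prefix it.
SAMPLE_EFIVARFS_FILE = struct.pack("<I", 0x27) + SAMPLE_DBX


def load_dbx(path=DBX_EFIVARFS_PATH):
    """Read the live dbx if this host exposes one, otherwise fall back to the sample."""
    try:
        with open(path, "rb") as f:
            return strip_efivarfs_attributes(f.read())
    except OSError:
        return SAMPLE_DBX


if __name__ == "__main__":
    dbx = load_dbx()
    entries = parse_signature_lists(dbx)
    print("%d entries, %d SHA-256 revocations" % (len(entries), len(revoked_sha256_hashes(dbx))))
    print("REVOKED_HASH_A revoked:", is_revoked(dbx, REVOKED_HASH_A))
```

On a Linux host with Secure Boot the script reads the live dbx and reports how many SHA-256 and X.509 entries it carries; elsewhere it falls back to the constructed sample so the parser can still be exercised. Whether a specific bootloader is blocked is a separate question from whether it is listed: the firmware also consults db and the shim's own MOK list, so an entry in dbx is necessary for revocation but a missing entry says nothing about what shim or the OS vendor has done on top.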