Researchers at Eclypsium discovered a buffer overflow vulnerability in the way the GRUB2 bootloader handles its configuration file. GRUB2 is used when booting Windows, Linux and MacOS. Server systems, kernels and hypervisors are affected as well. The information was published on 29 July 2020, in coordination with operating system vendors and computer manufacturers. The vulnerability allows arbitrary code to be executed at boot time.
Admin's note: don't rush to update, read about the problems below.
Even the optional UEFI Secure Boot protocol does not help, because not all vendors thought to add digital signature verification for the grub.cfg configuration file.
The vulnerability was named CVE-2020-10713 “GRUB2: crafted grub.cfg file can lead to arbitrary code execution during boot process” with a CVSS score of 8.2 (High). After that, 7 more similar vulnerabilities were found in the bootloader.
- CVE-2020-14308 - buffer overflow caused by a missing check on the size of the memory region allocated in grub_malloc;
- CVE-2020-14309 - integer overflow in grub_squash_read_symlink, which can lead to data being written beyond the allocated buffer;
- CVE-2020-14310 - integer overflow in read_section_from_string, which can lead to data being written beyond the allocated buffer;
- CVE-2020-14311 - integer overflow in grub_ext2_read_link, which can lead to data being written beyond the allocated buffer;
- CVE-2020-15705 - allows unsigned kernels to be loaded when booting directly in Secure Boot mode without the shim layer;
- CVE-2020-15706 - access to an already freed memory region (use-after-free) when a function is redefined at run time;
- CVE-2020-15707 - integer overflow in the initrd size handler.
In addition, HPE reports that a similar vulnerability, CVE-2020-7205, is being fixed at the same time.
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-hpesbhf04020en_us
Links
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
- Microsoft
- UEFI Forum
- Updated Revocation List
- Debian
- Security advisory
- Canonical:
- Security advisory
- KnowledgeBase article
- Red Hat
- Customer documentation
- CVE information
- Vulnerability response article
- SUSE
- Security advisory:
- Knowledge Base article:
- HP
- Security advisory
- HPE
- VMware
- Knowledge Base article
- NSA
- Upstream Grub2 project
Don't rush to update!
The problem is fixed by updating the list of revoked certificates, the dbx UEFI Revocation List, but doing so makes it impossible to boot from old installation images and operating systems.
https://www.opennet.ru/opennews/art.shtml?num=53460
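Before applying a dbx update, an admin can check whether the boot binaries currently in use are on the new revocation list. The following is an added example, not code from the original article or from any vendor: it parses the `EFI_SIGNATURE_LIST` structures that make up dbx and extracts the revoked SHA-256 digests. The sample dbx and the digests are constructed for illustration; real dbx entries are Authenticode (PE image) hashes, and revocations made by X.509 certificate are not covered by this check.

```python
import hashlib
import struct
import uuid

# SHA-256 signature type GUID defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a dbx blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject sizes that would run past the buffer or never advance.
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256(blob):
    """Return the set of SHA-256 digests (hex) listed in the dbx blob."""
    return {d.hex() for t, _, d in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID and len(d) == 32}


def strip_efivarfs_attrs(raw):
    """efivarfs prepends a 4-byte attribute word to the variable data."""
    return raw[4:]


def build_sample_dbx(digests):
    """Constructed sample: one SHA-256 signature list with a zero owner GUID."""
    body = b"".join(bytes(16) + d for d in digests)
    head = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return head + body


# Constructed digests standing in for Authenticode hashes of boot binaries.
OLD_SHIM = hashlib.sha256(b"constructed: old shim image").digest()
NEW_SHIM = hashlib.sha256(b"constructed: patched shim image").digest()
SAMPLE_DBX = build_sample_dbx([OLD_SHIM, hashlib.sha256(b"other").digest()])
```

On Linux the live variable is exposed through efivarfs as `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; pass its contents through `strip_efivarfs_attrs` first. A standalone update file from a vendor may carry an authentication header in front of the signature lists, which this parser does not strip.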
Some vendors have already included the updated list of revoked certificates in their firmware, and admins have already felt the pain. Admins of RHEL 8 and CentOS 8 ran into problems after updating: the OS stopped booting. On some HPE ProLiant servers (HPE ProLiant XL230k Gen1 without UEFI Secure Boot) RHEL 8.2 failed to boot.
https://bugzilla.redhat.com/show_bug.cgi?id=1861977
https://bugzilla.redhat.com/show_bug.cgi?id=1862045
There are also boot problems with RHEL 7, CentOS 7, Ubuntu and Debian.
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1889509
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1889509/comments/6
Update
On 6 August 2020 HPE reported that analysis had uncovered one more vulnerability in the GRUB2 bootloader; a fix is planned for late August:
Additional GRUB2 vulnerabilities was found in the GRUB2 development cycle. An update is planned for late August.
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-hpesbhf04019en_us
List of vulnerable HPE servers:
- HPE Cloudline CL3100 Gen9 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL5200 Gen9 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL5800 Gen9 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE ProLiant BL460c Gen9 Server Blade IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant BL660c Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL20 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL60 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL80 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL120 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL160 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL180 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL360 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL380 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL560 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL580 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant ML10 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant ML30 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant ML110 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant ML150 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant ML350 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL170r Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL190r Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL230a Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL385 Gen10 Plus server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL325 Gen10 Plus server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL220n Gen10 Plus Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL250a Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL260a Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL290n Gen10 Plus Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL450 Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL730f Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL740f Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL750f Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Synergy 480 Gen9 Compute Module IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Synergy 620 Gen9 Compute Module IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Synergy 660 Gen9 Compute Module IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Synergy 680 Gen9 Compute Module IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- ProLiant SE2160w Gen9 Server IP - Gen9 - Prior to 2.81, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL580 Gen8 Server IP - Gen8 - Prior to 1.72. SPP - Prior to Gen8.1. Scripting ToolKit - Prior to 11.40
- HPE Apollo 4200 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Cloudline CL2100 Gen10 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL2200 Gen10 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL2600 Gen10 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL2800 Gen10 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL3100 Gen10 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL3150 Gen10 Server (AMD) All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL4100 Gen10 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE Cloudline CL5800 Gen10 Server All Linux OS with GRUB2 - Patch from Linux OS Vendor
- HPE ProLiant MicroServer Gen10 IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Apollo 2000 Gen10 Plus System IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant BL460c Gen10 Server Blade IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL20 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL120 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL160 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL180 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL325 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL360 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL380 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL385 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL560 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DL580 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant ML30 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant ML110 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant ML350 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL170r Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL190r Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL230k Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL270d Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL450 Gen10 Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Synergy 480 Gen10 Compute Module IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Synergy 660 Gen10 Compute Module IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE Synergy 480 Gen10 Plus Compute Module IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant MicroServer Gen10 Plus IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant XL925g Gen10 Plus 1U 4-node Configure-to-order Server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant DX385 Gen10 Plus server IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant m750 Server Blade IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant m510 Server Cartridge IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant m710x Server Blade IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant m710x-L Server Blade IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant e910 Server Blade IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE ProLiant e910t Server Blade IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, SPP - Prior to 2020.03. Scripting ToolKit - Prior to 11.40
- HPE SmartStart Scripting Toolkit Software Prior to 11.40 - For Linux only
- HPE Service Pack for ProLiant Prior to v2020.03
- Intelligent Provisioning IP - Gen10 and Gen10 Plus Servers - v3.30.213 or earlier, v3.31, v3.40, Gen9 Prior to v2.81, Gen8 - Prior to 1.72
- HPE NonStop Virtual TapeServer (VTS) VTS is affected in Linux 6 (module patch)
- HPE Superdome Flex Server Version 3.25.46 May 12 2020 (or earlier)