Univention Bugzilla – Bug 51748
grub2: Multiple security issues - UEFI-Secure-Boot compromise
Last modified: 2022-07-08 13:17:20 CEST
CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707. <https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/> In contrast to Debian, our version of GRUB2 in UCS-4.x may be affected by CVE-2020-10713, as our version is patched for Secure Boot. We need to re-sign our version. If things go bad, Microsoft will revoke our SHIM.
Debian 10.5 was released Saturday, which contains a fixed shim, grub2 and Linux kernel; see <https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/> for details. Quoting from that document:

> All of the Linux distributions shipping with Microsoft-signed copies of shim have been asked to provide details of the binaries or keys involved to facilitate this process.

Also quoting from <https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing-requirements/ba-p/1062916>:

> 12.B Submitter must design and implement a strong revocation mechanism for everything the shim loads, directly and subsequently.

Probably all our current versions of GRUB are vulnerable, so they must all be revoked. shim contains a dbx.esl, which is embedded at build-time. Because of that we need to build a new version and get it signed by MS.
1. Import <https://packages.debian.org/search?keywords=grub2&searchon=sourcenames&exact=1&suite=all&section=all> from Debian-9-Buster (or backport the patches? Risk to forget other required changes or doing a patch mistake)
1.1 Make sure to not repeat <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966575>!
2. Also update "base/grub-efi-amd64-signed" with our *old* signature to roll out a fixed version now - will *not* fix the problem for real, but will allow us to tackle one issue after another and not all at the same time.
3. Research if our version is really vulnerable.
3.1 If yes, inform MS to revoke our SHIM - we're obliged to do so!
3.2 Check if we're already included in "dbxupdate_x64.bin".
4. Get a new EV public/private key (and crypto token) - our current one expires 2020-10-01 after 3y!
5. Build a new SHIM with that key.
6. Submit new SHIM to MS for signing - see Bug #45471
7. Re-sign new GRUB with new key
8. Publish new signed SHIM and new re-signed GRUB as errata
8.1 This might brick a system - research recovery procedure beforehand.
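Step 3.2 (checking whether a binary is already listed in "dbxupdate_x64.bin") can be scripted. The following is an added example, not Univention's or shim's code: it walks the EFI_SIGNATURE_LIST structures of a dbx blob (either the authenticated dbxupdate_x64.bin from uefi.org, or a plain dbx.esl as shim embeds at build time) and looks up a hash. Assumption: dbx entries are Authenticode SHA-256 hashes of the PE image, not a sha256sum of the file, so the hash to look up must come from a PE signing tool (e.g. pesign); the sample dbx below is constructed inline.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID: entries in such a list are owner GUID (16 bytes) + SHA-256 (32 bytes)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1


def strip_auth2_header(blob: bytes) -> bytes:
    """dbxupdate_x64.bin is an EFI_VARIABLE_AUTHENTICATION_2 blob: EFI_TIME (16 bytes),
    then a WIN_CERTIFICATE_UEFI_GUID whose dwLength spans the whole certificate.
    A plain .esl (as shim embeds it) has no such header and is returned unchanged."""
    if len(blob) < 24:
        return blob
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", blob, 16)
    if cert_type != WIN_CERT_TYPE_EFI_GUID:
        return blob
    return blob[16 + dw_length:]


def iter_sha256_entries(esl: bytes):
    """Walk back-to-back EFI_SIGNATURE_LISTs; yield (owner GUID, hash hex) from SHA-256 lists."""
    off = 0
    while off + 28 <= len(esl):
        sig_type = uuid.UUID(bytes_le=esl[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", esl, off + 16)
        if list_size < 28 or off + list_size > len(esl):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 48:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:
                owner = uuid.UUID(bytes_le=esl[pos:pos + 16])
                yield owner, esl[pos + 16:pos + 48].hex()
                pos += sig_size
        off += list_size  # lists are concatenated; SignatureListSize covers the whole list


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the binary's Authenticode SHA-256 hash is listed in the dbx blob."""
    wanted = authenticode_sha256_hex.lower()
    return any(h == wanted for _owner, h in iter_sha256_entries(strip_auth2_header(blob)))


def build_sha256_esl(hashes_hex, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_CERT_SHA256 signature list (used here only to construct the sample dbx)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


# Constructed sample dbx with two (made-up) Authenticode hashes.
SAMPLE_DBX = build_sha256_esl(["11" * 32, "22" * 32])
```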
There were further secure boot weaknesses found in grub2 in March 2021. We should update to a recent grub2 version in order to cover these as well. Source: https://www.heise.de/news/Grub-2-Acht-neue-Schwachstellen-im-Bootloader-5073481.html
Today I received an E-mail from MS that our SHIM is revoked: they will push this to UEFI.org on April 22nd 2021 and will start publishing updated revocation lists "late Summer 2021". Customers using UCS on UEFI with SB enabled will then find their systems will no longer boot! The only chance they have will be to disable SB, which might not be allowed by their security policy, rendering their systems broken and all data lost until fixed. Fixing this will require many manual steps; re-installing the system from scratch might be the easier option left, but UCS-5.0-0 will not ship SB capable (Bug #51984).

Old CVE-2020-10713 "BootHole" 8.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Old CVE-2020-14308 grub2: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Old CVE-2020-14309 grub2: Integer overflow in grub_squash_read_symlink may lead to heap based overflow. 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Old CVE-2020-14310 grub2: Integer overflow read_section_from_string may lead to heap based overflow. 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Old CVE-2020-14311 grub2: Integer overflow in grub_ext2_read_link leads to heap based buffer overflow 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Old CVE-2020-15705 grub: avoid loading unsigned kernels when grub is booted directly under secureboot without shim 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Old CVE-2020-15706 script: Avoid a use-after-free when redefining a function during execution 6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Old CVE-2020-15707 grub2: Integer overflow in initrd size handling 5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
New CVE-2020-14372 grub2: ACPI Secure Boot vulnerability 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2020-25632 grub2: use-after-free in rmmod command 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2020-25647 grub2: out-of-bound write in grub_usb_device_initialize() 7.6/CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
New CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2020-27779 grub2: cutmem command allows privileged user to remove memory regions when Secure Boot is enabled 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2021-20225 grub2: heap out-of-bounds write in short form option parser 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2021-20233 grub2: heap out-of-bound write due to mis-calculation of space required for quoting 7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
*** Bug 53801 has been marked as a duplicate of this bug. ***
r19425 | Bug #51748: Backport pesign for shim
Package: pesign
Version: 0.112-5A~4.4.0.202109201216
Branch: ucs_4.4-0
Scope: ucs4.4-9

sudo pbuilder create \
  --basetgz ucs_4.4-0-shim44.tgz \
  --distribution buster \
  --architecture i386 \
  --mirror http://debian.knut.univention.de/ \
  --othermirror 'deb [trusted=yes] http://192.168.0.10/build2/ ucs_4.4-0-shim44/all/|deb [trusted=yes] http://192.168.0.10/build2/ ucs_4.4-0-shim44/$(ARCH)/'

"shim-15.4" can only be built with gcc-8, but UCS-4.4 only has gcc-6: gcc-6 complains about several "warnings", which are treated as errors, e.g. tpm.c, include/str.h, …
I have created the `ucs_4.4-0-shim44` scope, which uses Debian-10-Buster for i386 and UCS-5.0-0 for amd64. The built shim is loaded even before *GRUB2*, so it does not depend on the installed Linux/Debian/UCS release: the Debian maintainer scripts use no features from Debian-10-Buster.

r19426 | Bug #51748: Backport shim
repo_admin.py -F -p shim -P shim_15.4-7~deb10u1.dsc -r 4.4 -s shim44
Package: shim
Version: 15.4-7~deb10u1A~4.4.0.202109291700
Branch: ucs_4.4-0
Scope: shim44
i386: /var/univention/buildsystem2/logs/ucs_4.4-0-shim44/shim_15.4-7~deb10u1A~4.4.0.202109291700.log
amd64: /var/univention/buildsystem2/logs/ucs_4.4-0-shim44/shim_15.4-7~deb10u1A~4.4.0.202109291700.log_amd64_20210929175005.bz2

cd $APT
tar -c -f - ucs_4.4-0-shim44/*/shim* | tar -x -f - -C ucs_4.4-0-ucs4.4-9/ --strip-components=1 -v
repo-apt-ftparchive ucs_4.4-0-ucs4.4-9
repo-check-duplicate-debs2 --delete ucs_4.4-0-ucs4.4-9
r19435 | Bug #51748: Adapt shim for UCS-4.4-9
Package: shim
Version: 15.4-7~deb10u1A~4.4.0.202110051737
Branch: ucs_4.4-0
Scope: shim44
i386: /var/univention/buildsystem2/logs/ucs_4.4-0-shim44/shim_15.4-7~deb10u1A~4.4.0.202110051737.log
amd64: /var/univention/buildsystem2/logs/ucs_4.4-0-shim44/shim_15.4-7~deb10u1A~4.4.0.202110051737.log_amd64_20211005174641.bz2

Package: grub-efi-amd64-signed
Version: 3.0.0-3A~4.4.0.202110110950
Branch: ucs_4.4-0
Scope: ucs4.4-9

Package: univention-kernel-image-signed
Version: 5.0.0-19A~4.4.0.202110110957
Branch: ucs_4.4-0
Scope: ucs4.4-9

https://github.com/univention/shim/tree/4.4
https://github.com/univention/shim-review
https://github.com/rhboot/shim-review/issues/213

FIXED-IN-BRANCH `shim44`
Waiting for SHIM review.
https://hutten.knut.univention.de/blog/uefi-secure-boot-sbat/
[phahn/51748shim] 9d49f72dc6 doc[shim] UCS 4.4-9 upgrade
 doc/changelog/release-notes-4.4-9-de.xml | 28 ++++++++++++++++++++++++++++
 doc/changelog/release-notes-4.4-9-en.xml | 28 ++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
https://etherpad-lite.knut.univention.de/etherpad/p/uefi-secure-boot
https://help.univention.com/t/uefi-secure-boot-updates/18778
I have contacted "Julian Andres Klode" by private mail and asked for help. He's a fellow German DD working for Canonical and already participated in <https://github.com/rhboot/shim-review/issues/213>
It was decided to not do any more UEFI-SB work for UCS-4.4 /close