Bug 51748 - grub2: Multiple security issues - UEFI-Secure-Boot compromise
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Platform: Other Linux
Importance: P5 normal
Assigned To: Philipp Hahn
Julia Bremer
https://www.heise.de/news/UEFI-Secure...
Duplicates: 53801
Depends on: 51984 53917
Reported: 2020-07-30 13:14 CEST by Philipp Hahn
Modified: 2022-07-08 13:17 CEST (History)
CC: 7 users

What kind of report is it?: Security Issue
Max CVSS v3 score: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)


Description Philipp Hahn univentionstaff 2020-07-30 13:14:36 CEST
CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707.

<https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/>

In contrast to Debian our version of GRUB2 in UCS-4.x may be affected by CVE-2020-10713, as our version is patched for Secure Boot.

We need to re-sign our version.

If things go bad Microsoft will revoke our SHIM.
Comment 2 Philipp Hahn univentionstaff 2020-08-03 06:48:05 CEST
Debian 10.5 was released Saturday, which contains a fixed shim, grub2 and Linux kernel; see <https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/> for details.

Quoting from that document: 
> All of the Linux distributions shipping with Microsoft-signed copies of shim have been asked to provide details of the binaries or keys involved to facilitate this process.

Also quoting from <https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing-requirements/ba-p/1062916>:
> 12.B Submitter must design and implement a strong revocation mechanism for everything the shim loads, directly and subsequently.

Probably all our current versions of GRUB are vulnerable, so they must all be revoked. shim contains a dbx.esl, which is embedded at build-time. Because of that we need to build a new version and get it signed by MS.
Comment 3 Philipp Hahn univentionstaff 2020-09-07 12:45:30 CEST
1. Import <https://packages.debian.org/search?keywords=grub2&searchon=sourcenames&exact=1&suite=all&section=all> from Debian-9-Buster (or backport the patches? Risk to forget other required changes or doing a patch mistake)

1.1 Make sure to not repeat <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966575>!

2. Also update "base/grub-efi-amd64-signed" with our *old* signature to roll out a fixed version now - will *not* fix the problem for real, but will allow us to tackle one issue after another and not all at the same time.

3. Research if our version is really vulnerable.

3.1 If yes, inform MS to revoke our SHIM - we're obliged to do so!

3.2 Check if we're already included in "dbxupdate_x64.bin".

4. Get a new EV public/private key (and crypto token) - our current one expires 2020-10-01 after 3y!

5. Build a new SHIM with that key.

6. Submit new SHIM to MS for signing - see Bug #45471

7. Re-sign new GRUB with new key

8. Publish new signed SHIM and new re-signed GRUB as errata

8.1 This might brick a system - research recovery procedure beforehand.
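Added example (not part of this bug's comments and not Univention's code): step 3.2 above and Comment 2 both turn on the dbx format, either the signed "dbxupdate_x64.bin" published via UEFI.org or the dbx.esl that shim embeds. Both are sequences of EFI_SIGNATURE_LIST structures; the UEFI.org file additionally carries an EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME plus WIN_CERTIFICATE_UEFI_GUID with the PKCS#7 signature) in front. The parser below strips that header when present, walks the lists and answers "is this SHA-256 hash revoked?". The sample dbx, its owner GUID and the two hashes are constructed for the example; the structure layouts and signature-type GUIDs are from the UEFI specification.

```python
"""Parse a UEFI dbx blob (raw EFI_SIGNATURE_LISTs, or a signed dbxupdate_x64.bin
with its EFI_VARIABLE_AUTHENTICATION_2 header) and check whether a SHA-256 hash
is on the revocation list.  Example code, not part of the bug or of shim."""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
KNOWN_SIGNATURE_TYPES = {EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID}


def strip_auth2_header(blob):
    """Return the EFI_SIGNATURE_LIST payload of a time-based authenticated
    variable.  A blob that already starts with a known signature-type GUID
    (a raw dbx.esl) is returned unchanged."""
    if uuid.UUID(bytes_le=blob[:16]) in KNOWN_SIGNATURE_TYPES:
        return blob
    # EFI_TIME is 16 bytes; WIN_CERTIFICATE.dwLength (u32) follows and covers the
    # 8-byte WIN_CERTIFICATE header, the 16-byte CertType GUID and the PKCS#7 data.
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", blob, 16)
    if cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not an EFI_VARIABLE_AUTHENTICATION_2 header")
    return blob[16 + dw_length:]


def iter_signatures(blob):
    """Yield (signature_type, owner_guid, signature_data) for every entry."""
    data = strip_auth2_header(blob)
    off = 0
    while off < len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size          # skip fixed header and SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:       # each entry: SignatureOwner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(blob):
    """All SHA-256 entries (Authenticode PE hashes) as lowercase hex strings."""
    return {sig.hex() for t, _owner, sig in iter_signatures(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob, sha256_hex):
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


# --- constructed sample data (not a real dbx) ---------------------------------
def build_esl(sig_type, owner, entries):
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def wrap_auth2(esl, pkcs7=b"<constructed placeholder, not a real PKCS#7 blob>"):
    """Prepend a syntactically valid EFI_VARIABLE_AUTHENTICATION_2 header."""
    efi_time = struct.pack("<HBBBBBBIhBB", 2021, 4, 22, 0, 0, 0, 0, 0, 0, 0, 0)
    win_cert = struct.pack("<IHH", 8 + 16 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + esl


CONSTRUCTED_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
HASH_A = bytes.fromhex("aa" * 32)   # constructed, stands in for a revoked shim hash
HASH_B = bytes.fromhex("bb" * 32)
SAMPLE_RAW_DBX = build_esl(EFI_CERT_SHA256_GUID, CONSTRUCTED_OWNER, [HASH_A, HASH_B])
SAMPLE_SIGNED_DBX = wrap_auth2(SAMPLE_RAW_DBX)

if __name__ == "__main__":
    for name, blob in (("raw", SAMPLE_RAW_DBX), ("signed", SAMPLE_SIGNED_DBX)):
        print(name, sorted(revoked_sha256_hashes(blob)))
    print("revoked:", is_revoked(SAMPLE_SIGNED_DBX, "AA" * 32))
```

Two caveats when running this against real data: the SHA-256 entries in dbx are Authenticode hashes of the PE image (as printed by `pesign -h -i shimx64.efi`), not `sha256sum` of the file; and a dbx read from the running firmware via efivarfs (`/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`) carries a 4-byte attribute prefix, so pass `blob[4:]`.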
Comment 4 Max Pohle univentionstaff 2021-03-08 13:13:24 CET
There were further Secure Boot weaknesses found in grub2 in March 2021. We should update to a recent grub2 version in order to cover these as well.

Source: https://www.heise.de/news/Grub-2-Acht-neue-Schwachstellen-im-Bootloader-5073481.html
Comment 5 Philipp Hahn univentionstaff 2021-04-15 08:43:10 CEST
Today I received an e-mail from MS that our SHIM is revoked: they will push this to UEFI.org on April 22nd 2021 and will start publishing updated revocation lists "late Summer 2021".

Customers using UCS on UEFI with SB enabled will then find their systems will no longer boot! The only chance they have will be to disable SB, which might not be allowed by their security policy, rendering their systems broken and all data lost until fixed. Fixing this will require many manual steps; re-installing the system from scratch might be the easier option left, but UCS-5.0-0 will not ship SB capable (Bug #51984).

Old CVE-2020-10713 "BootHole"
    8.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Old CVE-2020-14308 grub2: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow
    6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Old CVE-2020-14309 grub2: Integer overflow in grub_squash_read_symlink may lead to heap based overflow.
    5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Old CVE-2020-14310 grub2: Integer overflow read_section_from_string may lead to heap based overflow.
    5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Old CVE-2020-14311 grub2: Integer overflow in grub_ext2_read_link leads to heap based buffer overflow
    5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Old CVE-2020-15705 grub: avoid loading unsigned kernels when grub is booted directly under secureboot without shim
    6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Old CVE-2020-15706 script: Avoid a use-after-free when redefining a function during execution
    6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Old CVE-2020-15707 grub2: Integer overflow in initrd size handling
    5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
New CVE-2020-14372 grub2: ACPI Secure Boot vulnerability
    7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2020-25632 grub2: use-after-free in rmmod command
    7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2020-25647 grub2: out-of-bound write in grub_usb_device_initialize()
    7.6/CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
New CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline
    7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2020-27779 grub2: cutmem command allows privileged user to remove memory regions when Secure Boot is enabled
    7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2021-20225 grub2: heap out-of-bounds write in short form option parser
    7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
New CVE-2021-20233 grub2: heap out-of-bound write due to mis-calculation of space required for quoting
    7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Comment 8 Philipp Hahn univentionstaff 2021-09-16 15:50:35 CEST
*** Bug 53801 has been marked as a duplicate of this bug. ***
Comment 9 Philipp Hahn univentionstaff 2021-09-30 14:41:06 CEST
r19425 | Bug #51748: Backport pesign for shim

Package: pesign
Version: 0.112-5A~4.4.0.202109201216
Branch: ucs_4.4-0
Scope: ucs4.4-9

sudo pbuilder create \
 --basetgz ucs_4.4-0-shim44.tgz \
 --distribution buster \
 --architecture i386 \
 --mirror http://debian.knut.univention.de/ \
 --othermirror 'deb [trusted=yes] http://192.168.0.10/build2/ ucs_4.4-0-shim44/all/|deb [trusted=yes] http://192.168.0.10/build2/ ucs_4.4-0-shim44/$(ARCH)/'


"shim-15.4" can only be built with gcc-8, but UCS-4.4 only has gcc-6: gcc-6 complains about several "warnings", which are treated as errors, e.g. tpm.c, include/str.h, …

I have created the `ucs_4.4-0-shim44` scope, which uses Debian-10-Buster for i386 and UCS-5.0-0 for amd64.
The built shim is loaded even before *GRUB2*, so it does not depend on the installed Linux/Debian/UCS release: the Debian maintainer scripts use no features from Debian-10-Buster.

r19426 | Bug #51748: Backport shim

repo_admin.py -F -p shim -P shim_15.4-7~deb10u1.dsc -r 4.4 -s shim44

Package: shim
Version: 15.4-7~deb10u1A~4.4.0.202109291700
Branch: ucs_4.4-0
Scope: shim44

i386:  /var/univention/buildsystem2/logs/ucs_4.4-0-shim44/shim_15.4-7~deb10u1A~4.4.0.202109291700.log
amd64: /var/univention/buildsystem2/logs/ucs_4.4-0-shim44/shim_15.4-7~deb10u1A~4.4.0.202109291700.log_amd64_20210929175005.bz2

cd $APT
tar -c -f - ucs_4.4-0-shim44/*/shim* | tar -x -f - -C ucs_4.4-0-ucs4.4-9/ --strip-components=1 -v
repo-apt-ftparchive ucs_4.4-0-ucs4.4-9
repo-check-duplicate-debs2 --delete ucs_4.4-0-ucs4.4-9
Comment 10 Philipp Hahn univentionstaff 2021-10-14 14:58:42 CEST
r19435 | Bug #51748: Adapt shim for UCS-4.4-9

Package: shim
Version: 15.4-7~deb10u1A~4.4.0.202110051737
Branch: ucs_4.4-0
Scope: shim44

i386: /var/univention/buildsystem2/logs/ucs_4.4-0-shim44/shim_15.4-7~deb10u1A~4.4.0.202110051737.log
amd64: /var/univention/buildsystem2/logs/ucs_4.4-0-shim44/shim_15.4-7~deb10u1A~4.4.0.202110051737.log_amd64_20211005174641.bz2

Package: grub-efi-amd64-signed
Version: 3.0.0-3A~4.4.0.202110110950
Branch: ucs_4.4-0
Scope: ucs4.4-9

Package: univention-kernel-image-signed
Version: 5.0.0-19A~4.4.0.202110110957
Branch: ucs_4.4-0
Scope: ucs4.4-9

https://github.com/univention/shim/tree/4.4
https://github.com/univention/shim-review
https://github.com/rhboot/shim-review/issues/213

FIXED-IN-BRANCH `shim44`
Waiting for SHIM review.
Comment 12 Philipp Hahn univentionstaff 2021-10-19 13:21:55 CEST
[phahn/51748shim] 9d49f72dc6 doc[shim] UCS 4.4-9 upgrade
 doc/changelog/release-notes-4.4-9-de.xml | 28 ++++++++++++++++++++++++++++
 doc/changelog/release-notes-4.4-9-en.xml | 28 ++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
Comment 16 Philipp Hahn univentionstaff 2022-02-25 11:45:38 CET
I have contacted "Julian Andres Klode" by private mail and asked for help. He's a fellow German DD working for Canonical and already participated in <https://github.com/rhboot/shim-review/issues/213>
Comment 18 Philipp Hahn univentionstaff 2022-07-08 13:17:20 CEST
It was decided to not do any more UEFI-SB work for UCS-4.4
/close