[SECURITY PATCH 0/6] GRUB2 NTFS driver vulnerabilities - 2023/10/03

[Daniel Kiper <daniel.kiper@oracle.com>]

Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in the GRUB2 NTFS driver code recently. The most severe ones, i.e. potentially
exploitable, have CVEs assigned and are listed at the end of this email.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available.

Full mitigation against all CVEs will require updated shim with latest SBAT
(Secure Boot Advanced Targeting) [1] data provided by distros and vendors.
This time UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository [2] too.

I would like to thank Maxim Suhanov for responsible disclosure and preparation
of patches required to fully fix all known issues.

Daniel

[1] https://github.com/rhboot/shim/blob/main/SBAT.md

[2] https://git.savannah.gnu.org/gitweb/?p=grub.git
    https://git.savannah.gnu.org/git/grub.git

*******************************************************************************

CVE-2023-4692 grub2: OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file
5.3/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

There is an out-of-bounds write in grub-core/fs/ntfs.c. An attacker may
leverage this vulnerability by presenting a specially crafted NTFS filesystem
image leading to GRUB's heap metadata corruption. Additionally, in some
circumstances, the attack may also corrupt the UEFI firmware heap metadata.
As a result arbitrary code execution and secure boot protection bypass may
be achieved.

Reported-by: Maxim Suhanov

*******************************************************************************

CVE-2023-4693 grub2: OOB read when reading data from the resident $DATA attribute
5.3/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

There is an out-of-bounds read at grub-core/fs/ntfs.c. A physically present
attacker may leverage that by presenting a specially crafted NTFS file system
image to read arbitrary memory locations. A successful attack may allow
sensitive data cached in memory or EFI variables values to be leaked presenting
a high confidentiality risk.

Reported-by: Maxim Suhanov

*******************************************************************************

 grub-core/fs/ntfs.c | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 105 insertions(+), 16 deletions(-)

Maxim Suhanov (6):
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
      fs/ntfs: Fix an OOB read when parsing a volume label
      fs/ntfs: Make code more readable

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel