From: Daniel Kiper <daniel.kiper@oracle.com>
To: grub-devel@gnu.org
Cc: dfirblog@gmail.com
Subject: [SECURITY PATCH 0/6] GRUB2 NTFS driver vulnerabilities - 2023/10/03
Date: Tue, 3 Oct 2023 19:10:10 +0200
Message-ID: <ZRxK8s4nQV2jBq/9@tomti.i.net-space.pl>

Hi all,

This patch set contains a bundle of fixes for various security flaws discovered
in the GRUB2 NTFS driver code recently. The most severe ones, i.e. potentially
exploitable, have CVEs assigned and are listed at the end of this email.

Details of exactly what needs updating will be provided by the respective
distros and vendors when updates become available.

Full mitigation against all CVEs will require updated shim with latest SBAT
(Secure Boot Advanced Targeting) [1] data provided by distros and vendors.
This time UEFI revocation list (dbx) will not be used and revocation of broken
artifacts will be done with SBAT only. For information on how to apply the
latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly
permit known older boot artifacts to boot.

Updated GRUB2, shim and other boot artifacts from all the affected vendors will
be made available when the embargo lifts or some time thereafter.

I am posting all the GRUB2 upstream patches which fix all security bugs found
and reported up until now. Major Linux distros carry or will carry soon one
form or another of these patches. Now all the GRUB2 upstream patches are in
the GRUB2 git repository [2] too.

I would like to thank Maxim Suhanov for responsible disclosure and preparation
of patches required to fully fix all known issues.

Daniel

[1] https://github.com/rhboot/shim/blob/main/SBAT.md

[2] https://git.savannah.gnu.org/gitweb/?p=grub.git
    https://git.savannah.gnu.org/git/grub.git

*******************************************************************************

CVE-2023-4692 grub2: OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file
5.3/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

There is an out-of-bounds write in grub-core/fs/ntfs.c. An attacker may
leverage this vulnerability by presenting a specially crafted NTFS filesystem
image leading to GRUB's heap metadata corruption. Additionally, in some
circumstances, the attack may also corrupt the UEFI firmware heap metadata.
As a result arbitrary code execution and secure boot protection bypass may
be achieved.

Reported-by: Maxim Suhanov

*******************************************************************************

CVE-2023-4693 grub2: OOB read when reading data from the resident $DATA attribute
5.3/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

There is an out-of-bounds read at grub-core/fs/ntfs.c. A physically present
attacker may leverage that by presenting a specially crafted NTFS file system
image to read arbitrary memory locations. A successful attack may allow
sensitive data cached in memory or EFI variable values to be leaked, presenting
a high confidentiality risk.

Reported-by: Maxim Suhanov

*******************************************************************************

 grub-core/fs/ntfs.c | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 105 insertions(+), 16 deletions(-)

Maxim Suhanov (6):
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
      fs/ntfs: Fix an OOB read when parsing a volume label
      fs/ntfs: Make code more readable

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
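As an added example, not code from GRUB, shim or this message: the generation comparison that the SBAT-based mitigation above relies on, as described in SBAT.md [1], in plain C. A component listed in a binary's .sbat section is revoked when its generation number is lower than the generation the revocation list records for the same component name. Both CSV inputs below are constructed for this example; the vendor, package, version and URL fields in them are placeholders, and the function and constant names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample .sbat section of a hypothetical GRUB build.
 * Columns per SBAT.md: component,generation,vendor,package,version,url
 * (vendor/package/version/URL values here are placeholders). */
static const char *OLD_GRUB_SBAT =
  "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
  "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
  "grub.examplevendor,1,Example Vendor,grub2,2.06-99.example,https://example.invalid/\n";

/* Same component after an update that bumped the upstream grub generation. */
static const char *UPDATED_GRUB_SBAT =
  "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
  "grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/\n"
  "grub.examplevendor,1,Example Vendor,grub2,2.12-1.example,https://example.invalid/\n";

/* Constructed revocation list in the "component,generation" form that shim
 * consumes; the first line is the list's own header line. */
static const char *REVOCATIONS =
  "sbat,1,2023100300\n"
  "shim,2\n"
  "grub,4\n";

/* Parse "name,generation[,...]" from a single line of length n.
 * Returns 1 and fills name/gen on success, 0 on a malformed line. */
static int parse_entry(const char *line, size_t n, char *name, size_t name_sz, long *gen)
{
  const char *c1 = memchr(line, ',', n);
  if (c1 == NULL) return 0;
  size_t name_len = (size_t)(c1 - line);
  if (name_len == 0 || name_len >= name_sz) return 0;
  memcpy(name, line, name_len);
  name[name_len] = '\0';

  const char *g = c1 + 1;
  size_t rest = n - name_len - 1;
  const char *c2 = memchr(g, ',', rest);
  size_t gl = c2 ? (size_t)(c2 - g) : rest;
  char buf[32];
  if (gl == 0 || gl >= sizeof buf) return 0;
  memcpy(buf, g, gl);
  buf[gl] = '\0';
  char *end;
  *gen = strtol(buf, &end, 10);
  return *end == '\0' && *gen >= 0;   /* generation must be a non-negative integer */
}

/* Count the components of binary_sbat whose generation is below the revoked
 * generation recorded for the same name. 0 means the binary passes the check. */
int sbat_revoked_count(const char *binary_sbat, const char *revocations)
{
  int revoked = 0;
  for (const char *r = revocations; *r != '\0'; ) {
    const char *rnl = strchr(r, '\n');
    size_t rn = rnl ? (size_t)(rnl - r) : strlen(r);
    char rname[64];
    long rgen;
    if (rn > 0 && parse_entry(r, rn, rname, sizeof rname, &rgen)) {
      for (const char *b = binary_sbat; *b != '\0'; ) {
        const char *bnl = strchr(b, '\n');
        size_t bn = bnl ? (size_t)(bnl - b) : strlen(b);
        char bname[64];
        long bgen;
        if (bn > 0 && parse_entry(b, bn, bname, sizeof bname, &bgen)
            && strcmp(bname, rname) == 0 && bgen < rgen)
          revoked++;
        if (bnl == NULL) break;
        b = bnl + 1;
      }
    }
    if (rnl == NULL) break;
    r = rnl + 1;
  }
  return revoked;
}

int main(void)
{
  printf("old grub:     %d revoked component(s)\n", sbat_revoked_count(OLD_GRUB_SBAT, REVOCATIONS));
  printf("updated grub: %d revoked component(s)\n", sbat_revoked_count(UPDATED_GRUB_SBAT, REVOCATIONS));
  return 0;
}
```

With the constructed data the old build is refused because its `grub` entry is at generation 3 while the list revokes everything below 4, and the updated build passes; the vendor-specific `grub.examplevendor` line is a separate component and is only affected by a revocation that names it. This function performs only the generation comparison; shim additionally refuses binaries that carry no parseable .sbat section at all, which is the reason the shim itself has to be updated alongside GRUB.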

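Both CVE descriptions above come down to trusting length and offset fields read from the on-disk image when walking attribute records. As an added example, not GRUB's code and not the record layout of grub-core/fs/ntfs.c, here is a simplified walk over NTFS-style variable-length attribute records that checks every record length and every resident-value offset and length against the real buffer size before using it, the kind of check that closes both an out-of-bounds write while parsing an attribute list and an out-of-bounds read of a resident value. The header layout, field names, function names and sample images are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified, hypothetical record layout (not GRUB's ntfs.c structures):
 *   u32 type; u32 rec_len; u16 val_off; u16 val_len; <value bytes...>
 * A type of 0xFFFFFFFF marks the end of the list, as it does in NTFS. */
#define HDR_SIZE   12u
#define END_MARKER 0xFFFFFFFFu

struct attr_view {
  uint32_t type;
  const uint8_t *value;   /* points into the caller's buffer */
  uint32_t value_len;
};

static uint32_t rd32(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the records in buf[0..len). Returns the number of well-formed records
 * (at most max_out are described in out), or -1 as soon as any header, record
 * length or resident value would reach outside the buffer. Every check is
 * against `len`, which the caller knows, never against a value from the image. */
int walk_attrs(const uint8_t *buf, size_t len, struct attr_view *out, size_t max_out)
{
  size_t off = 0;
  int n = 0;
  while (off < len) {
    if (len - off < 4) return -1;              /* no room even for an end marker */
    if (rd32(buf + off) == END_MARKER) break;
    if (len - off < HDR_SIZE) return -1;       /* header would run past the buffer */
    const uint8_t *rec = buf + off;
    uint32_t type = rd32(rec);
    uint32_t rec_len = rd32(rec + 4);
    uint16_t val_off = rd16(rec + 8);
    uint16_t val_len = rd16(rec + 10);
    if (rec_len < HDR_SIZE || rec_len > len - off) return -1;   /* record length lies */
    /* the resident value must lie entirely inside this record */
    if (val_off < HDR_SIZE || val_off > rec_len || val_len > rec_len - val_off) return -1;
    if ((size_t)n < max_out) {
      out[n].type = type;
      out[n].value = rec + val_off;
      out[n].value_len = val_len;
    }
    n++;
    off += rec_len;                            /* rec_len >= HDR_SIZE, so this always advances */
  }
  return n;
}

/* Helpers that build the constructed sample images used by the demos. */
static void put32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_rec(uint8_t *dst, uint32_t type, uint32_t rec_len, uint16_t val_off, uint16_t val_len)
{ put32(dst, type); put32(dst + 4, rec_len); put16(dst + 8, val_off); put16(dst + 10, val_len); }

/* Two consistent records followed by an end marker: expect 2. */
int demo_well_formed(void)
{
  uint8_t img[64] = {0};
  struct attr_view v[4];
  put_rec(img, 0x80, 20, 12, 8);       /* 8-byte resident value */
  put_rec(img + 20, 0x30, 16, 12, 4);  /* 4-byte resident value */
  put32(img + 36, END_MARKER);
  return walk_attrs(img, 40, v, 4);
}

/* A record that claims to be longer than the buffer holding it: expect -1. */
int demo_record_overruns_buffer(void)
{
  uint8_t img[64] = {0};
  struct attr_view v[4];
  put_rec(img, 0x80, 100, 12, 8);
  return walk_attrs(img, 40, v, 4);
}

/* A resident value whose length reaches past its own record: expect -1. */
int demo_value_overruns_record(void)
{
  uint8_t img[64] = {0};
  struct attr_view v[4];
  put_rec(img, 0x80, 20, 12, 64);
  put32(img + 20, END_MARKER);
  return walk_attrs(img, 40, v, 4);
}

int main(void)
{
  printf("well formed: %d\n", demo_well_formed());
  printf("record overruns buffer: %d\n", demo_record_overruns_buffer());
  printf("value overruns record: %d\n", demo_value_overruns_record());
  return 0;
}
```

The point of the design is that `walk_attrs` never derives a bound from the image and then trusts it: the record length is first validated against the bytes actually remaining, and only then are the value offset and length validated against that record length, so a crafted image can make the walk stop early but cannot make it read or write past `buf + len`.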