Information has been disclosed about 8 vulnerabilities in the GRUB2 boot loader that bypass the UEFI Secure Boot mechanism and allow unverified code to run, for example by injecting malware that executes at the bootloader or kernel level.
Recall that most Linux distributions use a small shim layer, digitally signed by Microsoft, for verified boot in UEFI Secure Boot mode. This layer verifies GRUB2 with the distribution's own certificate, which frees distribution developers from having to get every kernel and GRUB update certified by Microsoft. The vulnerabilities in GRUB2 allow an attacker to execute code at the stage after shim verification has succeeded but before the operating system is loaded, wedging into the chain of trust while Secure Boot is active and gaining full control over the rest of the boot process, including loading another OS, modifying operating system components and bypassing Lockdown protection.
As with last year's BootHole vulnerability, updating the bootloader is not enough to block the problem, since an attacker, regardless of the operating system in use, can boot media carrying an old, vulnerable but still validly signed version of GRUB2 to compromise UEFI Secure Boot. The problem can be solved only by updating the certificate revocation list (dbx, the UEFI Revocation List), but then the ability to boot old Linux installation media is lost. To speed up the distribution of revoked certificates in the future, it is planned to use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, support for which has been implemented in GRUB2, shim and fwupd.
On systems whose firmware has the updated list of revoked certificates, only updated builds of Linux distributions can be booted in UEFI Secure Boot mode. Distributions will need to update installers, boot loaders, kernel packages, fwupd firmware and the shim layer, generating new digital signatures for them. Users will need to update installation images and other bootable media, and load the certificate revocation list (dbx) into the UEFI firmware. Until dbx is updated in UEFI, the system remains vulnerable regardless of whether updates have been installed in the OS. You can check the remediation status on these pages: Ubuntu, SUSE, RHEL, Debian.
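The two revocation mechanisms the article contrasts, dbx hash entries and SBAT generation numbers, behave quite differently when a vulnerable signed GRUB2 build turns up on old boot media. The following is an added example written for this page; it is not code from the article, from shim or from GRUB2. It models the SBAT CSV layout (component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url) and a shim-style policy of minimum generations, and makes these simplifying assumptions, labelled in the code: the check rule is a reduced version of shim's documented behaviour, the `.sbat` contents, the `grub.exampledistro` entry, the `https://example.invalid` URL, the policy text and the image bytes are all constructed, and a plain SHA-256 of the image bytes stands in for the Authenticode hash a real dbx entry carries.

```python
"""Toy model of the two UEFI Secure Boot revocation mechanisms the article mentions:
hash-based dbx entries and SBAT generation numbers. Constructed example for this
page; not shim's or GRUB2's code."""
import hashlib
from typing import Dict, List, Set, Tuple

# --- Constructed .sbat section contents -------------------------------------
# SBAT data is CSV, one component per line:
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
# The generation number is bumped when a vulnerability is fixed; the vendor,
# version and URL fields are informational. The distro entry and URL are made up.
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.exampledistro,1,Example Distro,grub2,2.06-1,https://example.invalid/grub2\n"
)
PATCHED_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.exampledistro,2,Example Distro,grub2,2.06-2,https://example.invalid/grub2\n"
)

# Constructed revocation policy in the layout shim keeps in its SbatLevel variable:
# component_name,minimum_acceptable_generation[,date]. "grub,2" means: refuse any
# binary whose SBAT data lists the "grub" component with generation below 2.
REVOCATION_POLICY = "sbat,1,2021030218\ngrub,2\n"


def parse_sbat(text: str) -> Dict[str, int]:
    """Map component_name -> component_generation from SBAT-style CSV text.
    Malformed or duplicate entries raise ValueError instead of being skipped:
    a loader that guesses on bad revocation data fails open."""
    entries: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[0]:
            raise ValueError(f"line {lineno}: need at least name,generation")
        name, gen_text = fields[0], fields[1]
        if not gen_text.isdigit():
            raise ValueError(f"line {lineno}: generation {gen_text!r} is not a number")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate component {name!r}")
        entries[name] = int(gen_text)
    return entries


def check_sbat(binary_sbat: str, policy: str) -> Tuple[bool, List[str]]:
    """Decide whether a binary's SBAT data passes the revocation policy.

    Simplified rule (an assumption modelled on shim's documented behaviour):
    every component the binary declares that also appears in the policy must
    have generation >= the policy minimum; components the policy does not name
    are unconstrained; a binary with no SBAT data at all is refused.
    Returns (allowed, reasons-for-refusal)."""
    required = parse_sbat(policy)
    declared = parse_sbat(binary_sbat)
    reasons: List[str] = []
    if not declared:
        reasons.append("binary carries no SBAT data")
    for name, gen in declared.items():
        minimum = required.get(name)
        if minimum is not None and gen < minimum:
            reasons.append(f"{name}: generation {gen} < required {minimum}")
    return (not reasons, reasons)


# --- dbx-style hash revocation, for contrast --------------------------------
# Constructed stand-ins for two signed grubx64.efi images.
OLD_GRUB_IMAGE = b"constructed stand-in for a vulnerable signed grubx64.efi"
PATCHED_GRUB_IMAGE = b"constructed stand-in for a fixed signed grubx64.efi"

# A real dbx holds EFI_CERT_SHA256 entries with the Authenticode hash of each
# revoked PE image (or revoked certificates); a plain SHA-256 of the bytes
# stands in for that here. Note: one entry per revoked build.
DBX_HASHES: Set[str] = {hashlib.sha256(OLD_GRUB_IMAGE).hexdigest()}


def dbx_revoked(image: bytes, dbx: Set[str]) -> bool:
    """True if the image's hash is on the revocation list. Every vulnerable
    build needs its own entry, which is why dbx grows with each incident while
    a single SBAT generation bump covers every build of a component."""
    return hashlib.sha256(image).hexdigest() in dbx


if __name__ == "__main__":
    for label, sbat in (("old GRUB2", OLD_GRUB_SBAT), ("patched GRUB2", PATCHED_GRUB_SBAT)):
        allowed, why = check_sbat(sbat, REVOCATION_POLICY)
        print(f"SBAT {label}: {'allowed' if allowed else 'refused: ' + '; '.join(why)}")
    for label, image in (("old GRUB2", OLD_GRUB_IMAGE), ("patched GRUB2", PATCHED_GRUB_IMAGE)):
        print(f"dbx  {label}: {'revoked' if dbx_revoked(image, DBX_HASHES) else 'not listed'}")
```

Running the module refuses the old build under both mechanisms and admits the patched one, but the two decisions rest on different data: the dbx verdict needs a fresh hash entry for every vulnerable build ever signed, whereas the SBAT verdict comes from the single `grub,2` line in the policy, which is what lets a generation bump cover all older builds of a component at once.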
Identified vulnerabilities: