Red Hat patch vulnerability allows bypassing the GRUB2 password check

Details have been disclosed of a vulnerability (CVE-2023-4001) in the patches Red Hat applies to the GRUB2 bootloader.

The vulnerability allows the GRUB2 password check, which restricts access to the boot menu and the bootloader command line, to be bypassed on many UEFI systems.

The vulnerability is specific to the patches Red Hat applies to the GRUB2 package shipped with RHEL and Fedora Linux; the upstream GRUB2 project is not affected.

The vulnerability is caused by a flaw in the logic that uses a filesystem UUID to locate the device holding the configuration file (e.g. “/boot/EFI/fedora/grub.cfg”) that contains the password hash.

An attacker can exploit the flaw by attaching an external drive, such as a USB flash drive, carrying a filesystem with a modified UUID to the target system, thereby bypassing the authentication step.

UEFI firmware often gives external drives priority and enumerates them before internal drives, so GRUB2 will attempt to load the configuration file from the attacker’s modified /boot partition.

The “search” command in GRUB2 stops at the first device whose UUID matches; if the main configuration file is then not found, GRUB2 drops to a command-line prompt, giving the attacker full control over the boot process.

The UUID of the target partition can be determined by a local unprivileged user with the “lsblk” utility.

An outsider who has no account on the system but can watch it boot may be able to read the UUID from the diagnostic messages that some distributions display during startup.

Red Hat has addressed the vulnerability by adding a new argument to the “search” command that restricts the UUID scan to the block device from which the boot manager itself was loaded. As a consequence, the /boot partition must reside on the same disk as the EFI system partition.
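The precondition for the attack described above is a second attached filesystem advertising the same UUID as the real /boot partition. The following script is an added example, not part of the original report or of Red Hat's fix: a defender-side check that parses `lsblk -rno NAME,RM,UUID` style output and reports filesystem UUIDs that appear on more than one device, flagging removable ones. The lsblk sample and the /boot UUID are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `lsblk -rno NAME,RM,UUID` output (not captured from a
# real host): an internal NVMe disk whose second partition is /boot, plus a
# USB stick (RM=1) whose filesystem carries the same UUID as /boot.
SAMPLE_LSBLK='nvme0n1 0
nvme0n1p1 0 1A2B-3C4D
nvme0n1p2 0 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0
nvme0n1p3 0 9e8d7c6b-5a49-3827-1605-f4e3d2c1b0a9
sda 1
sda1 1 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0'

# Hypothetical UUID of the trusted /boot partition; on a real host it would be
# read from /etc/fstab or `findmnt -no UUID /boot`.
BOOT_UUID='0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0'

# Read lsblk lines on stdin and print every UUID seen on more than one device,
# followed by the device names; devices with RM=1 are tagged "(removable)".
duplicate_uuids() {
    awk 'NF == 3 {
             seen[$3]++
             tag = ($2 == "1") ? "(removable)" : ""
             devs[$3] = devs[$3] " " $1 tag
         }
         END {
             for (u in seen) if (seen[u] > 1) print u ":" devs[u]
         }'
}

# Succeed (exit 0) when a removable device carries the given UUID, i.e. the
# situation in which a UEFI boot-order preference for external media would let
# GRUB2's UUID search pick the wrong /boot.
removable_shares_uuid() {
    printf '%s\n' "$SAMPLE_LSBLK" |
        awk -v boot="$1" 'NF == 3 && $3 == boot && $2 == "1" { hit = 1 }
                          END { exit hit ? 0 : 1 }'
}

if removable_shares_uuid "$BOOT_UUID"; then
    echo "WARNING: a removable device shares the /boot UUID:"
    printf '%s\n' "$SAMPLE_LSBLK" | duplicate_uuids
else
    echo "no removable device shares the /boot UUID"
fi
```

On a live host, replace SAMPLE_LSBLK with the real `lsblk -rno NAME,RM,UUID` output; a hit only shows that the precondition exists, not that the bootloader is unpatched.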
