The GRUB bootloader saw a set of 73 patches last month to address a variety of security flaws that were discovered.
Flying under the radar until now was a set of 73 patches merged in February to address a number of security issues, several of which were assigned CVEs for the potentially exploitable bugs.
While the patches have been public for a month and committed to the GRUB Git codebase, no new tagged GRUB version has yet been published. In fact, there have been no new GRUB releases since GRUB 2.12, which is already 15 months old.
These GRUB security patches only came to my attention today with the GNU Boot 0.1 RC6 release. The new GNU Boot release candidate calls attention to the multiple security issues facing GRUB, and thus they updated their included copy of GRUB with the necessary security patches. Among the GRUB security issues potentially impacting GNU Boot users:
“Users having replaced the GNU Boot picture / logo with untrusted pictures could have been affected if the pictures they used were specially crafted to exploit a vulnerability in GRUB and take full control of the computer. In general it’s a good idea to avoid using untrusted pictures in GRUB or other boot software to limit such risks because software can have bugs (a similar issue also happened in a free software UEFI implementation).
Users having implemented various user-respecting flavor(s) of secure-boot, either by using GPG signatures and/or by using a GRUB password combined with full disk encryption are also affected as these security vulnerabilities could enable people to bypass secure-boot schemes.
In addition there are also security vulnerabilities in file systems, which also enable execution of code. When booting, GRUB has to load files (like the Linux or linux-libre kernel) that are executed anyway. But in some cases, it could still affect users.
This could happen when trying to boot from a USB key, and also having another USB key that has a file system that was crafted to take control of the computer.”
The 73 patches can be found on the GRUB mailing list along with more details on the issues for those interested. The issues range from out-of-bounds writes to integer overflows, the dump command now being subject to lockdown mode when using Secure Boot, and other issues.
The only bit of good news is that the “major Linux distros carry or will carry soon one form or another of these patches”, so the likelihood of these issues being exploited at scale is hopefully minimal. Today’s GNU Boot announcement does note that some free software Linux distributions endorsed by the FSF are not comfortable using GRUB Git snapshots and thus remain vulnerable:
“For most 100% free distributions, using GRUB from git would be a significant effort in testing and/or in packaging.
We notified Trisquel, Parabola and Guix and the ones who responded are not comfortable with updating GRUB to a not-yet released git revision. Though in the case of Parabola nothing prevents adding a new grub-git package that has no known vulnerabilities in addition to the existing grub package, so patches for that are welcome.”
Hopefully GRUB will be able to improve their release process as a side effect of these issues.