If you are using GRUB2 as the bootloader on your computer, you should update it now: 8 vulnerabilities in the GRUB2 bootloader were recently disclosed, one of which is rated critical.
The most dangerous of them is the one catalogued as CVE-2020-10713 and nicknamed BootHole. This vulnerability makes it possible to bypass the UEFI Secure Boot mechanism and install malicious software without any verification.
The peculiarity of this vulnerability is that updating GRUB2 is not enough to fix it, since an attacker can use boot media carrying an earlier, vulnerable version that is still covered by a valid digital signature. An attacker can compromise the verification process not only for Linux, but also for other operating systems, including Windows.
The problem is that most Linux distributions use a small shim layer for verified boot, which is digitally signed by Microsoft.
This layer verifies GRUB2 with the distribution's own certificate, which allows distribution developers to avoid having every kernel and GRUB update certified by Microsoft.
By changing the content of grub.cfg, the vulnerability allows an attacker's code to run after shim has completed its verification but before the operating system loads, inserting itself into the chain of trust while Secure Boot is active and gaining full control over the rest of the boot process, including booting another operating system, modifying operating system components, and bypassing lockdown protections.
The vulnerability is caused by a buffer overflow that can be exploited to execute arbitrary code during the boot process. It is triggered when parsing the contents of the grub.cfg configuration file, which is usually located on the ESP (EFI System Partition) and can be edited by an attacker with administrator rights, without violating the integrity of the signed shim and GRUB2 executables.
Due to an error in the configuration parser code, the fatal parsing error handler YY_FATAL_ERROR only printed a warning but did not terminate the program. The danger of the vulnerability is reduced by the need for privileged access to the system; however, the problem can be used to install hidden rootkits when there is physical access to the computer (if it is possible to boot from the attacker's own media).
The other vulnerabilities that were found:
CVE-2020-14308: buffer overflow because the size of the memory area allocated in grub_malloc is not verified.
CVE-2020-14309: integer overflow in grub_squash_read_symlink, which can cause data to be written outside the allocated buffer.
CVE-2020-14310: integer overflow in read_section_from_string, which can cause data to be written outside the allocated buffer.
CVE-2020-14311: integer overflow in grub_ext2_read_link, which can cause data to be written outside the allocated buffer.
CVE-2020-15705: allows unsigned kernels to be booted directly in Secure Boot mode without the intermediate shim layer.
CVE-2020-15706: access to an already freed memory area (use-after-free) when a function is redefined during execution.
CVE-2020-15707: integer overflow in the initrd size handler.
Not everything is lost, though: to fix this problem it is enough to update the list of revoked certificates (dbx, the UEFI Revocation List) on the system, but in that case the ability to boot older Linux installation media is lost.
Some hardware manufacturers have already included an updated list of revoked certificates in their firmware; on such systems, in UEFI Secure Boot mode, only updated builds of Linux distributions can be booted.
To correct the vulnerability in the distributions, the installers, boot loaders, kernel packages, fwupd firmware and the shim compatibility layer must also be updated, and new digital signatures generated for them.
Users should update their installation images and other bootable media, and load the Certificate Revocation List (dbx) into the UEFI firmware. Until dbx is updated in UEFI, the system remains vulnerable regardless of which updates have been installed in the operating system.
Finally, it is reported that package updates have been released for Debian, Ubuntu, RHEL and SUSE, and a set of patches has been released for GRUB2.
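Because the fix depends on the dbx revocation list reaching the firmware, a defender wants a way to inspect what the firmware's dbx actually contains. The following is an added example (not code from the article, from GRUB or from any distribution) that parses the EFI_SIGNATURE_LIST format used by dbx, counts the SHA-256 hashes and X.509 certificates in it, and reports which hashes from a revocation list are still missing. The structure layout and the signature type GUIDs come from the UEFI specification; the sample dbx contents, owner GUID and "expected" revocation hashes are constructed here, since the article does not list the real BootHole hashes.

```python
"""Inspect a UEFI dbx (forbidden signatures database) image.
Added example; structure layout and type GUIDs follow the UEFI spec,
all sample dbx contents and expected hashes below are constructed."""
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIGLIST_HEADER = struct.Struct("<16sIII")
EFIVARS_ATTR_LEN = 4  # files in /sys/firmware/efi/efivars start with 4 attribute bytes


def parse_signature_lists(blob, efivars_file=False):
    """Return (type_guid, owner_guid, payload) tuples from concatenated
    EFI_SIGNATURE_LIST structures (the format of db/dbx and of dbx update files)."""
    off = EFIVARS_ATTR_LEN if efivars_file else 0
    entries = []
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off)
        end = off + list_size
        body = off + SIGLIST_HEADER.size + hdr_size
        if list_size < SIGLIST_HEADER.size or end > len(blob) or body > end:
            raise ValueError("bad SignatureListSize at offset %d" % off)
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID plus the payload.
        if sig_size <= 16 or (end - body) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        while body < end:
            owner = uuid.UUID(bytes_le=blob[body:body + 16])
            entries.append((sig_type, owner, blob[body + 16:body + sig_size]))
            body += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Inverse of the parser; used here only to construct sample dbx data."""
    sig_size = 16 + len(payloads[0])
    if any(len(p) != sig_size - 16 for p in payloads):
        raise ValueError("all payloads in one list must have the same length")
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = SIGLIST_HEADER.pack(sig_type.bytes_le, SIGLIST_HEADER.size + len(body), 0, sig_size)
    return header + body


def summarize(entries):
    """Count dbx entries per signature type."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts = {}
    for sig_type, _owner, _payload in entries:
        key = names.get(sig_type, str(sig_type))
        counts[key] = counts.get(key, 0) + 1
    return counts


def missing_revocations(entries, expected_sha256_hex):
    """Hashes from a revocation list that are NOT yet in dbx (empty = fully applied)."""
    present = {p.hex() for t, _o, p in entries if t == EFI_CERT_SHA256_GUID}
    return sorted(h.lower() for h in expected_sha256_hex if h.lower() not in present)


# ---- constructed sample data: not real dbx contents, not real revocation hashes ----
SAMPLE_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # constructed owner GUID
OLD_HASH = hashlib.sha256(b"constructed: previously revoked image").hexdigest()
NEW_HASH = hashlib.sha256(b"constructed: vulnerable bootloader image").hexdigest()
FAKE_CERT = b"\x30\x82" + b"\x00" * 30  # constructed stand-in for a DER certificate

# dbx before the firmware update: one hash and one certificate revoked.
SAMPLE_DBX_BEFORE = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes.fromhex(OLD_HASH)])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT])
)
# dbx after applying a constructed revocation update that adds NEW_HASH.
SAMPLE_DBX_AFTER = SAMPLE_DBX_BEFORE + build_signature_list(
    EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes.fromhex(NEW_HASH)])
EXPECTED_REVOCATIONS = [OLD_HASH, NEW_HASH]


def check_dbx(blob, efivars_file=False):
    """Parse a dbx blob and return (counts per type, missing expected hashes)."""
    entries = parse_signature_lists(blob, efivars_file)
    return summarize(entries), missing_revocations(entries, EXPECTED_REVOCATIONS)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: pass the dbx efivar, whose file name carries the image security
        # database GUID d719b2cb-3d3a-4596-a3bc-dad00e67656f from the UEFI spec.
        with open(sys.argv[1], "rb") as f:
            print(check_dbx(f.read(), efivars_file=True))
    else:
        print("before update:", check_dbx(SAMPLE_DBX_BEFORE))
        print("after update: ", check_dbx(SAMPLE_DBX_AFTER))
```

Run without arguments, it walks the constructed "before" and "after" images and shows the second hash going from missing to present. Run against a real system, point it at the dbx file under /sys/firmware/efi/efivars (which needs the 4 attribute bytes skipped, hence the efivars_file flag) and replace EXPECTED_REVOCATIONS with the hashes from the revocation update your vendor or distribution ships; a non-empty missing list means the firmware side of the fix has not been applied yet, which is exactly the state in which the article says the system remains vulnerable.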