CVE-2022-2601/CVE-2022-3775: GRUB2 Bootloader Bugs Affect Billions of Devices
Billions of servers, workstations, laptops, desktops, and IoT systems running nearly any Linux distribution are affected by two GRUB2 bootloader vulnerabilities that can be exploited to circumvent the Secure Boot mechanism or to achieve arbitrary code execution.
A bootloader is a computer program that is responsible for booting a computer. GNU GRUB (GRand Unified Bootloader) is a free and open-source bootloader package developed by the GNU Project. It’s used by the GNU operating system and most Linux distributions.
Tracked as CVE-2022-2601 (CVSS score: 6.4), the reported vulnerability resides in the GRUB2 bootloader, which, if exploited, could potentially let attackers bypass the Secure Boot feature and install bootkits or malicious bootloaders that would give them control of the targeted device.
“A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write,” the security bulletin explained.
Discovered by researcher Zhang Boyang, CVE-2022-2601 is a buffer overflow vulnerability that affects all versions of GRUB2 and exists in the way it calculates the max_glyph_size value. An attacker may leverage this flaw to cause a buffer overflow and a heap-based out-of-bounds write, further hijacking the machine’s boot process and bypassing Secure Boot protection.
The second issue, tracked as CVE-2022-3775 (CVSS score: 6.3), is a heap-based out-of-bounds write flaw triggered when rendering certain Unicode sequences. This bug, too, was reported by researcher Zhang Boyang.
“When rendering certain Unicode sequences, GRUB2’s font code doesn’t properly validate if the informed glyph’s width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to an out-of-bounds write into GRUB2’s heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded,” read the security bulletin.
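Both bulletins describe the same class of defect in font parsing: a size derived from untrusted glyph metadata is used to allocate a buffer (and arithmetic on it can wrap), and glyph dimensions are not checked against the bitmap they are rendered into. The following is an added illustration of the defensive checks a parser needs, not GRUB2 source; the `glyph_hdr` struct, the bitmap limits and the function names are hypothetical.

```c
/* Added example (not GRUB2 code): size arithmetic and bounds checks for
 * glyph metadata read from an untrusted font file. Struct layout, limits
 * and function names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical glyph header as parsed from an untrusted font file. */
struct glyph_hdr {
    uint32_t width;   /* pixels */
    uint32_t height;  /* pixels */
};

/* Constructed limits of the bitmap glyphs are rendered into. */
#define BITMAP_MAX_WIDTH  256u
#define BITMAP_MAX_HEIGHT 256u

/* Weak pattern: 32-bit arithmetic on attacker-controlled fields. For a
 * width of 0xFFFFFFFF, width + 1 wraps to 0, so the computed size is 0 and
 * any buffer allocated from it is far smaller than what a renderer would
 * later write (the shape of defect described for CVE-2022-2601). */
uint32_t glyph_size_unchecked(const struct glyph_hdr *g) {
    return (g->width + 1u) * g->height;  /* may wrap silently */
}

/* Hardened version: reject zero or oversized dimensions before computing
 * the size, and do the multiplication in 64 bits so it cannot wrap. */
bool glyph_size_checked(const struct glyph_hdr *g, size_t *out) {
    if (g->width == 0 || g->height == 0)
        return false;
    if (g->width > BITMAP_MAX_WIDTH || g->height > BITMAP_MAX_HEIGHT)
        return false;
    uint64_t row   = (uint64_t)g->width + 1u;
    uint64_t total = row * (uint64_t)g->height;   /* <= 257 * 256, fits */
    *out = (size_t)total;
    return true;
}

/* Placement check (the validation CVE-2022-3775's bulletin says was
 * missing): a glyph drawn at (x, y) must lie entirely inside the bitmap.
 * Sums are done in 64 bits so x + width cannot wrap around to a small value. */
bool glyph_fits_bitmap(uint32_t x, uint32_t y, const struct glyph_hdr *g,
                       uint32_t bmp_w, uint32_t bmp_h) {
    if ((uint64_t)x + g->width > bmp_w)
        return false;
    if ((uint64_t)y + g->height > bmp_h)
        return false;
    return true;
}

int main(void) {
    /* Constructed inputs: one sane glyph, one with a wrapping width. */
    struct glyph_hdr ok  = { 8u, 16u };
    struct glyph_hdr bad = { 0xFFFFFFFFu, 1u };
    size_t n = 0;

    printf("unchecked size of bad glyph: %u (wrapped)\n", glyph_size_unchecked(&bad));
    printf("checked size of bad glyph accepted: %s\n",
           glyph_size_checked(&bad, &n) ? "yes" : "no");
    printf("checked size of ok glyph: %zu\n", glyph_size_checked(&ok, &n) ? n : 0);
    printf("ok glyph at (250,0) fits 256x256 bitmap: %s\n",
           glyph_fits_bitmap(250u, 0u, &ok, BITMAP_MAX_WIDTH, BITMAP_MAX_HEIGHT) ? "yes" : "no");
    return 0;
}
```

The two checks are independent: the size check protects the allocation, while the placement check protects every subsequent write into the bitmap, and a parser that performs only one of them still leaves the other out-of-bounds write reachable.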
Red Hat's security team analyzed the GRUB2 flaws and rated them as Moderate severity, while Ubuntu classified them as High severity. Both vendors recommended that users apply the security patches as soon as possible.