|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2020-07-29 18:47:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
A long list of GRUB2 secure-boot holes
Several vulnerabilities have been disclosed in the GRUB2 bootloader; they
enable the circumvention of the UEFI secure boot mechanism and the
persistent installation of hostile software. Fixing the problem is not just
a matter of getting a new GRUB2 installation, unfortunately.
"It is important to note that updating the exploitable
binaries does not in fact mitigate the CVE, since an attacker could
bring an old, exploitable, signed copy of a grub binary onto a system
with whatever kernel they wished to load. In order to mitigate, the
UEFI Revocation List (dbx) must be updated on a system. Once the UEFI
Revocation List is updated on a system, it will no longer boot
binaries that pre-date these fixes. This includes old install media."
Several vulnerabilities have been disclosed in the GRUB2 bootloader; they
enable the circumvention of the UEFI secure boot mechanism and the
persistent installation of hostile software. Fixing the problem is not just
a matter of getting a new GRUB2 installation, unfortunately.
"It is important to note that updating the exploitable
binaries does not in fact mitigate the CVE, since an attacker could
bring an old, exploitable, signed copy of a grub binary onto a system
with whatever kernel they wished to load. In order to mitigate, the
UEFI Revocation List (dbx) must be updated on a system. Once the UEFI
Revocation List is updated on a system, it will no longer boot
binaries that pre-date these fixes. This includes old install media."
