Security Vulnerability: Boothole 2022 / Boothole 3
This document (000020668) is provided subject to the disclaimer at the end of this document.
Environment
Situation
This vulnerability has similar effects and considerations to the original Boothole and Boothole2 issues.
For regular users with their machine under full control, this is less of an issue than in scenarios relying on secure boot, such as public systems.
Resolution
- CVE-2021-3695: A crafted PNG grayscale image may have led to out-of-bounds write in heap.
- CVE-2021-3696: A crafted PNG image may have led to out-of-bounds write during Huffman table handling.
- CVE-2021-3697: A crafted JPEG image could have led to buffer underflow write in the heap.
These security issues require attackers to supply crafted images to grub2, which is unlikely in common local scenarios, but can allow bypassing the secure boot chain.
- CVE-2022-28733: Fixed net/ip to do IP fragment maths safely.
  If grub2 is loading artefacts from the network, this could be used by man-in-the-middle attackers to execute code. This is an uncommon scenario.
- CVE-2022-28737: Fixed a buffer overflow in shim.
- CVE-2022-28734: Fixed net/http OOB write for split HTTP headers.
  If grub2 is loading artefacts from the network, this could be used by man-in-the-middle attackers to execute code. This is an uncommon scenario.
- CVE-2022-28735: grub2 verifier framework changes to avoid potential bypasses.
- CVE-2022-28736: Fixed a use-after-free in chainloader command.
SUSE will:
- Switch to a new secure boot signing key for secure boot signed artefacts.
- Release grub2 updates, with incremented SBAT revision on x86_64 and also signed with the new secure boot key to allow disabling it on IBM Z and IBM Power.
- Release Linux kernel updates signed with the new signing key around June 14 and the following days, at our regular "second Tuesday of the month" kernel release time.
- Release various other secure boot signed artefact packages over the next days and weeks.
- Release a new shim version that disallows use of the previous secure boot keys and also fixes a shim security issue, with incremented SBAT version after all the previous updates.
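Why an incremented SBAT revision shuts out the older grub2 builds, shown as an added example that is not part of SUSE's article: shim compares each component generation in a binary's `.sbat` section with the minimum generation in its revocation list and refuses the binary if any is lower. All component names, generation numbers, versions and URLs below are constructed for illustration and are not SUSE's real values.

```python
import csv
import io

# Constructed sample data: names, generations, versions and URLs are
# placeholders for illustration, not values taken from SUSE packages.
# The trailing NUL bytes mimic padding left when a .sbat section is dumped.
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,1,Example Upstream,grub,2.04,https://example.invalid/grub
grub.examplevendor,1,Example Vendor,grub2,2.04-1,https://example.invalid/vendor
\x00\x00"""

NEW_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,2,Example Upstream,grub,2.06,https://example.invalid/grub
grub.examplevendor,1,Example Vendor,grub2,2.06-1,https://example.invalid/vendor
"""

# Constructed revocation list: "component,minimum generation" per line
# (the sbat line additionally carries a datestamp).
REVOCATIONS = "sbat,1,2000010100\ngrub,2\n"


def parse_sbat(text):
    """Map component name -> generation for SBAT CSV text."""
    levels = {}
    for row in csv.reader(io.StringIO(text.replace("\x00", ""))):
        if len(row) < 2 or not row[0].strip():
            continue  # skip blank or truncated lines
        levels[row[0].strip()] = int(row[1])
    return levels


def revoked_components(binary_sbat, revocations):
    """Components whose generation is below the revocation minimum."""
    have = parse_sbat(binary_sbat)
    minimum = parse_sbat(revocations)
    return sorted(n for n, g in have.items() if n in minimum and g < minimum[n])


def would_load(binary_sbat, revocations):
    """True when no component of the binary falls below the minimum."""
    return not revoked_components(binary_sbat, revocations)


if __name__ == "__main__":
    print("old grub2:", revoked_components(OLD_GRUB_SBAT, REVOCATIONS))
    print("new grub2:", revoked_components(NEW_GRUB_SBAT, REVOCATIONS))
```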
References:
grub2 security issues:
- https://www.suse.com/security/cve/CVE-2022-28736
- https://www.suse.com/security/cve/CVE-2022-28735
- https://www.suse.com/security/cve/CVE-2022-28734
- https://www.suse.com/security/cve/CVE-2022-28733
- https://www.suse.com/security/cve/CVE-2021-3697
- https://www.suse.com/security/cve/CVE-2021-3696
- https://www.suse.com/security/cve/CVE-2021-3695
shim security issue:
- https://www.suse.com/security/cve/CVE-2022-28737
Status
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020668
- Creation Date: 07-Jun-2022
- Modified Date: 30-Aug-2022
- SUSE Enterprise Storage
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Real Time
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
- SUSE Manager Server
- SUSE Linux Enterprise Micro
- SUSE Linux Enterprise HPC
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com