[conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Aug 1 01:40:16 PDT 2020


Yep, even calling that GRUB2 "boothole" bug a security bug is a fair
bit of a stretch, ... but yeah, sure, security bug.  How so?
Might have to set up relatively contrived circumstances, but yes.
E.g. set up sudo access to give non-root user access to
very selectively edit the grub boot configuration file.
But let's say it's a less than perfect implementation of the
least privilege principle.  It does a fair bit of sanity checking
and, say, only lets the person edit one field on one line ...
and, say, that field is pretty well checked ... must start and
end with ", and can't contain " or a newline within.  A semi-reasonable
check.  But, alas, GRUB2 ... and somebody didn't check - and maybe
in such a sudo capability too - for things that are too or unreasonably
long.  And ... GRUB2 has a buffer overflow exploit in its
handling/parsing of the file.  "Oops".
So, anyway, with our contrivance, taking such together, yes, a
security bug.  Now, how many hundreds of thousands or millions or
more such systems have such a configuration with sudo or the
like that makes that a privilege escalation attack?  Probably
very few.  So ... not much of an issue.  But yes, still (barely) a
security bug ... why?  Because it's something that normally operates
with privilege, and is not doing so as designed/intended ... so ...
that's enough to qualify it as a security bug.  But "severe"? Not
even close.

> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...
> Date: Thu, 30 Jul 2020 03:47:33 -0700

> Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
>
>> "severe vulnerability exists in almost all signed versions of GRUB2
>> bootloader"
>> <cough, cough>
>> Bug, sure.  Even a security bug.  But severe?  Come now.
>> So, how many hundreds of thousands, or millions or more,
>> computers have been taken over by bad actors by this
>> "severe" vulnerability.  Oh, a few research computers in a security
>> research lab ...
>> where the researchers were given unrestricted root access on these
>> hosts?  Uh huh.  Tell me again about how "severe" this
>> vulnerability is.
>
> In fact, as with many security news stories in popular-news IT magazines
> and Web sites, they glossed over the fact that this alleged
> vulnerability ('BootHole') doesn't permit any host compromise at all.
> Using it to 'load arbitrary code' requires already being in full control
> of the machine in the first place.  It's only a problem if you seriously
> expect local root users to be kept out of the boot chain.  Which from a
> Unix-ey perspective is a pretty bizarre use-case.
>
> But popular-news IT sources mostly cater to readers who are not used to
> thinking about security, and are ripe for clickbait.
>
>
>> You want severe?  How 'bout something like this:
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902
>> https://www.kb.cert.org/vuls/id/290915
>
> Yeah, 'unauthenticated remote command execution': those are bad words.
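
The contrivance Michael sketches above (a gatekeeper that checks the
quoting of a config field but not its length, in front of a parser that
copies the field into a fixed buffer) is worth seeing in code.  The
following is an added illustration written for this page; it is not code
from the mailing-list post, not GRUB2's parser, and not the actual
BootHole defect.  TOKEN_MAX, the function names and the sample field are
all hypothetical.

```c
/* Added example, not from the post or from GRUB2: a toy version of the
 * "quoted field" sanity check described in the thread, beside a fixed-buffer
 * unquote routine that forgets to bound its copy, and a hardened version. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 64   /* hypothetical fixed token buffer size */

/* The "semi-reasonable" gatekeeper check: the field must start and end with a
 * double quote and contain no inner quote or newline. Note that it says
 * nothing at all about length. */
bool field_looks_sane(const char *field)
{
    size_t n = strlen(field);
    if (n < 2 || field[0] != '"' || field[n - 1] != '"')
        return false;
    for (size_t i = 1; i + 1 < n; i++)
        if (field[i] == '"' || field[i] == '\n')
            return false;
    return true;
}

/* Unsafe parser: copies the quoted body into a fixed buffer with no bound.
 * A field that passes field_looks_sane() but is longer than TOKEN_MAX - 1
 * bytes writes past tok[]. Shown for contrast only; never call it on
 * untrusted input. */
void unquote_unsafe(const char *field, char tok[TOKEN_MAX])
{
    size_t i = 0;
    for (const char *p = field + 1; *p != '"'; p++)
        tok[i++] = *p;           /* no check that i < TOKEN_MAX */
    tok[i] = '\0';
}

/* Hardened parser: same job, but refuses anything that will not fit and
 * never writes beyond the caller's buffer.
 * Returns 0 on success, -1 on malformed input, -2 on an overlong token. */
int unquote_safe(const char *field, char *tok, size_t tok_size)
{
    if (tok_size == 0)
        return -1;
    size_t n = strlen(field);
    if (n < 2 || field[0] != '"' || field[n - 1] != '"')
        return -1;
    size_t body = n - 2;
    if (memchr(field + 1, '"', body) || memchr(field + 1, '\n', body))
        return -1;
    if (body >= tok_size) {      /* leave room for the terminator */
        tok[0] = '\0';
        return -2;
    }
    memcpy(tok, field + 1, body);
    tok[body] = '\0';
    return 0;
}

/* Constructed sample input: a field of body_len 'A' bytes wrapped in quotes.
 * buf must hold body_len + 3 bytes. */
static void make_field(char *buf, size_t body_len)
{
    buf[0] = '"';
    memset(buf + 1, 'A', body_len);
    buf[body_len + 1] = '"';
    buf[body_len + 2] = '\0';
}

/* Returns 1 when an overlong field slips past the sanity check but is still
 * refused by the bounded parser: exactly the gap the post describes. */
int overlong_field_is_caught_only_by_parser(void)
{
    char field[4 * TOKEN_MAX];
    char tok[TOKEN_MAX];
    make_field(field, 3 * TOKEN_MAX);   /* 192-byte body, far past tok[] */
    return field_looks_sane(field)
        && unquote_safe(field, tok, sizeof tok) == -2;
}

/* Returns 1 when a normal-sized field passes both the check and the parser. */
int short_field_round_trips(void)
{
    char tok[TOKEN_MAX];
    const char *field = "\"quiet splash\"";   /* constructed sample */
    return field_looks_sane(field)
        && unquote_safe(field, tok, sizeof tok) == 0
        && strcmp(tok, "quiet splash") == 0;
}

int main(void)
{
    printf("overlong field passes check, rejected by parser: %d\n",
           overlong_field_is_caught_only_by_parser());
    printf("short field round-trips: %d\n", short_field_round_trips());
    return 0;
}
```

The point of the pairing is that field_looks_sane() is doing its job as
specified and is still not enough: whichever layer owns the fixed buffer has
to own the length check too, which is what unquote_safe() does and
unquote_unsafe() does not.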

More information about the conspire mailing list