<div dir="auto"><div>Protecting from people with physical access to the device is... something very few people care much about except vendors who want to keep you from accessing your own device. Hell, the whole existence of signed bootloaders just complicates our lives.<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Aug 1, 2020, 1:42 AM Michael Paoli <<a href="mailto:Michael.Paoli@cal.berkeley.edu">Michael.Paoli@cal.berkeley.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yep, even calling that GRUB2 "boothole" bug a security bug is a fair<br>
bit of a stretch, ... but yeah, sure, security bug. How so?<br>
Might have to set up relatively contrived circumstances, but yes.<br>
E.g. set up sudo access to give non-root user access to<br>
very selectively edit the grub boot configuration file.<br>
But let's say it's a less than perfect implementation of<br>
least privilege principle. Does a fair bit of sanity checking<br>
and say, only lets the person edit one field on one line ...<br>
and, say, that field is pretty well checked ... must start and<br>
end with ", can't contain " or newline within. A semi-reasonable<br>
check. But, alas, GRUB2 ... and somebody didn't check - and maybe<br>
in such a sudo capability too - for things that are too or unreasonably<br>
long. And ... GRUB2 has a buffer overflow exploit in its<br>
handling/parsing of the file. "Oops".<br>
So, anyway, with our contrivance, taking such together, yes, a<br>
security bug. Now, how many hundreds of thousands or millions or<br>
more such systems have such a configuration with sudo or the<br>
like that makes that a privilege escalation attack? Probably<br>
very few. So ... not much of an issue. But yes, still (barely) a<br>
security bug ... why? Because it's something that normally operates<br>
with privilege, and is not doing so as designed/intended ... so ...<br>
that's enough to qualify it as a security bug. But "severe"? Not<br>
even close.<br>
<br>
> From: "Rick Moen" <<a href="mailto:rick@linuxmafia.com" target="_blank" rel="noreferrer">rick@linuxmafia.com</a>><br>
> Subject: Re: [conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't <br>
> look good...<br>
> Date: Thu, 30 Jul 2020 03:47:33 -0700<br>
<br>
> Quoting Michael Paoli (<a href="mailto:Michael.Paoli@cal.berkeley.edu" target="_blank" rel="noreferrer">Michael.Paoli@cal.berkeley.edu</a>):<br>
><br>
>> "severe vulnerability exists in almost all signed versions of GRUB2<br>
>> bootloader"<br>
>> <cough, cough><br>
>> Bug, sure. Even a security bug. But severe? Come now.<br>
>> So, how many hundreds of thousands, or millions or more,<br>
>> computers have been taken over by bad actors by this<br>
>> "severe" vulnerability. Oh, a few research computers in a security<br>
>> research lab ...<br>
>> where the researchers were given unrestricted root access on these<br>
>> hosts? Uh huh. Tell me again about how "severe" this<br>
>> vulnerability is.<br>
><br>
> In fact, as with many security news stories in popular-news IT magazines<br>
> and Web sites, they glossed over the fact that this alleged<br>
> vulnerability ('BootHole') doesn't permit any host compromise at all.<br>
> Using it to 'load arbitrary code' requires already being in full control<br>
> of the machine in the first place. It's only a problem if you seriously<br>
> expect local root users to be kept out of the boot chain. Which from a<br>
> Unix-ey perspective is a pretty bizarre use-case.<br>
><br>
> But popular-news IT sources mostly cater to readers who are not used to<br>
> thinking about security, and are ripe for clickbait.<br>
><br>
><br>
>> You want severe? How 'bout something like this:<br>
>> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902" rel="noreferrer noreferrer" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902</a><br>
>> <a href="https://www.kb.cert.org/vuls/id/290915" rel="noreferrer noreferrer" target="_blank">https://www.kb.cert.org/vuls/id/290915</a><br>
><br>
> Yeah, 'unauthenticated remote command execution': those are bad words.<br>
<br>
<br>
_______________________________________________<br>
conspire mailing list<br>
<a href="mailto:conspire@linuxmafia.com" target="_blank" rel="noreferrer">conspire@linuxmafia.com</a><br>
<a href="http://linuxmafia.com/mailman/listinfo/conspire" rel="noreferrer noreferrer" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br>
</blockquote></div></div></div>
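The contrived sudo-gated edit Michael describes above (one quoted field, checked for quoting but never for length, consumed by a parser with a fixed buffer) as an added illustration in C; this is example code written for this page, not GRUB2 code or anything from the thread, and FIELD_MAX, the field-check functions and the sample values are all constructed here.

```c
/* Added example: models the sudo-gated boot-config edit described in the
 * thread. Not GRUB2 code; FIELD_MAX and the sample values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64           /* hypothetical size of the consumer's buffer */
#define A8 "aaaaaaaa"          /* building block for a constructed long value */

/* Constructed sample: 64 'a's inside quotes, well formed but too long. */
static const char LONG_FIELD[] = "\"" A8 A8 A8 A8 A8 A8 A8 A8 "\"";

/* The check as described in the thread: must start and end with a double
 * quote and contain neither a quote nor a newline. Says nothing about length. */
bool field_ok_naive(const char *s) {
    size_t n = strlen(s);
    if (n < 2 || s[0] != '"' || s[n - 1] != '"') return false;
    for (size_t i = 1; i + 1 < n; i++)
        if (s[i] == '"' || s[i] == '\n') return false;
    return true;
}

/* Same check plus the missing bound: the value (without its quotes) must fit
 * the consumer's fixed buffer together with its terminating NUL. */
bool field_ok_bounded(const char *s) {
    return field_ok_naive(s) && strlen(s) - 2 < FIELD_MAX;
}

/* Consumer side: copy the quoted value into a fixed-size buffer, refusing
 * over-long input instead of overrunning the buffer. Returns the number of
 * bytes copied, or -1 when the field is rejected. */
int copy_quoted_field(const char *s, char out[FIELD_MAX]) {
    if (!field_ok_naive(s)) return -1;
    size_t n = strlen(s) - 2;
    if (n >= FIELD_MAX) return -1;   /* the bound whose absence is the bug */
    memcpy(out, s + 1, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char out[FIELD_MAX];
    printf("naive accepts long field: %d\n", field_ok_naive(LONG_FIELD));
    printf("bounded accepts long field: %d\n", field_ok_bounded(LONG_FIELD));
    printf("copy of long field: %d\n", copy_quoted_field(LONG_FIELD, out));
    return 0;
}
```

The naive check accepts the 64-byte value while the bounded check and the consumer both reject it; the length bound is the piece that turns "edit one field" into the least-privilege boundary it was meant to be.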