Message-ID: <4e7d1ac7-f933-4ec8-95a2-df95100988e7@oracle.com>
Date: Tue, 18 Feb 2025 11:06:19 -0800
From: Jan Setje-Eilers <Jan.SetjeEilers@...cle.com>
To: oss-security@...ts.openwall.com
Subject: GRUB CVE disclosures



On February 18th at 10am PST the following CVEs were disclosed to the 
public via this message sent to grub-devel:

https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html

You may expect the CVEs to go public in the various databases in the
coming hours.

1) CVE-2024-45774: reader/jpeg: Heap OOB Write during JPEG parsing.
2) CVE-2024-45775: commands/extcmd: Missing check for failed allocation.
3) CVE-2024-45776: grub-core/gettext: Integer overflow leads to Heap OOB
                    Write and Read.
4) CVE-2024-45777: grub-core/gettext: Integer overflow leads to Heap OOB
                    Write.
5) CVE-2024-45778: fs/bfs: Integer overflow in the BFS parser.
6) CVE-2024-45779: fs/bfs: Integer overflow leads to Heap OOB Read
                    (Write?) in the BFS parser.
7) CVE-2024-45780: fs/tar: Integer Overflow causes Heap OOB Write.
8) CVE-2024-45781: fs/ufs: OOB write in the heap.
9) CVE-2024-45782: fs/hfs: strcpy() using the volume name (fs/hfs.c:382)
10) CVE-2024-45783: fs/hfs+: refcount can be decremented twice
11) CVE-2025-0622: command/gpg: Use-after-free due to hooks not being
                    removed on module unload
12) CVE-2025-0624: net: Out-of-bounds write in
                    grub_net_search_config_file()
13) CVE-2025-0677: UFS: Integer overflow may lead to heap based
                    out-of-bounds write when handling symlinks
14) CVE-2025-0678: squash4: Integer overflow may lead to heap based
                    out-of-bounds write when reading data
15) CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may
                    lead to heap based out-of-bounds write when reading
                    data
16) CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead
                    to heap based out-of-bounds write when reading data
17) CVE-2025-0686: romfs: Integer overflow when handling symlinks may
                    lead to heap based out-of-bounds write when reading
                    data
18) CVE-2025-0689: udf: Heap based buffer overflow in
                    grub_udf_read_block() may lead to arbitrary code
                    execution
19) CVE-2025-0690: read: Integer overflow may lead to out-of-bounds
                    write
20) CVE-2025-1118: commands/dump: The dump command is not in lockdown
                    when secure boot is enabled
21) CVE-2025-1125: fs/hfs: Integer overflow may lead to heap based
                    out-of-bounds write

Fixes for these CVEs have been made public at the same time.


There will be an upstream shim release in the near future that publishes 
updated Sbat revocations that will allow older GRUBs to be revoked. This 
shim release does not involve any CVEs, and new shims do not need to be 
coupled to this GRUB disclosure. For information on how to deliver 
revocations, please see:

https://github.com/rhboot/shim/blob/main/Delivering_Sbat_Revocations.md


Detailed evaluations including scores follow:

1) CVE-2024-45774: reader/jpeg: Heap OOB Write during JPEG parsing.

An extra SOF0 marker in a JPEG file may lead to an out-of-bounds write. An
attacker may leverage this by crafting a malicious JPEG file that leads
grub's JPEG parser to fail the bounds checking on its internal buffer,
resulting in an out-of-bounds memory write. The possibility of
overwriting sensitive information in order to bypass secure boot
protections is not ruled out.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7

2) CVE-2024-45775: commands/extcmd: Missing check for failed allocation.

In the grub_extcmd_dispatcher() function grub2 calls grub_arg_list_alloc()
to allocate memory for grub's argument list; however, it fails to check
whether the memory allocation failed. Once the allocation fails, a NULL
pointer will be processed by the parse_option() function, leading grub
to crash or, in some rare scenarios, to corrupt the IVT data.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H - 5.2

3) CVE-2024-45776: grub-core/gettext: Integer overflow leads to Heap OOB 
Write and Read.

When reading a language .mo file in grub_mofile_open(), grub2 fails to
check for an integer overflow when allocating its internal buffer. A
crafted .mo file may cause the buffer size calculation to overflow,
leading to out-of-bounds reads and writes. An attacker may leverage
this flaw to leak sensitive data or overwrite critical data, possibly
leading to the circumvention of secure boot protections.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7

4) CVE-2024-45777: grub-core/gettext: Integer overflow leads to Heap OOB 
Write.

The calculation of the translation buffer size when reading a language
.mo file in grub_gettext_getstr_from_position() may overflow, leading to
an out-of-bounds write. This may be leveraged by an attacker to
overwrite sensitive grub2 heap data, eventually leading to the
circumvention of secure boot protections.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7

5) CVE-2024-45778: fs/bfs: Integer overflow in the BFS parser.

There's a stack overflow when reading a BFS file system. A crafted BFS
filesystem may lead to an uncontrolled loop, causing grub2 to crash.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H - 4.1

6) CVE-2024-45779: fs/bfs: Integer overflow leads to Heap OOB Read 
(Write?) in the BFS parser.

There's an integer overflow in the BFS file system driver. When
reading a file with an indirect extent map, grub2 fails to validate the
number of extent entries to be read. A crafted or corrupted BFS
filesystem may cause an integer overflow during file reading, leading
to a heap out-of-bounds read. As a consequence, sensitive data may be
leaked or grub2 may crash.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N - 4.1

7) CVE-2024-45780: fs/tar: Integer Overflow causes Heap OOB Write.

When reading tar files, grub2 allocates an internal buffer for the
file name; however, it fails to properly verify the allocation against
possible integer overflows. It's possible to cause the allocation
length to overflow with a crafted tar file, leading to a heap
out-of-bounds write; as a consequence, an attacker may leverage this to
eventually circumvent secure boot protections.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7

8) CVE-2024-45781: fs/ufs: OOB write in the heap.

When reading a symbolic link's name from a UFS filesystem, grub2 fails
to validate the string length taken as an input. The lack of
validation may lead to a heap Out-of-bounds write, causing data
integrity issues and eventually allowing an attacker to circumvent
secure boot protections.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7

9) CVE-2024-45782: fs/hfs: strcpy() using the volume name (fs/hfs.c:382)

When reading an HFS volume's name at grub_fs_mount(), the HFS
filesystem driver performs a strcpy() using the user-provided volume
name as input without properly validating the volume name's length.
This may lead to a heap-based out-of-bounds write, impacting grub's
sensitive data integrity and eventually leading to a secure boot
protection bypass.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.7

10) CVE-2024-45783: fs/hfs+: refcount can be decremented twice

When failing to mount an HFS+ volume, grub's hfsplus filesystem driver
doesn't properly set an ERRNO value. This may lead to a NULL pointer
access.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H - 4.4


11) CVE-2025-0622: command/gpg: Use-after-free due to hooks not being
removed on module unload

In some scenarios hooks created by loaded modules are not removed when
the related module is unloaded. An attacker may leverage this by
forcing grub2 to call the hooks once the module which registered them
has been unloaded, leading to a use-after-free vulnerability. If
correctly exploited, this vulnerability may result in arbitrary code
execution, eventually allowing the attacker to bypass secure boot
protections.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4

12) CVE-2025-0624: net: Out-of-bounds write in
grub_net_search_config_file()

During the network boot process, when trying to search for the
configuration file, grub copies data from a user-controlled
environment variable into an internal buffer using the grub_strcpy()
function. During this step it fails to consider the environment
variable's length when allocating the internal buffer, resulting in an
out-of-bounds write. If correctly exploited, this issue may result in
remote code execution from the same network segment in which grub is
searching for the boot information, which can be used to bypass
secure boot protections.

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H - 7.5 (I have considered 
AV:A as I believe the attacker should be at least in the same network
segment as the targeted machine, unless someone tries to expose his 
netboot through the internet)
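The defect shared by entries 8, 9 and 12 is a copy whose length is dictated by untrusted metadata (an on-disk volume label, a symlink name, an environment variable) and is never checked against the destination. The following C is an added example written for this page, not GRUB's fs/hfs.c, fs/ufs.c or net code: it puts the strcpy() shape beside a bounded copy that validates a length byte against both the record and the destination, and beside a heap copy sized from the real source length. The Pascal-style record layout, VOLNAME_CAP and the sample labels are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not GRUB code. Models the unchecked-copy pattern in
 * entries 8, 9 and 12. Record layout, capacity and labels are
 * constructed assumptions, not taken from any filesystem image. */

#define VOLNAME_CAP 28   /* assumed fixed-size destination field */

/* Vulnerable shape: strcpy() trusts the source to be NUL-terminated
 * and to fit in dst. A label without a NUL, or longer than dst,
 * writes past the end of dst (the heap OOB write of entry 9). */
void copy_label_unchecked(char *dst, const char *label)
{
    strcpy(dst, label);
}

/* Hardened shape: a Pascal-style record (length byte, then the
 * characters) is validated against the record size and the
 * destination capacity before anything is copied. Returns the copied
 * length, or -1 and leaves dst untouched when the length is bad. */
int copy_label_checked(char *dst, size_t dst_cap,
                       const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1)
        return -1;
    size_t n = rec[0];
    if (n > rec_len - 1)      /* declared length runs past the record */
        return -1;
    if (n + 1 > dst_cap)      /* no room for the characters plus NUL */
        return -1;
    memcpy(dst, rec + 1, n);
    dst[n] = '\0';
    return (int)n;
}

/* Entry 12 variant: size the heap buffer from the actual source
 * length, with the +1 for the terminator checked for wrap. Returns a
 * new copy, or NULL on overflow or allocation failure; callers must
 * test for NULL instead of passing the pointer on (entry 2's point). */
char *dup_env_value(const char *value)
{
    size_t len = strlen(value);
    size_t alloc;
    if (__builtin_add_overflow(len, (size_t)1, &alloc))
        return NULL;
    char *buf = malloc(alloc);
    if (buf == NULL)
        return NULL;
    memcpy(buf, value, alloc);   /* includes the NUL */
    return buf;
}

/* Demonstration helpers: copy into a local field of at most
 * VOLNAME_CAP bytes, pretending its capacity is dst_cap. */
int label_fits(const uint8_t *rec, size_t rec_len, size_t dst_cap)
{
    char dst[VOLNAME_CAP];
    if (dst_cap > sizeof dst)
        dst_cap = sizeof dst;
    return copy_label_checked(dst, dst_cap, rec, rec_len);
}

int env_dup_roundtrip(const char *value)
{
    char *copy = dup_env_value(value);
    if (copy == NULL)
        return 0;
    int same = strcmp(copy, value) == 0;
    free(copy);
    return same;
}

/* Constructed records: a well-formed 6-character label, and one whose
 * length byte (0xff) claims far more data than the record holds. */
const uint8_t good_rec[VOLNAME_CAP] = { 6, 'M', 'y', 'D', 'i', 's', 'k' };
const uint8_t bad_rec[VOLNAME_CAP]  = { 0xff, 'M', 'y', 'D', 'i', 's', 'k' };

int main(void)
{
    int ok = label_fits(good_rec, sizeof good_rec, VOLNAME_CAP) == 6
          && label_fits(bad_rec, sizeof bad_rec, VOLNAME_CAP) == -1
          && label_fits(good_rec, sizeof good_rec, 6) == -1
          && env_dup_roundtrip("grub.cfg");
    return ok ? 0 : 1;
}
```

The two checks in copy_label_checked() are independent: the first rejects a length byte that points outside the record (a truncated or corrupt label), the second rejects a label that would not fit the destination even though it is inside the record. Both have to hold before the copy, and neither is needed by the strcpy() form, which is precisely why that form cannot be made safe by a NUL check alone.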

13) CVE-2025-0677: UFS: Integer overflow may lead to heap based
out-of-bounds write when handling symlinks

When performing a symlink lookup, grub's UFS module checks the inode's
data size to allocate the internal buffer for reading the file
content; however, it fails to check whether the symlink data size has
overflowed. If that happens, grub_malloc() may be called with a smaller
value than needed; as a consequence, when further reading the data from
disk into the buffer, the grub_ufs_lookup_symlink() function will write
past the end of the allocated size. An attacker may leverage that by
crafting a malicious filesystem, and as a result it will corrupt data
stored in the heap; it's possible that arbitrary code execution may be
achieved through it and used to bypass secure boot mechanisms.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4

14) CVE-2025-0678: squash4: Integer overflow may lead to heap based 
out-of-bounds write when reading data

When reading data from a squash4 filesystem, grub's squash4 fs module
uses user-controlled parameters from the filesystem geometry to
determine the internal buffer sizes; however, it fails to properly
check for integer overflows. A maliciously crafted filesystem may cause
some of those buffer size calculations to overflow, causing it to
perform a grub_malloc() operation with a smaller size than
expected. As a result, direct_read() will perform a heap-based
out-of-bounds write during data reading. This flaw may be leveraged to
corrupt grub's internal critical data and may result in arbitrary code
execution bypassing secure boot protections.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4

15) CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may 
lead to heap based out-of-bounds write when reading data

When performing a symlink lookup from a reiserfs filesystem, grub's
reiserfs fs module uses user-controlled parameters from the filesystem
geometry to determine the internal buffer sizes; however, it fails to
properly check for integer overflows. A maliciously crafted filesystem
may cause some of those buffer size calculations to overflow, causing
it to perform a grub_malloc() operation with a smaller size than
expected. As a result, grub_reiserfs_read_symlink() will call
grub_reiserfs_read_real() with an overflowed length parameter, leading
to a heap-based out-of-bounds write during data reading. This flaw may
be leveraged to corrupt grub's internal critical data and may result in
arbitrary code execution bypassing secure boot protections.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4


16) CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead 
to heap based out-of-bounds write when reading data

When reading data from a jfs filesystem, grub's jfs filesystem module
uses user-controlled parameters from the filesystem geometry to
determine the internal buffer sizes; however, it fails to properly
check for integer overflows. A maliciously crafted filesystem may cause
some of those buffer size calculations to overflow, causing it to
perform a grub_malloc() operation with a smaller size than
expected. As a result, the grub_jfs_lookup_symlink() function will
write past the end of the internal buffer during
grub_jfs_read_file(). This flaw may be leveraged to corrupt grub's
internal critical data and may result in arbitrary code execution
bypassing secure boot protections.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4

17) CVE-2025-0686: romfs: Integer overflow when handling symlinks may 
lead to heap based out-of-bounds write when reading data

When performing a symlink lookup from a romfs filesystem, grub's romfs
filesystem module uses user-controlled parameters from the filesystem
geometry to determine the internal buffer sizes; however, it fails to
properly check for integer overflows. A maliciously crafted filesystem
may cause some of those buffer size calculations to overflow, causing
it to perform a grub_malloc() operation with a smaller size than
expected. As a result, grub_romfs_read_symlink() may cause an
out-of-bounds write when calling the grub_disk_read() function. This
flaw may be leveraged to corrupt grub's internal critical data and may
result in arbitrary code execution bypassing secure boot protections.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4

18) CVE-2025-0689: udf: Heap based buffer overflow in
grub_udf_read_block() may lead to arbitrary code execution

When reading data from disk, grub's UDF filesystem module utilizes
the user-controlled data length metadata to allocate its internal
buffers. In certain scenarios, while iterating through disk sectors,
it assumes the read size from the disk is always smaller than the
allocated buffer size, which is not guaranteed. A crafted filesystem
image may lead to a heap-based buffer overflow, resulting in critical
data being corrupted and in the risk of arbitrary code execution
bypassing secure boot protections.


CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4

19) CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write

The read command is used to read keyboard input from the user; while
reading, it keeps the input length in a 32-bit integer value which is
further used to reallocate the line buffer to accept the next
character. During this process, with a line big enough, it's possible
to make this variable overflow, leading to an out-of-bounds write in
the heap-based buffer. This flaw may be leveraged to corrupt grub's
internal critical data, and a secure boot bypass is not ruled out as a
consequence.

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H - 6.1

20) CVE-2025-1118: commands/dump: The dump command is not in lockdown 
when secure boot is enabled

Grub's dump command is not blocked when grub is in lockdown mode. This
allows the user to read any memory contents; an attacker may leverage
that in order to extract signatures, salts and other sensitive
information from memory.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - 4.4

21) CVE-2025-1125: fs/hfs: Integer overflow may lead to heap based 
out-of-bounds write

When reading data from an hfs filesystem, grub's hfs filesystem module
uses user-controlled parameters from the filesystem metadata to
calculate the internal buffer sizes; however, it fails to properly
check for integer overflows. A maliciously crafted filesystem may cause
some of those buffer size calculations to overflow, causing it to
perform a grub_malloc() operation with a smaller size than
expected. As a result, the hfsplus_open_compressed_real() function will
write past the end of the internal buffer. This flaw may be leveraged
to corrupt grub's internal critical data and may result in arbitrary
code execution bypassing secure boot protections.

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - 6.4
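Entries 3, 4, 6, 7, 13 through 17, 19 and 21 all describe one arithmetic defect: a count and a per-entry size read from untrusted metadata are combined into a 32-bit buffer length, the product (or a running sum) wraps, grub_malloc() is handed the small wrapped value, and the subsequent read of the full amount overruns the heap. The C below is an added example written for this page, not code from any GRUB module: it shows the wrapping calculation beside a version that routes every step through the compiler's overflow-checking builtins (the same builtins GRUB's own grub_mul()/grub_add() macros in safemath.h are built on), plus the one-byte-at-a-time growth of entry 19. Every count, size and function name here is a constructed assumption.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example, not GRUB code. Models the undersized-allocation
 * pattern behind entries 3, 4, 6, 7, 13-17, 19 and 21. All counts and
 * sizes are constructed for the demonstration, not from any image. */

/* Vulnerable shape: plain 32-bit arithmetic, wraps silently. */
uint32_t unchecked_buffer_len(uint32_t count, uint32_t entry_size)
{
    return count * entry_size + 1;   /* +1 for a terminator; both can wrap */
}

/* Hardened shape: each step is checked for wrap. Returns 0 and stores
 * the length, or -1 if any step would overflow. */
int checked_buffer_len(uint32_t count, uint32_t entry_size, uint32_t *out)
{
    uint32_t len;
    if (__builtin_mul_overflow(count, entry_size, &len))
        return -1;
    if (__builtin_add_overflow(len, (uint32_t)1, &len))
        return -1;
    *out = len;
    return 0;
}

/* Same check, returning 0 on overflow so the result is a single value. */
uint32_t checked_len_or_zero(uint32_t count, uint32_t entry_size)
{
    uint32_t len;
    return checked_buffer_len(count, entry_size, &len) == 0 ? len : 0;
}

/* Allocation built on the checked length. Returns NULL on overflow or
 * when the allocator fails; callers must test for NULL rather than
 * pass the pointer on (the missing check of entry 2). */
void *alloc_table(uint32_t count, uint32_t entry_size)
{
    uint32_t len;
    if (checked_buffer_len(count, entry_size, &len) != 0)
        return NULL;
    return malloc(len);
}

/* Entry 19 variant: a 32-bit line length grown for one more character
 * plus its terminator. Returns the new capacity, or 0 on wrap. */
uint32_t grow_line_len(uint32_t cur_len)
{
    uint32_t next;
    if (__builtin_add_overflow(cur_len, (uint32_t)2, &next))
        return 0;
    return next;
}

/* How far the wrapped value falls short of what would actually be
 * read: the true 64-bit byte count minus the 32-bit result. */
uint64_t bytes_short(uint32_t count, uint32_t entry_size)
{
    uint64_t need = (uint64_t)count * entry_size + 1;
    return need - unchecked_buffer_len(count, entry_size);
}

int table_alloc_ok(uint32_t count, uint32_t entry_size)
{
    void *p = alloc_table(count, entry_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* 0x40000001 entries of 4 bytes need 0x100000005 bytes, but the
     * 32-bit product is 4, so the unchecked path allocates 5 bytes and
     * the following read is 4 GiB too long for the buffer. */
    int ok = unchecked_buffer_len(0x40000001u, 4u) == 5u
          && alloc_table(0x40000001u, 4u) == NULL
          && table_alloc_ok(1000u, 4u)
          && grow_line_len(0xFFFFFFFEu) == 0u;
    return ok ? 0 : 1;
}
```

A useful review habit for code of this shape is to follow every value that flows into an allocation size back to where it was read from disk or from the environment, and to require that each multiplication or addition on that path is a checked one; a single unchecked step anywhere before the allocator call reintroduces the whole class.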
