Multiple New Security Issues Hit GRUB Bootloader Around Secure Boot

Written by Michael Larabel in Linux Security on 2 March 2021 at 02:30 PM EST. 24 Comments
LINUX SECURITY
Last summer the GRUB bootloader was impacted by "BootHole" with security issues hitting its UEFI Secure Boot support while today a new round of vulnerabilities were made public.

A new set of GRUB2 security vulnerabilities were made public today affecting its UEFI Secure Boot support. A set of eight CVEs were issued in 2020 and this year for the new issues. The issues include the possibility of specially crafted ACPI tables being loaded even if Secure Boot is active, memory corruption in GRUB's menu rendering, use-after-free in rmmod functionality, the cutmem command allowing privileged users to disable certain memory regions and in turn Secure Boot protections, arbitrary code execution even if Secure Boot is enabled, GRUB 2.05 accidentally re-introducing one of last year's vulnerabilities, and memory corruption from crafted USB device descriptors that could lead to arbitrary code execution.

Today's set of vulnerabilities is another set of nasty issues if relying on Secure Boot and for GRUB's reputation around security issues. The major Linux distributions are in the process of releasing updated GRUB2 signed builds.

More details on these 2021 GRUB security issues via the Ubuntu Wiki.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week