Bug 17334 - grub2 new security issue CVE-2015-8370
Summary: grub2 new security issue CVE-2015-8370
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/667756/
Whiteboard: has_procedure advisory mga5-32-ok MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-12-14 23:58 CET by David Walser
Modified: 2015-12-20 10:16 CET (History)
4 users

See Also:
Source RPM: grub2-2.02-0.git9752.18.2.mga5.src.rpm
CVE: CVE-2015-8370
Status comment:


Description David Walser 2015-12-14 23:58:39 CET
Fedora has issued an advisory on December 13:
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173703.html

Comment 1 Barry Jackson 2015-12-15 13:18:17 CET
########################################
Update Advisory

grub2-2.02-0.git9752.18.3.mga5 has been pushed to 5/core/updates_testing

This is patched using the Fedora patch, which makes two very small code changes.

########################################
Description

This is a security update to correct a vulnerability discovered when using the grub2 password.

References:
CVE-2015-8370 (buffer overflow when checking password)
https://bugs.mageia.org/show_bug.cgi?id=17334

########################################
Files affected

grub2-2.02-0.git9752.18.3.mga5.src.rpm

grub2-2.02-0.git9752.18.3.mga5.i586.rpm
grub2-efi-2.02-0.git9752.18.3.mga5.i586.rpm
grub2-mageia-theme-2.02-0.git9752.18.3.mga5.noarch.rpm
grub2-debuginfo-2.02-0.git9752.18.3.mga5.i586.rpm

grub2-2.02-0.git9752.18.3.mga5.x86_64.rpm
grub2-efi-2.02-0.git9752.18.3.mga5.x86_64.rpm
grub2-mageia-theme-2.02-0.git9752.18.3.mga5.noarch.rpm
grub2-debuginfo-2.02-0.git9752.18.3.mga5.x86_64.rpm

#######################################
Testing:
I would suggest that minimal regression testing of password use is all that is needed.

Hardware: i586 => All
CVE: (none) => CVE-2015-8370
Assignee: zen25000 => qa-bugs

Comment 2 David Walser 2015-12-15 13:59:09 CET
Thanks!  Barry, is the patch for this already in Cauldron?

CC: (none) => zen25000

Comment 3 Barry Jackson 2015-12-15 15:30:52 CET
(In reply to David Walser from comment #2)
> Thanks!  Barry, is the patch for this already in Cauldron?

No, but it will be soon, along with another related, but AFAICT non-essential, one that won't apply in Mga5.

There have been lots of changes to grub2 in Cauldron since Mga5, so I have only added the CVE patch there as I don't want to risk causing more issues.

I have just installed the Cauldron update locally and I don't see any regressions; however, I have never used passwords in grub2 and I would be surprised if this actually affects anyone, as it's not a simple job to set up.

See:
https://help.ubuntu.com/community/Grub2/Passwords
Comment 5 Barry Jackson 2015-12-15 17:43:51 CET
Ouch - there are some devious people about :\

So the POC is in the first paragraph.
Comment 6 David Walser 2015-12-15 17:58:40 CET
Advisory:
========================

Updated grub2 packages fix security vulnerability:

A flaw was found in the way grub2 handled backspace characters entered
in username and password prompts. An attacker with access to the system
console could use this flaw to bypass grub2 password protection and gain
administrative access to the system (CVE-2015-8370).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8370
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
https://rhn.redhat.com/errata/RHSA-2015-2623.html
Comment 7 Barry Jackson 2015-12-15 22:40:46 CET
Using the "Am I vulnerable" test from the second link above in a fully updated Mga5 (UEFI) x86_64 in a VM I could not replicate the original bug, no matter how many backspaces were entered. YMMV

I tested by doing the following:

To add a superuser password:

1. open /etc/grub.d/40_custom in a root editor and add the lines:

set superusers=myusername
password myusername mypassword
export superusers

2. open /etc/grub.d/10_linux in a root editor and edit line 29 to read:

CLASS="--class gnu-linux --users '' --class gnu --class os"
                         ^^^^^^^^^^  
Note that "--users ''" has been added.

3. run update-grub

Now on reboot you will be asked for username and password after selecting an entry from the boot menu.

To replicate the bug hit backspace 28 times when asked for username and you should be dropped to a grub2 shell or the system should reboot.

After this update from updates_testing it should not drop to shell or reboot.
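The backspace handling described in the advisory in comment 6, and the 28-backspace check in comment 7, as an added example that is not part of this bug report and not grub2's own code: a small C simulator of a grub2-style username/password prompt loop. The loop shape follows the pattern the CVE describes (an unsigned cursor that backspace decrements, followed by a memset of the tail), but the function and struct names are this example's own. Out-of-bounds writes are reported as flags instead of being performed, so the vulnerable variant can be run safely; what actually happens on real hardware after the out-of-bounds write (grub shell or reboot, per comment 7) depends on what lies around the buffer and is not modelled here.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulator of a grub2-style prompt loop for CVE-2015-8370. Not grub code:
 * the loop shape is modelled on the prompt the advisory describes; the names
 * and the outcome struct are this example's own. Out-of-bounds writes are
 * reported as flags rather than performed.
 */
struct outcome {
    unsigned len;     /* final cur_len, i.e. where the code believes the cursor is */
    int oob_store;    /* a typed key would have been stored outside buf */
    int oob_memset;   /* the trailing memset would have started outside buf */
};

/* keys: constructed key sequence; '\0' acts as Enter. fixed: 0 = pre-fix logic. */
static struct outcome read_prompt(const char *keys, char *buf, unsigned buf_size, int fixed)
{
    struct outcome o = {0, 0, 0};
    unsigned cur_len = 0;
    const char *p = keys;

    memset(buf, 'X', buf_size);    /* poison so untouched bytes are visible */
    for (;;) {
        int key = *p ? (unsigned char)*p++ : '\n';
        if (key == '\n' || key == '\r')
            break;
        if (key == 0x1b) {         /* Escape cancels the prompt */
            cur_len = 0;
            break;
        }
        if (key == '\b') {
            if (!fixed)
                cur_len--;         /* CVE-2015-8370: 0 - 1 wraps to UINT_MAX */
            else if (cur_len)
                cur_len--;         /* fix: never move the cursor before the start */
            continue;
        }
        if (!isprint(key))
            continue;
        /* With a wrapped cur_len this bound check can pass for an index far past buf. */
        if (cur_len + 2 < buf_size) {
            if (cur_len < buf_size)
                buf[cur_len] = (char)key;
            else
                o.oob_store = 1;
            cur_len++;
        }
    }
    /* The vulnerable original zeroed the tail unconditionally: memset(buf + cur_len, ...). */
    if (cur_len < buf_size)
        memset(buf + cur_len, 0, buf_size - cur_len);
    else
        o.oob_memset = 1;
    o.len = cur_len;
    return o;
}

/* Build a string of n backspace characters (n < 64); constructed test input. */
static const char *backspaces(unsigned n)
{
    static char seq[64];
    if (n >= sizeof seq)
        n = sizeof seq - 1;
    memset(seq, '\b', n);
    seq[n] = '\0';
    return seq;
}

int main(void)
{
    char buf[32];
    struct outcome v = read_prompt(backspaces(28), buf, sizeof buf, 0);
    printf("vulnerable: cur_len=%u (as int %d) oob_memset=%d\n",
           v.len, (int)v.len, v.oob_memset);
    struct outcome f = read_prompt(backspaces(28), buf, sizeof buf, 1);
    printf("fixed:      cur_len=%u oob_memset=%d buf=\"%s\"\n",
           f.len, f.oob_memset, buf);
    return 0;
}
```

Running the simulator with 28 backspaces shows the pre-fix counter at UINT_MAX - 27 (-28 as a signed value) and the tail memset starting before the buffer, while the fixed variant stays at 0 and clears the buffer normally; ordinary editing such as typing three characters, one backspace and another character gives the same result in both variants, which is the regression test comment 1 asks for.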
Comment 8 Ben McMonagle 2015-12-17 10:46:51 CET
(In reply to Barry Jackson from comment #7)
> Using the "Am I vulnerable" test from the second link above in a fully
> updated Mga5 (UEFI) x86_64 in a VM I could not replicate the original bug,
> no matter how many back-spaces were entered. YMMV

On a fully updated Mga5 (UEFI) x86_64 on real hardware I was unable to replicate the bug.

I followed below instructions to enable boot password requirement:
> 
> To add a superuser password:
> 
> 1. open /etc/grub.d/40_custom in a root editor and add the lines:
> 
> set superusers=myusername
> password myusername mypassword
> export superusers
> 
> 2. open /etc/grub.d/10_linux in a root editor and edit line 29 to read:
> 
> CLASS="--class gnu-linux --users '' --class gnu --class os"
>                          ^^^^^^^^^^  
> 
> 3. run update-grub

However, I am unable to boot with GRUB2 as the user or password is rejected;
I am just passed back to the boot menu.

CC: (none) => westel

Comment 9 Barry Jackson 2015-12-17 12:37:15 CET
Strange,

However you could try the 28 backspaces before removing the changes to try again. :)

I just followed my instructions to the letter in my main Mga5 system here and it works perfectly. (I actually used an encrypted password to give it more of a test)

Maybe you made a typo? Caps lock?
Comment 10 Dave Hodgins 2015-12-18 04:54:18 CET
I'm using grub rather than grub2 on my main testing system (my other system is still down). I'll just point out this should be tested on both efi and bios firmware systems.

CC: (none) => davidwhodgins

Dave Hodgins 2015-12-18 05:01:17 CET

Whiteboard: (none) => advisory

Comment 11 Barry Jackson 2015-12-18 13:32:32 CET
(In reply to Dave Hodgins from comment #10)
> I'm using grub rather than grub2 on my main testing system (my other system
> is still down).

It takes < 2 mins to switch to grub2 using mcc->boot - same to switch back ;)

> I'll just point out this should be tested on both efi and
> bios firmware systems.

Yes
Comment 12 claire robinson 2015-12-18 16:40:26 CET
Testing complete mga5 32 (BIOS system)

Switched to grub2 as in comment 11. Rebooted. Installed updates. Rebooted.

Could do with an EFI test x86_64 before validating.

Whiteboard: advisory => has_procedure advisory mga5-32-ok

Comment 13 James Kerr 2015-12-18 18:15:49 CET
On mga5-64 (EFI)

Installed packages from testing:

grub2-efi-2.02-0.git9752.18.3.mga5
grub2-mageia-theme-2.02-0.git9752.18.3.mga5

Packages installed cleanly. System re-booted normally.

OK for mga5-64 (EFI)

Does this update also need to be tested on a mga5-64 BIOS system?
Comment 14 claire robinson 2015-12-18 18:37:37 CET
If you have one handy to test it on, Jim, yes please.
Comment 15 James Kerr 2015-12-18 19:14:49 CET
On mga5-64 (BIOS)

Switched to Grub2 and rebooted.

Installed packages from testing:

grub2-mageia-theme-2.02-0.git9752.18.3.mga5
grub2-2.02-0.git9752.18.3.mga5

Packages installed cleanly. System re-booted normally.

OK for mga5-64 (BIOS)

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure advisory mga5-32-ok => has_procedure advisory mga5-32-ok MGA5-64-OK

Comment 16 James Kerr 2015-12-18 19:16:08 CET
This update is now validated and can be pushed to updates.
Comment 17 Mageia Robot 2015-12-20 10:16:17 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0480.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
