GRUB Bootloader Received 73 Patches To Fix A Variety Of Recent Security Issues

  • Thread starter: Deleted member 155466


Wasn't there a thread about a load of patches from MS recently?
And we make fun of MS yet have the same schema with Linux software.
 
This would be funny in the context of this post:

GRUB issues were published a month ago, by the way.

Personally I never liked GRUB and I am not affected, since I use an alternative solution, but just leaving distros on their own with this pile of .... is not nice.
 
GRUB (Grand Unified Bootloader) has had several CVEs, including CVE-2020-10713 (BootHole), CVE-2023-4001, and CVE-2022-3675, which address vulnerabilities allowing arbitrary code execution or authentication bypass.
Here's a more detailed breakdown:

CVE-2020-10713 (BootHole):
This vulnerability, discovered in GRUB2, allows attackers to boot untrusted operating systems by exploiting a flaw in how GRUB handles certain bootloader configurations.

CVE-2023-4001:
This vulnerability is an authentication bypass flaw in GRUB due to how it uses device UUIDs to locate configuration files containing password hashes for GRUB password protection.
CVE-2022-3675:
This vulnerability is related to Fedora CoreOS and its use of Butane config for setting a GRUB bootloader password, which could be exploited if the feature is enabled.
Other Vulnerabilities:
There have been other instances of vulnerabilities in GRUB2, including an integer overflow in grub_ext2_read_link that leads to a heap-based buffer overflow (CVE-2020-14311).
Kaspersky Rescue Disk:
A vulnerability in how GRUB2 was used by the Kaspersky Rescue Disk was publicly disclosed in April 2019, leading to Microsoft revoking the vulnerable bootloader across Windows systems.
HPE ProLiant Servers:
Certain HPE ProLiant servers contained a version of GRUB2 signed by an HP CA that allowed the use of the "insmod" command to load unsigned code.
Shim:
Due to legal issues arising from license incompatibilities, open-source projects and other third parties built a small application called a "shim" that contains the vendor's certificate and code that verifies and runs the bootloader (typically GRUB2).
 
What makes you think your alternative, whichever it is, does not have vulnerabilities?
:) because it is simpler: elilo.
Because GRUB is trying to be a jack of all trades, it grew so big and complicated. Your question applies to GRUB more than to elilo. In fact, this is a reason why GRUB devs are reluctant to apply these patches: they may introduce more issues, and some/a lot of GRUB issues may still/already be lurking.

I don't know whether elilo has undiscovered security issues. Statistically, though, GRUB is more prone to the nasty problems.
 
Because GRUB is trying to be a jack of all trades, it grew so big and complicated.
From my experience and from what I heard from other coders, software which is more mature and feature rich has the benefit of being more stable due to longer development and more time put into making it complete.

On the other side, software that just appeared yesterday may have more issues than the older software.
Excluding regression and lack of maintenance which is another issue.

Using this logic I'm in favor of GRUB over newly born or underdeveloped software.
 
Maybe it will make a 'comeback'?

Debian dropped it in 2014, RH & SUSE stopped using this tree (and feeding back change) long before that. Slackware changed to grub around 2019.

Personally, I have never had a problem with Grub

"The only bit of good news is that the major Linux distros carry or will carry soon one form or another of these patches, so the likelihood of exploiting these issues at scale is hopefully minimal."

Is seventy-three mini dramas really such a big deal? I don't see the entire internet getting their panties in a twist as a result. More of a yawn appears to be the general consensus.
 
:) because it is simpler: elilo.
I wouldn't trust software that hasn't had an update in over a year, and elilo hasn't had one in even longer; also, it seems elilo has the status "abandoned"?
When I was running Arch I used to use systemd-boot but now that I have been running Fedora again for a while I just use what comes with the distribution which is Grub.
 
Today's updates for Linux Mint 22.1 (April 1, 2025) include several updates for CVE-type problems, likely addressing the problems laid out in the link at the top of this thread.

I was going to copy/paste them, but forgot.

Plenty of other members here using LM22.1....copy and paste the pertinent updates to here for all to see, Please.

The update will be for Kernel: linux (6.8.0-57.59) noble; urgency=medium

EDIT TO ADD: I found them:

linux (6.8.0-57.59) noble; urgency=medium

* noble/linux: 6.8.0-57.59 -proposed tracker (LP: #2102490)

* CVE-2024-57798
- drm/dp_mst: Ensure mst_primary pointer is valid in
drm_dp_mst_handle_up_req()

* CVE-2024-56672
- blk-cgroup: Fix UAF in blkcg_unpin_online()

* CVE-2024-56658
- net: defer final 'struct net' free in netns dismantle

* CVE-2024-56598
- jfs: array-index-out-of-bounds fix in dtReadFirst

* CVE-2024-56595
- jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree

* CVE-2024-53140
- netlink: terminate outstanding dump on socket close

* CVE-2024-53063
- media: dvbdev: prevent the risk of out of memory access

* CVE-2024-50302
- HID: core: zero-initialize the report buffer
 
See edit to my post ^^^^^...above
 
I can't escape the feeling that, whatever boot loader one is using, if security is even a concern at that point, the vulnerable boot loader is probably the least of one's concerns. If the boot image got hacked, that seems like it's beyond the purview of the boot loader.

On the other hand, I suppose the idea of layered security tells us to make -every- exploit as hard as possible.
 
If the boot image got hacked,

That's what 'secure boot' is meant to solve. In theory, it means you're booting only what you said you'd be booting.

I've never had issues with it but some folks do and not all distros are properly signed for it. It's basically just a key exchange. I think it even uses RSA-2048 which is pretty robust. There have been exploits for this though they mean someone has to have physical access to the device - and there have been exploits to almost every bit of software on your system at one point or another.
 
From my experience and from what I heard from other coders, software which is more mature and feature rich has the benefit of being more stable due to longer development and more time put into making it complete.

On the other side, software that just appeared yesterday may have more issues than the older software.
Excluding regression and lack of maintenance which is another issue.

Using this logic I'm in favor of GRUB over newly born or underdeveloped software.
Where were you and your coders when systemd was introduced? ;)
There have been exploits for this though they mean someone has to have physical access to the device - and there have been exploits to almost every bit of software on your system at one point or another.
absolutely
 