D
GRUB Bootloader Received 73 Patches To Fix A Variety Of Recent Security Issues
CaffeineAddict
Well-Known Member
Wasn't there a thread about a load of patches from MS recently?
And we make fun of MS yet have the same schema with Linux software.
And we make fun of MS yet have the same schema with Linux software.
Aristarchus
Active Member
This would be funny in the context of this post:
au.lifehacker.com
Yes, I know.......Microsoft.
However, many members still run the windows OS...usually as a dual boot. In which case they are vulnerable
if you must use that OS, stay alert.
HTH
GRUB issues were published month ago by the way
cybersecuritynews.com
Personally I never liked GRUB and I am not affected using alternative solution but just leaving distros on their own with this pile of .... is not nice.
Microsoft's Latest Update Patches 57 Security Vulnerabilities
Microsoft's latest Patch Tuesday update includes fixes for seven zero-day exploits.
au.lifehacker.com
Yes, I know.......Microsoft.
However, many members still run the windows OS...usually as a dual boot. In which case they are vulnerable
if you must use that OS, stay alert.
HTH
GRUB issues were published month ago by the way
GRUB2 Vulnerabilities Exposes Millions of Linux Systems to Cyber Attack
A critical set of 20 vulnerabilities in GRUB2 the ubiquitous bootloader underpinning most Linux distributions and Unix-like systems has exposed.
cybersecuritynews.com
Personally I never liked GRUB and I am not affected using alternative solution but just leaving distros on their own with this pile of .... is not nice.
CaffeineAddict
Well-Known Member
What makes you think your alternative, which ever it is, does not have have vulnerabilities?
GRUB (Grand Unified Bootloader) has had several CVEs, including CVE-2020-10713 (BootHole), CVE-2023-4001, and CVE-2022-3675, which address vulnerabilities allowing arbitrary code execution or authentication bypass.
Here's a more detailed breakdown:
CVE-2020-10713 (BootHole):
This vulnerability, discovered in GRUB2, allows attackers to boot untrusted operating systems by exploiting a flaw in how GRUB handles certain bootloader configurations.
CVE-2023-4001:
This vulnerability is an authentication bypass flaw in GRUB due to how it uses device UUIDs to locate configuration files containing password hashes for GRUB password protection.
CVE-2022-3675:
This vulnerability is related to Fedora CoreOS and its use of Butane config for setting a GRUB bootloader password, which could be exploited if the feature is enabled.
Other Vulnerabilities:
There have been other instances of vulnerabilities in GRUB2, including an integer overflow in grub_ext2_read_link that leads to a heap-based buffer overflow (CVE-2020-14311).
Kaspersky Rescue Disk:
A vulnerability in how GRUB2 was used by the Kaspersky Rescue Disk was publicly disclosed in April 2019, leading to Microsoft revoking the vulnerable bootloader across Windows systems.
HPE ProLiant Servers:
Certain HPE ProLiant servers contained a version of GRUB2 signed by a HP CA that allowed the use of the "insmod" command to load unsigned code.
Shim:
Due to legal issues arising from license incompatibilities, open-source projects and other third parties built a small application called a "shim" that contains the vendor's certificate and code that verifies and runs the bootloader (typically GRUB2)
Here's a more detailed breakdown:
CVE-2020-10713 (BootHole):
This vulnerability, discovered in GRUB2, allows attackers to boot untrusted operating systems by exploiting a flaw in how GRUB handles certain bootloader configurations.
CVE-2023-4001:
This vulnerability is an authentication bypass flaw in GRUB due to how it uses device UUIDs to locate configuration files containing password hashes for GRUB password protection.
CVE-2022-3675:
This vulnerability is related to Fedora CoreOS and its use of Butane config for setting a GRUB bootloader password, which could be exploited if the feature is enabled.
Other Vulnerabilities:
There have been other instances of vulnerabilities in GRUB2, including an integer overflow in grub_ext2_read_link that leads to a heap-based buffer overflow (CVE-2020-14311).
Kaspersky Rescue Disk:
A vulnerability in how GRUB2 was used by the Kaspersky Rescue Disk was publicly disclosed in April 2019, leading to Microsoft revoking the vulnerable bootloader across Windows systems.
HPE ProLiant Servers:
Certain HPE ProLiant servers contained a version of GRUB2 signed by a HP CA that allowed the use of the "insmod" command to load unsigned code.
Shim:
Due to legal issues arising from license incompatibilities, open-source projects and other third parties built a small application called a "shim" that contains the vendor's certificate and code that verifies and runs the bootloader (typically GRUB2)
Aristarchus
Active Member
because it is simpler: elilo.Because GRUB is trying to be Jack of all trades, grew so big and complicated. Your question applies to GRUB more than elilo. In fact this is a reason why GRUB devs are reluctant to apply these patches: they may introduce more issues and some/a lot of GRUB issues may be lurking still/already.
I don't know if elilo has not discovered security issues now. Statistically though GRUB is more prone to the nasty problems.
CaffeineAddict
Well-Known Member
From my experience and from what I heard from other coders, software which is more mature and feature rich has the benefit of being more stable due to longer development and more time put into making it complete.
On another side software that just appeared yesterday may have more issues than the older software.
Excluding regression and lack of maintenance which is another issue.
Using this logic I'm in favor of GRUB over newly born or underdeveloped software.
Condobloke
Well-Known Member
Maybe it will make a 'comeback' ?
Debian dropped it in 2014, RH & SUSE stopped using this tree (and feeding back change) long before that. Slackware changed to grub around 2019.
Personally, I have never had a problem with Grub
""The only bit of good news is that the "major Linux distros carry or will carry soon oneform or another of these patches" so the likelihood of exploiting these issues at scale is hopefully minimal.""
Is seventy three mini dramas really such a big deal?....I dont see the entire internet getting their panties in a twist as a result. More of a yawn appears to be the general consensus
Debian dropped it in 2014, RH & SUSE stopped using this tree (and feeding back change) long before that. Slackware changed to grub around 2019.
Personally, I have never had a problem with Grub
""The only bit of good news is that the "major Linux distros carry or will carry soon oneform or another of these patches" so the likelihood of exploiting these issues at scale is hopefully minimal.""
Is seventy three mini dramas really such a big deal?....I dont see the entire internet getting their panties in a twist as a result. More of a yawn appears to be the general consensus
I wouldn't trust software that hasn't had an update in over a year and elilo hasn't had one in longer, also it seems elilo has the status abandoned?
ELILO: EFI Linux Boot Loader - Browse /elilo at SourceForge.net
ELILO was the legacy EFI linux boot loader for IA-64(IPF), IA-32(x86),
sourceforge.net
OP
Deleted member 155466
Guest
I really didn't know about the existence of LILO, until today I have always used GRUB2 and I have rarely had problems.
LILO (bootloader) - Wikipedia
Condobloke
Well-Known Member
Todays updates for Linux Mint 22.1 (April 1, 2025) include several updates for CVE type problems.....likely addressing the problems laid out in the link that thop of this thread
I was going to copy/paste them, but forgot.
Plenty of other members here using LM22.1....copy and paste the pertinent updates to here for all to see, Please.
The update will be for Kernel: linux (6.8.0-57.59) noble; urgency=medium
EDIT TO ADD: I found them:
linux (6.8.0-57.59) noble; urgency=medium
* noble/linux: 6.8.0-57.59 -proposed tracker (LP: #2102490)
* CVE-2024-57798
- drm/dp_mst: Ensure mst_primary pointer is valid in
drm_dp_mst_handle_up_req()
* CVE-2024-56672
- blk-cgroup: Fix UAF in blkcg_unpin_online()
* CVE-2024-56658
- net: defer final 'struct net' free in netns dismantle
* CVE-2024-56598
- jfs: array-index-out-of-bounds fix in dtReadFirst
* CVE-2024-56595
- jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
* CVE-2024-53140
- netlink: terminate outstanding dump on socket close
* CVE-2024-53063
- media: dvbdev: prevent the risk of out of memory access
* CVE-2024-50302
- HID: core: zero-initialize the report buffer
I was going to copy/paste them, but forgot.
Plenty of other members here using LM22.1....copy and paste the pertinent updates to here for all to see, Please.
The update will be for Kernel: linux (6.8.0-57.59) noble; urgency=medium
EDIT TO ADD: I found them:
linux (6.8.0-57.59) noble; urgency=medium
* noble/linux: 6.8.0-57.59 -proposed tracker (LP: #2102490)
* CVE-2024-57798
- drm/dp_mst: Ensure mst_primary pointer is valid in
drm_dp_mst_handle_up_req()
* CVE-2024-56672
- blk-cgroup: Fix UAF in blkcg_unpin_online()
* CVE-2024-56658
- net: defer final 'struct net' free in netns dismantle
* CVE-2024-56598
- jfs: array-index-out-of-bounds fix in dtReadFirst
* CVE-2024-56595
- jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
* CVE-2024-53140
- netlink: terminate outstanding dump on socket close
* CVE-2024-53063
- media: dvbdev: prevent the risk of out of memory access
* CVE-2024-50302
- HID: core: zero-initialize the report buffer
Last edited:
CaffeineAddict
Well-Known Member
In Debian it was fixed in Trixie
Last edited:
Condobloke
Well-Known Member
See edit to my post ^^^^^...above
CaffeineAddict
Well-Known Member
Actually not, the backport does not fix those CVE's
But a possible solution is to backport myself.
edit:
Here is CVE list:
Here is the latest available:
Run
apt policy grub2-common to see installed and available version
Last edited:
I can't escape the feeling that, whatever boot loader one is using, if security is even a concern at that point, the vulnerable boot loader is probably the least of one's concerns. If the boot image got hacked, that seems like it's beyond the purview of the boot loader.
On the other hand, I suppose the idea of layered security tells us to make -every- exploit as hard as possible.
On the other hand, I suppose the idea of layered security tells us to make -every- exploit as hard as possible.
That's what 'secure boot' is meant to solve. In theory, it means you're booting only what you said you'd be booting.
I've never had issues with it but some folks do and not all distros are properly signed for it. It's basically just a key exchange. I think it even uses RSA-2048 which is pretty robust. There have been exploits for this though they mean someone has to have physical access to the device - and there have been exploits to almost every bit of software on your system at one point or another.
Aristarchus
Active Member
Where you and your coders have been when systemd was introduced?
absolutely
