On Friday, February 9th, 2024 at 5:36 PM, Frantisek Rysanek <[email protected]> wrote:
> > Article: Critical Boot Loader Vulnerability in Shim Impacts Nearly All
> > Linux Distros
> > Link:
> > https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html
> >
> > May I know if Shim is an important component of GNU Grub?
>
> This is what the Shim does:
> https://github.com/rhboot/shim#shim-a-first-stage-uefi-bootloader
>
> Disclaimer: I am no expert on Grub or Shim or security.
> So my superficial reading of the message is:
>
> If you happen to netboot (PXEboot) using HTTP to transport your
> kernel+initrd,
> AND you have SecureBoot enabled, meaning that you rely on it for
> security,
> AND you're therefore using the Shim, to sign on the fly your kernel
> or whatever binaries you need to chainload off the LAN,
> ... THEN you are susceptible to the CVE, where the attacker (pulling
> off a MITM) can meticulously craft a binary payload, knowing the
> inner workings of the Shim, to execute his own arbitrary code, as
> part of the Shim.
>
> Color me illiterate... isn't the assumed background scenario
> 1) rare
> 2) offering other, much simpler ways of attack, once you're in the
> MITM position, such as providing your own kernel and initrd,
> effectively booting your own OS in the first place?
>
> If you have someone capable of a MITM inside your LAN, don't you have
> a much more serious problem in the first place?
>
> I am no expert on this scenario, and I feel judgemental in my
> possibly unfounded opinion. Corrections are welcome.
>
> If I understand this correctly:
>
> - Linux distros booting from local disk, in legacy or UEFI mode,
> UEFI with or without SecureBoot, are not affected
>
> - machines PXE-booting without SecureBoot (in legacy or UEFI mode)
> are not affected
>
> Except that booting without SecureBoot especially over the network
> maybe offers other, more serious vectors of attack.
>
> Overall, somehow I don't see anybody panic.
>
> Side note: I am not exactly sure, if this is specific to Grub. Grub
> indeed seems capable of PXE-booting with UEFI support, and uses the
> Shim in disk-based UEFI boot first and foremost. Not sure if iPXE is
> also affected. I don't know if the Shim including the CVE is present
> in iPXE, or can be combined with iPXE explicitly.
>
> Frank

Sounds too complicated for me to understand. I gave up.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
