Security Vulnerability: Boothole 2022 / Boothole 3

This document (000020668) is provided subject to the disclaimer at the end of this document.

Environment

For a comprehensive list of affected products, please review the mentioned SUSE CVE announcements in this article.

Situation

Grub developers and security researchers have identified more security-relevant bugs in the grub2 and shim bootloaders, which could be used by local attackers to circumvent the secure boot chain.

This vulnerability has similar effects and considerations as the original Boothole and Boothole2 issues.

For regular users who have their machine under full control, this is less of an issue than in scenarios that rely on secure boot, such as public systems.

Resolution

Security issues addressed:

- CVE-2021-3695: A crafted PNG grayscale image may have led to an out-of-bounds write in the heap.
- CVE-2021-3696: A crafted PNG image may have led to an out-of-bounds write during Huffman table handling.
- CVE-2021-3697: A crafted JPEG image could have led to a buffer underflow write in the heap.

  These security issues require attackers to supply crafted images to
  grub2, which is unlikely in common local scenarios, but can allow
  bypassing the secure boot chain.

- CVE-2022-28733: Fixed net/ip to do ip fragment maths safely.

  If grub2 is loading artefacts from the network, this could be used by
  man-in-the-middle attackers to execute code. This is an uncommon
  scenario.

- CVE-2022-28737: Fixed a buffer overflow in shim.

- CVE-2022-28734: Fixed net/http OOB write for split http headers.

  If grub2 is loading artefacts from the network, this could be used by
  man-in-the-middle attackers to execute code. This is an uncommon
  scenario.

- CVE-2022-28735: grub2 verifier framework changes to avoid potential bypasses.
- CVE-2022-28736: Fixed a use-after-free in chainloader command.

SUSE will:

- Switch to a new secure boot signing key for secure boot signed artefacts.

- Release grub2 updates, with incremented SBAT revision on x86_64 and also
  signed with the new secure boot key to allow disabling it on IBM Z and
  IBM Power.

- Release Linux Kernel Updates signed with the new signing key around June 14
  and following days on our regular "second Tuesday of the month" kernel release
  time.

- Release various other secure boot signed artefact packages over the next days
  and weeks.

- Release new shim version that disallows use of the previous secure boot keys
  and also fixes a shim security issue, with incremented SBAT version after 
  all the previous updates.
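
How an incremented SBAT revision takes effect, shown as an added example that is not SUSE's or shim's code: shim compares the generation number of each component listed in a binary's .sbat section with the minimum in its revocation list and refuses binaries that fall below it. The sample entries, the vendor name and the generation numbers are constructed for illustration and are not SUSE's actual values.

```python
import csv
import io

# Constructed sample data: not SUSE's real SBAT entries or revocation levels.
SAMPLE_OLD_GRUB = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,1,Example Vendor,grub2,2.06-1,https://vendor.example/
"""
# Same binary metadata after an update that increments the grub generation.
SAMPLE_NEW_GRUB = SAMPLE_OLD_GRUB.replace("grub,1,Free", "grub,2,Free")
# Revocation list: component name and the minimum generation still accepted.
SAMPLE_REVOCATIONS = """sbat,1,2022010100
grub,2
"""


def parse_sbat(text):
    """Return {component: generation} from SBAT CSV text.

    Works for both a .sbat section and a revocation list, because only the
    first two fields (name, generation) matter for the comparison.
    A non-numeric generation raises ValueError rather than being skipped.
    """
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue  # blank or truncated line
        entries[row[0].strip()] = int(row[1])
    return entries


def check(binary_sbat, revocations):
    """Return (allowed, reasons) for a binary against a revocation list."""
    entries = parse_sbat(binary_sbat)
    minimums = parse_sbat(revocations)
    if not entries:
        # Assumption of this sketch: a binary without SBAT data fails closed.
        return False, ["no SBAT entries"]
    reasons = [
        f"{name}: generation {gen} < required {minimums[name]}"
        for name, gen in entries.items()
        if name in minimums and gen < minimums[name]
    ]
    return not reasons, reasons


if __name__ == "__main__":
    for label, sbat in (("old grub2", SAMPLE_OLD_GRUB), ("new grub2", SAMPLE_NEW_GRUB)):
        print(label, check(sbat, SAMPLE_REVOCATIONS))
```

Components that the revocation list does not name, such as the vendor-specific entry here, are not restricted by it.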

References:

grub2 security issues:

- https://www.suse.com/security/cve/CVE-2022-28736
- https://www.suse.com/security/cve/CVE-2022-28735
- https://www.suse.com/security/cve/CVE-2022-28734
- https://www.suse.com/security/cve/CVE-2022-28733
- https://www.suse.com/security/cve/CVE-2021-3697
- https://www.suse.com/security/cve/CVE-2021-3696
- https://www.suse.com/security/cve/CVE-2021-3695

shim security issue:

- https://www.suse.com/security/cve/CVE-2022-28737

Status

Security Alert

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020668
  • Creation Date: 08-Jun-2022
  • Modified Date: 08-Jun-2022
    • SUSE Enterprise Storage
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Real Time
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
    • SUSE Manager Server
    • SUSE Linux Enterprise Micro
    • SUSE Linux Enterprise HPC
