Multiple New Security Issues Hit GRUB Bootloader Around Secure Boot

Last summer the GRUB bootloader was impacted by "BootHole" with security issues hitting its UEFI Secure Boot support while today a new round of vulnerabilities were made public.

A new set of GRUB2 security vulnerabilities were made public today affecting its UEFI Secure Boot support. A set of eight CVEs were issued in 2020 and this year for the new issues. The issues include the possibility of specially crafted ACPI tables being loaded even if Secure Boot is active, memory corruption in GRUB's menu rendering, use-after-free in rmmod functionality, the cutmem command allowing privileged users to disable certain memory regions and in turn Secure Boot protections, arbitrary code execution even if Secure Boot is enabled, GRUB 2.05 accidentally re-introducing one of last year's vulnerabilities, and memory corruption from crafted USB device descriptors that could lead to arbitrary code execution.

Today's set of vulnerabilities is another set of nasty issues if relying on Secure Boot and for GRUB's reputation around security issues. The major Linux distributions are in the process of releasing updated GRUB2 signed builds.

More details on these 2021 GRUB security issues via the Ubuntu Wiki.