It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-020 advisory.

  - A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area. An attacker may     take advantage of that to cause heap data corruption or eventually arbitrary code execution and circumvent     secure boot protections. This issue has a high complexity to be exploited as an attacker needs to perform     some triage over the heap layout to achieve signifcant results, also the values written into the memory     are repeated three times in a row making difficult to produce valid payloads. This flaw affects grub2     versions prior grub-2.12. (CVE-2021-3695)

  - A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader. This may     lead to data corruption in the heap space. Confidentiality, Integrity and Availablity impact may be     considered Low as it's very complex to an attacker control the encoding and positioning of corrupted     Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention. This     flaw affects grub2 versions prior grub-2.12. (CVE-2021-3696)

  - A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data     to be written in heap. To a successful to be performed the attacker needs to perform some triage over the     heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data     corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions     prior grub-2.12. (CVE-2021-3697)

  - A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong     permission set allowing non privileged users to read its content. This represents a low severity     confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg.
    This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no     version with the fix is currently released. (CVE-2021-3981)

  - A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an     overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph,     this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this     vulnerability to circumvent the secure boot mechanism. (CVE-2022-2601)

  - When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed     glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input     which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability     issues. Although complex, arbitrary code execution could not be discarded. (CVE-2022-3775)

  - grub2: Integer underflow in grub_net_recv_ip4_packets (CVE-2022-28733)

  - grub2: Out-of-bound write when handling split HTTP headers (CVE-2022-28734)

  - grub2: shim_lock verifier allows non-kernel files to be loaded (CVE-2022-28735)

  - grub2: use-after-free in grub_cmd_chainloader() (CVE-2022-28736)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2023 : grub2-common, grub2-efi-aa64, grub2-efi-aa64-cdboot (ALAS2023-2023-020)

high Nessus Plugin ID 173192

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Jan 17, 2024, 2:38 PM CVSS metrics ("CVSSv3 score" set to 8.6. "CVSSv3 vector" set to "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H") CVSSv3 score source (changed from "CVE-2022-28734" to "CVE-2022-2601") Plugin Feed: 202401171438
Version 1.2 Jul 31, 2023, 2:04 PM CVSS metrics ("CVSSv3 score" changed from 8.6 to 9.8. "CVSSv3 vector" changed from "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSSv3 score source (changed from "CVE-2022-2601" to "CVE-2022-28734") Plugin Feed: 202307311404
Version 1.1 May 25, 2023, 3:03 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202305251503
Version 1.0 Mar 22, 2023, 12:14 AM New Plugin Feed: 202303220014