CVE-2021-3418
Description
GRUB2 2.05 reintroduces CVE-2020-15705: when certificates are in db, GRUB boots any kernel without signature validation, bypassing Secure Boot and lockdown.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-3418 is a reintroduction of CVE-2020-15705 in grub2 version 2.05, affecting versions prior to 2.06. The flaw resides in the shim_lock mechanism. If certificates that signed GRUB are installed into the db (Secure Boot signature database), GRUB can be booted directly. Subsequently, it will boot any kernel without performing signature validation [1].
Exploitation
An attacker who has physical access or can control the boot process can place a tampered kernel on the system. When the system boots with Secure Boot enabled and the attacker’s certificates are in the db, GRUB will load and execute the tampered kernel without verifying its signature [1].
Impact
If the flaw is exploited, the booted kernel believes it was started in Secure Boot mode and enforces Linux's lockdown mechanism, even though the kernel itself may have been modified. This undermines the integrity guarantees of Secure Boot, potentially allowing arbitrary code execution at the kernel level behind the appearance of a secure, locked-down environment [1].
Mitigation
The issue is fixed in grub2 version 2.06. Users should upgrade to this version or later. If upgrading is not immediately possible, ensure that only trusted certificates are installed in the Secure Boot db and restrict physical access to the system. No workaround is available from the referenced advisory [1].
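A defender-side check for the two mitigation points above (fixed version 2.06, and only trusted certificates in the Secure Boot db), written as an added example that is not part of the CVE record or of the GRUB project. It assumes GNU `sort -V` for version ordering, that `grub-install --version` (or `grub2-install` on Red Hat-style systems) prints a line containing the version number, and that `mokutil --db` prints certificate details with indented `Subject:` lines; the embedded db listing is a constructed sample, not real firmware output.

```shell
#!/bin/sh
# Added check for CVE-2021-3418 exposure (example, not the CVE record's or GRUB's own code).
# Assumptions: GNU sort -V; grub-install/grub2-install and mokutil available when run live.

FIXED_GRUB_VERSION="2.06"   # first release containing the fix, per the CVE record

# Return 0 (true) when the given GRUB version is older than the fixed release.
grub_version_vulnerable() {
    ver="$1"
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_GRUB_VERSION" | sort -V | head -n1)
    [ "$lowest" = "$ver" ] && [ "$ver" != "$FIXED_GRUB_VERSION" ]
}

# Pull the first "major.minor" token out of a grub-install --version line.
# e.g. "grub-install (GRUB) 2.05" -> "2.05"   (constructed sample format; distros vary)
grub_version_from_output() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+' | head -n1
}

# Read mokutil --db style text on stdin and print Subject lines that do not
# match the allow-list pattern in $1 (extended regex). Anything printed is a
# certificate in db that was not expected and should be reviewed.
unexpected_db_subjects() {
    grep -E '^[[:space:]]*Subject:' | grep -vE "$1"
}

# Constructed sample of mokutil --db output (assumed format; not captured from a real system).
SAMPLE_DB='[key 1]
Certificate:
    Data:
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
Certificate:
    Data:
        Subject: O=Constructed Example, CN=Example Custom GRUB Signing Key'

# Live check: only runs when explicitly requested, so the script is safe to source.
check_live_system() {
    out=$(grub-install --version 2>/dev/null || grub2-install --version 2>/dev/null || true)
    ver=$(grub_version_from_output "$out")
    if [ -z "$ver" ]; then
        echo "could not determine GRUB version from: '$out'"
    elif grub_version_vulnerable "$ver"; then
        echo "GRUB $ver is older than $FIXED_GRUB_VERSION: upgrade (CVE-2021-3418)"
    else
        echo "GRUB $ver is at or above $FIXED_GRUB_VERSION"
    fi
    echo "Secure Boot db subjects not matching the allow-list:"
    # Allow-list pattern is a placeholder; replace with your platform's expected CA names.
    mokutil --db 2>/dev/null | unexpected_db_subjects 'Microsoft Corporation UEFI CA 2011' \
        || echo "  (none)"
}

if [ "${RUN_LIVE_GRUB_CHECK:-0}" = "1" ]; then
    check_live_system
fi
```

Run with `RUN_LIVE_GRUB_CHECK=1 sh grub-check.sh` on a host to get both reports; sourcing the file without that variable only defines the functions, which is what the sample-driven checks below rely on. The allow-list pattern is deliberately a placeholder: the point of the db review is that any signing certificate present in db is trusted to boot GRUB directly, so every entry should be one you can account for.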
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- grub2/grub2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. bugzilla.redhat.com/show_bug.cgi (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.