Grub2: grub2-set-bootflag can be abused by local (pseudo-)users

Vulnerability

A flaw in the grub2-set-bootflag utility, part of the grub2 package, was introduced when fixing CVE-2019-14865. The program creates a temporary file with new grubenv content and renames it to the original grubenv file. If the process is killed before the rename, the temporary file remains. Affected versions include grub2 on Red Hat Enterprise Linux 9 and Fedora systems. The issue is documented in references [1], [2], [3], and [4].

Exploitation

An attacker with local access can repeatedly invoke the SUID grub2-set-bootflag binary and use signals (e.g., SIGKILL) to kill it during the window between temporary file creation and rename. Each invocation leaves an orphaned temporary file in /boot. Repeated exploitation consumes available inodes and disk blocks, eventually causing file creation to fail for other processes [3][4].

Impact

Successful exploitation results in denial of service due to filesystem exhaustion. The /boot partition becomes full, preventing system updates, kernel installations, or any operation requiring file creation in that partition. No privilege escalation or data confidentiality is compromised [3].

Mitigation

Red Hat has released updated packages to address this issue. Fixed versions are included in RHSA-2024:2456 and RHSA-2024:3184 [1][2]. Users should update grub2 to the latest patched version. For systems that cannot be immediately updated, monitoring /boot free inodes and blocks can alert administrators to potential abuse. No workaround completely prevents the issue [3].