CVE-2024-2312

Vulnerability

A vulnerability in the GRUB2 bootloader (CVE-2024-2312) affects Debian/Ubuntu systems using the peimage module. When GRUB2 exits, it does not call module fini functions, leaving the peimage module's UEFI system table hooks active. This results in a use-after-free condition because the memory for the hooks is freed but the pointers remain. The issue is present in signed GRUB2 binaries in Ubuntu Mantic and likely other versions that include the faulty peimage module [1].

Exploitation

An attacker with local access to the system (e.g., booted into the GRUB command line) can trigger the vulnerability by issuing the exit command. This causes GRUB to exit back to the UEFI firmware, but the leftover hooks lead to an exception. The reference crash shows an invalid opcode (#UD) and a stack trace indicating the hooks are pointing to freed memory. No user interaction beyond the exit command is required, but the attacker must have physical or console access to execute GRUB commands [1].

Impact

Successful exploitation leads to a denial of service (system crash) and, more critically, could allow an attacker to bypass Secure Boot. The use-after-free condition might be leveraged to execute arbitrary code in the UEFI context, defeating the Secure Boot chain. However, the public description and reference do not provide a concrete proof-of-concept for Secure Boot bypass [1].

Mitigation

Ubuntu has addressed the issue in a fix for Ubuntu Mantic by reverting the faulty change in the peimage module. Affected users should update their GRUB2 packages to the latest version. As of the publication date (2024-04-05), the fix is available through Ubuntu's package repositories. No workarounds are mentioned in the reference; the primary mitigation is to install the patched GRUB2 [1].