CVE-2022-2601 A buffer overflow was found in grub_font_construct_glyph()

A malicious signed pf2 font can be hosted on the system, and when grub loads the pf2 font during the grub-install or grub-floppy open, then it will fail. A careful look at the pf2 font will reveal the nature of the issue. An example pf2 font is below, notice the location of the buffer overflow.

An attacker can also modify the grub configuration file and set an insecurely generated pf2 font, this will work too.
This issue can be exploited on any Linux distribution using grub1, including Ubuntu, Debian, Linux Mint, Elementary OS, etc. Red Hat Enterprise Linux, CentOS, Oracle Linux, etc are also vulnerable.
This issue affects users of any operating system that use grub1. However, due to the grub-installer framework being present in most Linux distributions, the risk of exploitation is also high. This issue can be exploited manually by an attacker, or automatically by any software that parses the grub configuration file. A vulnerable system will be able to boot the signed pf2 font, even if there is no grub installed on it. This can be exploited in a remote attack scenario.
However, this issue can also be exploited in a local attack scenario, an attacker can create a signed pf2 font on the workstation, and host it on the system, to exploit it in a local attack scenario. This issue can be

Installed Image with Grub-installer Framework

This vulnerability is due to an installed image with grub-installer framework. As grub-installer framework is present in most Linux distributions, the risk of exploitation is also high. This issue can be exploited manually by an attacker, or automatically by any software that parses the grub configuration file. A vulnerable system will be able to boot the signed pf2 font, even if there is no grub installed on it. This can be exploited in a remote attack scenario.
However, this issue can also be exploited in a local attack scenario, an attacker can create a signed pf2 font on the workstation, and host it on the system, to exploit it in a local attack scenario.

Risk assessment based on types of systems affected by the grub-installer issue

The risk of a remote attack is high, because the grub-installer framework is present on most Linux distributions. The risk of a local attack is also high, as the workstation can host a malicious signed pf2 font to exploit it.

Timeline

Published on: 12/14/2022 21:15:00 UTC
Last modified on: 12/16/2022 21:29:00 UTC

References