Bug 1183135 (CVE-2021-3408)

Summary: VUL-0: CVE-2021-3408: grub2: heap out-of-bound write due to mis-calculation of space required for quoting
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Michael Chang <mchang>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: ali.abdallah, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/278894/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3408:7.5:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2021-03-07 10:22:43 UTC
rh#1927436

The grub2 menu rendering code miscalculates the amount of memory needed to hold single-quoted strings. This leads to an out-of-bounds write in grub2's heap of one byte per quote in the input. This results in a 'write-what-where' scenario which an attacker may leverage to compromise heap integrity and possibly achieve code execution, leading to Secure Boot circumvention. For an attack to be successfully deployed, the attacker needs to have high privileges on the targeted system and also triage the heap layout to successfully deploy a crafted payload.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1927436
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3408
https://access.redhat.com/security/cve/CVE-2021-3408
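The description above says the under-allocation is exactly one byte per quote. The following is an added model (not grub's own code) of how such a size miscalculation arises when each embedded single quote is emitted as `'\''`: a length pass that charges 3 bytes per quote versus the 4 bytes the writer actually produces. The function names and the 3-versus-4 constants are assumptions of this model, used to make the arithmetic checkable.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Model of a "setparams"-style prefix builder (hypothetical, not grub's
 * code): each argument is emitted as " '<arg>'" with every embedded
 * single quote rewritten as the four characters '\'' . */

/* Bytes needed for one argument: 1 space + 2 surrounding quotes + body,
 * charging `per_quote` bytes for every embedded single quote. */
static size_t arg_len(const char *arg, size_t per_quote)
{
  size_t len = 3;
  for (const char *p = arg; *p; p++)
    len += (*p == '\'') ? per_quote : 1;
  return len;
}

/* Under-counting variant: assumes a quoted quote costs 3 bytes. */
size_t quoted_len_buggy(const char *arg) { return arg_len(arg, 3); }

/* Correct variant: '\'' is four bytes, so each quote costs 4. */
size_t quoted_len_fixed(const char *arg) { return arg_len(arg, 4); }

/* Writes the quoted form into out, which must hold at least
 * quoted_len_fixed(arg) + 1 bytes. Returns bytes written, excluding NUL. */
size_t quote_arg(const char *arg, char *out)
{
  char *q = out;
  *q++ = ' ';
  *q++ = '\'';
  for (const char *p = arg; *p; p++)
    {
      if (*p == '\'')
        { *q++ = '\''; *q++ = '\\'; *q++ = '\''; *q++ = '\''; }
      else
        *q++ = *p;
    }
  *q++ = '\'';
  *q = '\0';
  return (size_t)(q - out);
}

/* How many bytes the buggy estimate falls short of the real output:
 * one for every embedded quote. A correctly sized buffer is used here,
 * so the shortfall is measured rather than overflowed. */
size_t shortfall(const char *arg)
{
  char *buf = malloc(quoted_len_fixed(arg) + 1);
  size_t written = quote_arg(arg, buf);
  free(buf);
  return written - quoted_len_buggy(arg);
}
```

A length pass and a write pass that disagree by a constant per special character is the pattern to look for in review: the two should be derived from one shared table or one shared routine.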
Comment 2 Michael Chang 2021-03-08 09:52:08 UTC
The bug was marked as a duplicate of CVE-2021-20233 [1], for which we have already done the backport in the previous round of boothole2 security fixes ... 

- Fix CVE-2021-20233 (bsc#1182263)
  * 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1927436#c4

Thanks.
Comment 3 Marcus Meissner 2021-03-08 11:39:20 UTC
marking as duplicate

*** This bug has been marked as a duplicate of bug 1182263 ***