Bug 2090463 (CVE-2022-28734)

Summary: CVE-2022-28734 grub2: Out-of-bound write when handling split HTTP headers
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bootloader-eng-team, jaredz, mlewando, pjanda, pjones, pkotvan, rharwood, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: grub 2.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2 when handling split HTTP headers. While processing a split HTTP header, grub2 wrongly advances its control pointer into the internal buffer by one position, which can lead to an out-of-bounds write. An attacker can leverage this issue by crafting a malicious set of HTTP packets that makes grub2 corrupt its internal memory metadata structure. This leads to data integrity and confidentiality issues, or forces grub to crash, resulting in a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-06-16 21:38:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2090467, 2090468, 2090469, 2090470, 2090471, 2090472, 2090473, 2090478, 2090479, 2090480, 2090481, 2090482
Bug Blocks: 1991681

Description Marco Benatto 2022-05-25 19:50:52 UTC
When handling split HTTP headers, grub2 HTTP code accidentally advances its internal data buffer pointer by one position. This can lead to an out-of-bounds write further on when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker-controlled set of packets can lead to corruption of grub's internal memory metadata.
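
The situation described in this record, a header line that arrives split across two packets, is illustrated below with a constructed C line accumulator written for this page. It is not grub2's net/http.c and not the fix; it shows the invariant that rules out this class of off-by-one: the NUL terminator is only ever written at data[len], the allocation always reserves room for it, and the CR strip checks the length before indexing backwards. The packet contents, struct names and function names are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not grub2's code: an HTTP header line
 * accumulator that copes with a line split across received packets.
 * Invariant: len + 1 <= cap whenever data is non-NULL, so the NUL at
 * data[len] always lands inside the allocation. */
struct line_buf {
    char *data;   /* heap buffer, NUL-terminated once allocated */
    size_t len;   /* bytes of line content stored, excluding the NUL */
    size_t cap;   /* allocated bytes, including room for the NUL */
};

/* Append n bytes of src to the pending line. Returns 0 on success. */
static int line_append(struct line_buf *lb, const char *src, size_t n)
{
    if (lb->len + n + 1 > lb->cap) {
        size_t ncap = (lb->len + n + 1) * 2;
        char *p = realloc(lb->data, ncap);
        if (p == NULL)
            return -1;
        lb->data = p;
        lb->cap = ncap;
    }
    memcpy(lb->data + lb->len, src, n);
    lb->len += n;
    lb->data[lb->len] = '\0';   /* inside the allocation by construction */
    return 0;
}

/* Feed one received packet. Every complete line ("\n"-terminated, with an
 * optional "\r" stripped) is passed to on_line; a trailing partial line
 * stays pending until the next packet. Returns lines emitted, or -1. */
static int feed_packet(struct line_buf *lb, const char *pkt, size_t n,
                       void (*on_line)(const char *, void *), void *ctx)
{
    int lines = 0;
    while (n > 0) {
        const char *nl = memchr(pkt, '\n', n);
        if (nl == NULL)   /* header split across packets: stash and wait */
            return line_append(lb, pkt, n) < 0 ? -1 : lines;
        size_t take = (size_t)(nl - pkt);   /* bytes before the '\n' */
        if (line_append(lb, pkt, take) < 0)
            return -1;
        /* Strip the CR only if a byte exists: the empty line that ends
         * the headers must not index data[-1]. */
        if (lb->len > 0 && lb->data[lb->len - 1] == '\r')
            lb->data[--lb->len] = '\0';
        on_line(lb->data, ctx);
        lines++;
        lb->len = 0;          /* reuse the allocation for the next line */
        lb->data[0] = '\0';
        pkt = nl + 1;
        n -= take + 1;
    }
    return lines;
}

/* Sink that records up to 8 lines of at most 63 bytes each. */
struct collect { char lines[8][64]; int count; };

static void collect_line(const char *line, void *ctx)
{
    struct collect *c = ctx;
    if (c->count < 8) {
        snprintf(c->lines[c->count], sizeof c->lines[0], "%s", line);
        c->count++;
    }
}

/* Drive the accumulator with two constructed packets that split the
 * Content-Length header in the middle; the last line is the empty
 * end-of-headers line. */
static void run_demo(struct collect *c)
{
    static const char pkt1[] = "HTTP/1.1 200 OK\r\nContent-Len";        /* constructed */
    static const char pkt2[] = "gth: 42\r\nConnection: close\r\n\r\n";   /* constructed */
    struct line_buf lb = {0};
    memset(c, 0, sizeof *c);
    feed_packet(&lb, pkt1, sizeof pkt1 - 1, collect_line, c);
    feed_packet(&lb, pkt2, sizeof pkt2 - 1, collect_line, c);
    free(lb.data);
}

int demo_line_count(void)
{
    struct collect c;
    run_demo(&c);
    return c.count;
}

int demo_line_equals(int idx, const char *expected)
{
    struct collect c;
    run_demo(&c);
    return idx < c.count && strcmp(c.lines[idx], expected) == 0;
}

int main(void)
{
    struct collect c;
    run_demo(&c);
    for (int i = 0; i < c.count; i++)
        printf("line %d: \"%s\"\n", i, c.lines[i]);
    return 0;
}
```

The design point for a reviewer is that the length used to place the terminator is the same length that sized the allocation, and the partial-line path and the complete-line path share one append routine instead of maintaining separate pointers that can drift by one.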

Comment 3 errata-xmlrpc 2022-06-16 13:51:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5098 https://access.redhat.com/errata/RHSA-2022:5098

Comment 4 errata-xmlrpc 2022-06-16 14:55:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5096 https://access.redhat.com/errata/RHSA-2022:5096

Comment 5 errata-xmlrpc 2022-06-16 15:23:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5099 https://access.redhat.com/errata/RHSA-2022:5099

Comment 6 errata-xmlrpc 2022-06-16 15:34:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5095 https://access.redhat.com/errata/RHSA-2022:5095

Comment 7 errata-xmlrpc 2022-06-16 15:46:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5100 https://access.redhat.com/errata/RHSA-2022:5100

Comment 8 Product Security DevOps Team 2022-06-16 21:37:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-28734

Comment 11 Vipul Nair 2023-12-28 13:28:46 UTC
Hey Marco, I need your help with the CVSS restoring on this one.

Comment 12 Marco Benatto 2024-01-15 17:14:35 UTC
As the attacker doesn't have full control over the memory region being overwritten by the buffer overflow, the most likely result is a denial of service in grub2. As a result, the memory corruption is constrained and represents a low impact on data confidentiality and data integrity, while the impact on availability is considered high.