Bug 2090463 (CVE-2022-28734) - CVE-2022-28734 grub2: Out-of-bound write when handling split HTTP headers
Summary: CVE-2022-28734 grub2: Out-of-bound write when handling split HTTP headers
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-28734
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2090467 2090468 2090469 2090470 2090471 2090472 2090473 2090478 2090479 2090480 2090481 2090482
Blocks: 1991681
Reported: 2022-05-25 19:50 UTC by Marco Benatto
Modified: 2024-01-15 17:17 UTC
CC List: 8 users

Fixed In Version: grub 2.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2 when handling split HTTP headers. While processing a split HTTP header, grub2 wrongly advances its control pointer into the internal buffer by one position, which can lead to an out-of-bounds write. An attacker could exploit this flaw by crafting a malicious sequence of HTTP packets that makes grub2 corrupt its internal memory metadata structures. This leads to data integrity and confidentiality issues, or forces grub2 to crash, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2022-06-16 21:38:01 UTC
Embargoed:

Links
Red Hat Product Errata RHBA-2022:5105 (last updated 2022-06-16 21:08:40 UTC)
Red Hat Product Errata RHBA-2022:5121 (last updated 2022-06-20 01:27:31 UTC)
Red Hat Product Errata RHBA-2022:5127 (last updated 2022-06-20 12:12:13 UTC)
Red Hat Product Errata RHBA-2022:5128 (last updated 2022-06-20 14:27:08 UTC)
Red Hat Product Errata RHBA-2022:5170 (last updated 2022-06-22 11:38:39 UTC)
Red Hat Product Errata RHBA-2022:5437 (last updated 2022-06-30 07:15:21 UTC)
Red Hat Product Errata RHBA-2022:5578 (last updated 2022-07-13 15:10:20 UTC)
Red Hat Product Errata RHBA-2022:5643 (last updated 2022-07-19 15:32:29 UTC)
Red Hat Product Errata RHSA-2022:5095 (last updated 2022-06-16 15:34:07 UTC)
Red Hat Product Errata RHSA-2022:5096 (last updated 2022-06-16 14:55:35 UTC)
Red Hat Product Errata RHSA-2022:5098 (last updated 2022-06-16 13:51:23 UTC)
Red Hat Product Errata RHSA-2022:5099 (last updated 2022-06-16 15:23:56 UTC)
Red Hat Product Errata RHSA-2022:5100 (last updated 2022-06-16 15:46:08 UTC)

Description Marco Benatto 2022-05-25 19:50:52 UTC
When handling split HTTP headers, grub2's HTTP code accidentally advances its internal data buffer pointer by one position. This can lead to an out-of-bounds write later when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker-controlled set of packets can lead to corruption of grub's internal memory metadata.
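The following is an added illustration, not grub2's code and not the reporter's: it models the bug class named above (a write cursor advanced one position further than the bytes actually copied, so the terminating NUL lands one byte past the buffer) with a hypothetical header accumulator, and shows the corrected version beside it. The buffer size, the canary byte and the two header fragments are constructed for the demo; the backing array is one byte longer than the logical buffer so that the stray write hits the canary and stays observable rather than corrupting unrelated memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_CAP 16        /* logical capacity of the header line buffer (hypothetical) */
#define CANARY  0xA5      /* sentinel stored in the byte just past the logical buffer */

/* Header accumulator: fragments of one header line arrive in separate
 * packets and are joined here.  data[0..HDR_CAP-1] is the logical buffer;
 * data[HDR_CAP] holds the canary so an off-by-one write can be detected. */
typedef struct {
    char  data[HDR_CAP + 1];
    char *cur;                /* write cursor: next free byte of the logical buffer */
} hdr_acc_t;

void acc_init(hdr_acc_t *a)
{
    memset(a->data, 0, sizeof a->data);
    a->data[HDR_CAP] = (char)CANARY;
    a->cur = a->data;
}

/* Capacity check shared by both versions: the fragment plus the
 * terminating NUL must fit inside the logical buffer. */
static bool fits(const hdr_acc_t *a, size_t n)
{
    return (size_t)(a->cur - a->data) + n < HDR_CAP;
}

/* Buggy version modelling the flaw class: the cursor is advanced one
 * position further than the bytes just copied, so the terminating NUL can
 * land at data[HDR_CAP], one byte past the logical buffer. */
bool acc_append_buggy(hdr_acc_t *a, const char *frag, size_t n)
{
    if (!fits(a, n))
        return false;
    memcpy(a->cur, frag, n);
    a->cur += n + 1;          /* BUG: off-by-one cursor advance */
    *a->cur = '\0';           /* may write past the logical buffer */
    return true;
}

/* Corrected version: the cursor advances by exactly the bytes copied, so
 * together with fits() the NUL is always written at an index <= HDR_CAP-1. */
bool acc_append(hdr_acc_t *a, const char *frag, size_t n)
{
    if (!fits(a, n))
        return false;
    memcpy(a->cur, frag, n);
    a->cur += n;
    *a->cur = '\0';
    return true;
}

bool acc_canary_intact(const hdr_acc_t *a)
{
    return (unsigned char)a->data[HDR_CAP] == CANARY;
}

typedef bool (*append_fn)(hdr_acc_t *, const char *, size_t);

/* Feed one header line, split across two packets (constructed sample),
 * through the given accumulator and leave the result in *out. */
static void feed_split_header(append_fn append, hdr_acc_t *out)
{
    static const char frag1[] = "Host: ex";
    static const char frag2[] = "ample.";
    acc_init(out);
    append(out, frag1, strlen(frag1));
    append(out, frag2, strlen(frag2));
}

/* True when the canary survived the split-header run. */
bool run_split_header(append_fn append)
{
    hdr_acc_t acc;
    feed_split_header(append, &acc);
    return acc_canary_intact(&acc);
}

/* True when the accumulated header text equals `expected`. */
bool accumulated_header_is(append_fn append, const char *expected)
{
    hdr_acc_t acc;
    feed_split_header(append, &acc);
    return strcmp(acc.data, expected) == 0;
}

int main(void)
{
    printf("buggy accumulator: canary intact = %s\n",
           run_split_header(acc_append_buggy) ? "yes" : "no");
    printf("fixed accumulator: canary intact = %s, header ok = %s\n",
           run_split_header(acc_append) ? "yes" : "no",
           accumulated_header_is(acc_append, "Host: example.") ? "yes" : "no");
    return 0;
}
```

With the buggy accumulator the second fragment ends exactly one byte short of the buffer, the capacity check passes, and the extra cursor advance places the NUL on the canary; the corrected version terminates inside the buffer and also yields the intact header text, since the buggy cursor additionally leaves a stray zero byte in the middle of the joined line.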

Comment 3 errata-xmlrpc 2022-06-16 13:51:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5098 https://access.redhat.com/errata/RHSA-2022:5098

Comment 4 errata-xmlrpc 2022-06-16 14:55:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5096 https://access.redhat.com/errata/RHSA-2022:5096

Comment 5 errata-xmlrpc 2022-06-16 15:23:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5099 https://access.redhat.com/errata/RHSA-2022:5099

Comment 6 errata-xmlrpc 2022-06-16 15:34:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5095 https://access.redhat.com/errata/RHSA-2022:5095

Comment 7 errata-xmlrpc 2022-06-16 15:46:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5100 https://access.redhat.com/errata/RHSA-2022:5100

Comment 8 Product Security DevOps Team 2022-06-16 21:37:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-28734

Comment 11 Vipul Nair 2023-12-28 13:28:46 UTC
Hey Marco, I need your help with the CVSS restoring on this one.

Comment 12 Marco Benatto 2024-01-15 17:14:35 UTC
As the attacker doesn't have full control over the memory region being overwritten by the buffer overflow, the most likely result is a denial of service in grub2. As a result, the memory corruption is constrained and represents a low impact on data confidentiality and data integrity, while the impact on availability is considered high.
