Today, we are going to discuss CVE-2022-28735, which is a critical vulnerability affecting the GNU GRand Unified Bootloader version 2 (GRUB2), more specifically the shim_lock verifier. This vulnerability allows malicious or misconfigured non-kernel files to be loaded on shim-powered secure boot systems, potentially introducing unverified code and modules into the secure boot process. By exploiting this vulnerability, an attacker may be able to load and execute untrusted code on the target system, compromising the integrity and security of the secure boot process.

How the Vulnerability Works

In order to better understand the implications of CVE-2022-28735, let's have a quick overview of the secure boot process and how GRUB2 is involved. Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) that aims to protect the boot process from malicious tampering. It uses cryptographic signatures and keys to validate the integrity of firmware, bootloaders, drivers, and other relevant components. GRUB2 is a commonly used bootloader in Linux distributions, and it plays a critical role in the secure boot process, as it is responsible for loading the kernel and other necessary files during the boot sequence.

The GRUB2's shim_lock verifier is designed to enforce that only kernel files signed with a trusted key can be loaded during the secure boot process. However, the CVE-2022-28735 vulnerability allows non-kernel files, such as boot profiles or other configuration files, to be loaded on shim-powered secure boot systems. These files may potentially contain harmful code or unintended configurations that were not verified against any trusted key, breaking the trust-chain of the secure boot process.

Exploit Details

The vulnerability was initially reported by researchers from cybersecurity firm Eclypsium and confirmed by the GRUB2 maintainers. The official references for the vulnerability are as follows:

- CVE-2022-28735: NIST National Vulnerability Database
- Eclypsium Blog Post: Link

The following code snippet shows an example of how a malicious non-kernel file might be loaded during the GRUB2 boot process:

# Example of a vulnerable GRUB2 configuration file
# The 'normal' module is not signed, but still gets loaded by 'shim_lock'

menuentry 'My Distro' {
    insmod normal
    normal (hd,1)/boot/normal-module.cfg

In this example, despite the lack of a trusted signature on the normal module and the normal-module.cfg configuration file, the shim_lock verifier still allows them to be loaded by GRUB2, potentially executing untrusted code on the target system.

Mitigation and Patching

The GRUB2 maintainers and some major Linux distributions have released patches to address the CVE-2022-28735 vulnerability. The Eclypsium blog post details the steps taken by various Linux distributions, such as Ubuntu, Debian, and Fedora, to resolve the issue. Users are strongly encouraged to install the latest updates and patches available for their distribution to mitigate this vulnerability.

In addition to installing the recommended patches, it is essential to follow good security practices, such as:

- Regularly review and verify the origins and trust-chain of the firmware, bootloaders, and other critical components in your systems.

Practice least privilege principle; limit user and system access to essential files and functions.

- Enable security features, such as Secure Boot and other protection mechanisms designed to protect the integrity of your systems.


CVE-2022-28735 is a crucial vulnerability affecting the GRUB2 bootloader and the secure boot process in many Linux systems. This vulnerability allows non-kernel files to be loaded during the boot process, which may potentially lead to the execution of untrusted code on target systems. It is crucial to be aware of this vulnerability, apply the necessary patches, and follow good security practices to maintain your system's integrity and security.


Published on: 07/20/2023 01:15:00 UTC
Last modified on: 08/25/2023 23:15:00 UTC