CVE-2023-4693 - Out-of-Bounds Read in GRUB2 NTFS Driver – How Attackers Can Leak Memory via Evil USBs

---

Introduction

Bootloader vulnerabilities are rare and dangerous, especially when it comes to leaking memory right at the start of a system’s lifecycle. CVE-2023-4693 brings attention to such a threat: a serious out-of-bounds read bug in GRUB2’s NTFS driver. This flaw makes it possible for attackers with physical access to a machine (think: plugging in a malicious USB stick) to read sensitive memory contents, including confidential EFI variables.

Let’s break down how this vulnerability works, see the actual code logic, and talk about what this means for your system’s security.

What is CVE-2023-4693?

*CVE-2023-4693* is a vulnerability affecting GRUB2, the bootloader used by most popular Linux distributions. The core issue is in GRUB2's NTFS filesystem driver. When mounting or reading a specially modified NTFS file system, GRUB2 can accidentally read data from memory it shouldn't—known as an “out-of-bounds read.” This could include leftover sensitive system data, EFI variables (like Secure Boot passwords), or bits of previous computation.

This is especially dangerous because it happens *pre-boot*, before the OS even loads, potentially exposing secrets that are stored or passed around at boot time.

References

- Red Hat Security Advisory
- GRUB2 Project
- oss-security thread

How Does the Exploit Work?

1. Physical Access Needed: Attackers must be physically present, typically with a USB stick containing a maliciously-crafted NTFS filesystem.
2. System Boots the USB: The target computer is booted from the USB stick, with GRUB2 loading its NTFS driver to read the USB filesystem.
3. Malformed Filesystem Abuse: The malicious NTFS image is constructed to trigger an out-of-bounds read in GRUB2’s NTFS parsing code.
4. Memory Leak: On access, the bootloader reads beyond the legitimate NTFS data structure, exposing chunks of memory that could contain sensitive information.

Looking at the Vulnerability in Code

Here is a simplified and annotated pseudocode snippet based on the kind of bug described in public disclosures:

// grub2 ntfs.c
// Faulty area: Reading more data than the allocated buffer allows

/* Reads index buffer from NTFS file entry */
if (/* malformed NTFS image causes size to exceed buffer length */) {
    for (int i = ; i < entry_count; i++) {
        // Out-of-bounds read occurs here when 'entry_count' is too large
        entry = buffer[i];  // Reads past the end of 'buffer'
        process_entry(entry);
    }
}

A malicious image manipulates metadata so that entry_count is much larger than the actual allocated buffer, making the for-loop go beyond its bounds and reading unrelated memory.

The real vulnerability in GRUB2’s code, for example, is triggered when parsing NTFS directories or attributes with sizes or counts sourced from the image itself, not properly checked against buffer limits.

To exploit this, a hacker would

- Build an NTFS filesystem image with directory records or attribute tables stating far more entries than actually stored.
- Force GRUB2’s NTFS parser to loop further, reading whatever sits in memory after the legitimate data.
- Collect the dumped memory, searching for confidential info (syntax or values of EFI variables, keys, etc.).

Here’s a toolchain example (simplified)

# Hypothetically pad an NTFS image to poison buffer parsing
dd if=/dev/zero of=evil_ntfs.img bs=1M count=10
mkntfs --quick evil_ntfs.img
# Now use custom tools/scripts (not shown) to edit NTFS metadata
# Insert fake directory entries pointing "outside" the valid range

Real-World Impact

- High Confidentiality Risk: The attack leaks whatever GRUB2 or UEFI has in RAM (as far as the out-of-bounds read stretches), potentially including sensitive vars like Secure Boot state, disk passwords, or keys cached at boot.
- No Remote Attacks: The attacker *must* have physical access and boot the system with the infected filesystem.

Defenses and Mitigation

- Firmware and GRUB2 Upgrades: Install the latest security updates from your Linux distro or vendor (they’ll have backported the fix).
- Physical Security: Restrict unauthorized USB access and boot device changes via BIOS/firmware settings.
- Disable Unused Filesystem Drivers: If NTFS boot support is not needed, remove it from your bootloader configuration.

Conclusion

CVE-2023-4693 is a potent demonstration that even bootloaders, which are supposed to be simple and secure, can leak your secrets given the right file system voodoo. If you manage servers, laptops, or desktops using GRUB2—update it now. Never underestimate what a small, lookalike USB stick can do before your operating system even loads.

Further Reading and Links

- CVE-2023-4693 Official NVD Entry
- Grub2 Git Commit Fix (example)
- Red Hat Security Blog

Timeline

Published on: 10/25/2023 18:17:41 UTC
Last modified on: 11/07/2023 04:22:50 UTC