CVE-2021-3981 Overview
A flaw in GRUB2 was found where its configuration file, known as grub.cfg, is being created with incorrect permission settings allowing non-privileged users to read its content. This represents a confidentiality issue, as those users can eventually read any encrypted passwords present in the configuration file. The vulnerability affects GRUB2 version 2.06 and all previous versions. While this issue has been fixed in the upstream GRUB2 repository, no version with the fix has been officially released at the time of initial disclosure.
Critical Impact
Non-privileged local users can read sensitive configuration data including encrypted passwords from grub.cfg due to improper file permissions.
Affected Products
- GNU GRUB2 versions 2.06 and earlier
- Fedora Project Fedora 34
- Linux distributions using vulnerable GRUB2 versions
Discovery Timeline
- 2022-03-10 - CVE-2021-3981 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3981
Vulnerability Analysis
This vulnerability stems from improper default permissions (CWE-276) applied to the GRUB2 bootloader configuration file during system installation or configuration updates. When grub.cfg is generated or modified, the file permissions are set in a manner that allows read access to non-privileged users on the system. While GRUB2 encrypted passwords provide some protection, they can potentially be subjected to offline brute-force attacks once extracted from the readable configuration file.
The security impact is primarily focused on confidentiality. An attacker with local access to the system can read the contents of grub.cfg to extract encrypted boot passwords, kernel parameters, and other potentially sensitive boot configuration details. This information could be leveraged in subsequent attacks or to gain unauthorized access to boot menu editing capabilities.
Root Cause
The root cause is classified as CWE-276: Incorrect Default Permissions. During the GRUB2 configuration file generation process, the system fails to apply appropriately restrictive permissions to grub.cfg. The file should only be readable by the root user, but the default behavior allows broader read access to local users on the system.
Attack Vector
The attack vector is local, requiring the attacker to have existing access to the target system. The exploitation process involves:
- A local user authenticates to the affected system with any valid non-root account
- The attacker navigates to the GRUB2 configuration directory (typically /boot/grub2/ or /boot/grub/)
- The attacker reads the contents of grub.cfg using standard file reading utilities
- Encrypted passwords and sensitive boot parameters can be extracted for offline analysis
The vulnerability requires local access and low privileges to exploit. No user interaction is required, and the scope is unchanged (the attacker can only access information on the vulnerable system). The attack does not impact integrity or availability of the system.
Detection Methods for CVE-2021-3981
Indicators of Compromise
- Unusual file access attempts to /boot/grub2/grub.cfg or /boot/grub/grub.cfg by non-root users
- Audit logs showing read operations on GRUB configuration files from unauthorized accounts
- Evidence of password cracking attempts using extracted boot password hashes
Detection Strategies
- Enable file access auditing on GRUB2 configuration files using auditd
- Monitor for unauthorized access attempts to /boot/grub2/ directory contents
- Implement file integrity monitoring (FIM) solutions to detect configuration file access patterns
- Review system logs for suspicious read operations against boot configuration files
Monitoring Recommendations
- Configure audit rules to log all access attempts to grub.cfg files
- Deploy endpoint detection solutions capable of monitoring sensitive file access
- Establish baseline access patterns for boot configuration files and alert on deviations
- Regularly review file permissions on critical system configuration files
How to Mitigate CVE-2021-3981
Immediate Actions Required
- Verify and correct file permissions on grub.cfg to restrict read access to root only
- Audit existing GRUB2 passwords and rotate if exposure is suspected
- Update GRUB2 to the latest version available for your distribution
- Review system users who may have accessed the configuration file
Patch Information
The vulnerability has been addressed in upstream GRUB2, though official patched releases may vary by distribution. Administrators should apply distribution-specific security updates as they become available. Consult your distribution's security advisories for specific patch information:
- Red Hat Bugzilla Report - Vendor bug tracking
- Fedora Package Announcement - Fedora updates
- Gentoo GLSA 202209-12 - Gentoo security advisory
Workarounds
- Manually set restrictive permissions on grub.cfg using chmod 600 or chmod 400
- Ensure the file ownership is set to root:root
- Consider implementing additional access controls using SELinux or AppArmor policies
- Regenerate GRUB configuration after setting proper permissions to ensure they persist
# Configuration example
# Fix permissions on GRUB2 configuration file
chmod 600 /boot/grub2/grub.cfg
chown root:root /boot/grub2/grub.cfg
# For systems using /boot/grub path
chmod 600 /boot/grub/grub.cfg
chown root:root /boot/grub/grub.cfg
# Verify the permissions are correctly applied
ls -la /boot/grub2/grub.cfg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
