MiracleLinux 7 : grub2-2.02-0.87.14.0.4.el7.AXS7 (AXSA:2025-9938:04)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2025-9938:04.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(282873);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/16");

  script_cve_id(
    "CVE-2024-45774",
    "CVE-2024-45775",
    "CVE-2024-45776",
    "CVE-2024-45777",
    "CVE-2024-45780",
    "CVE-2024-45781",
    "CVE-2024-45782",
    "CVE-2024-45783",
    "CVE-2024-56737",
    "CVE-2025-0622",
    "CVE-2025-0624",
    "CVE-2025-0678",
    "CVE-2025-0690",
    "CVE-2025-1118",
    "CVE-2025-1125"
  );

  script_name(english:"MiracleLinux 7 : grub2-2.02-0.87.14.0.4.el7.AXS7 (AXSA:2025-9938:04)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2025-9938:04 advisory.

    * CVE-2025-0624: net: Out-of-bounds write in grub_net_search_configfile()
    * CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write
    * CVE-2025-1118: commands/dump: The dump command is not in lockdown when
    secure boot is enabled
    * CVE-2025-0678: squash4: Integer overflow may lead to heap based
    out-of-bounds write when reading data
    * CVE-2025-1125: fs/hfs: Integer overflow may lead to heap based   out-of-bounds
    write
    CVE(s):
    CVE-2025-1118
    A flaw was found in grub2. Grub's dump command is not blocked when grub is in lockdown mode, which allows
    the user to read any memory information, and an attacker may leverage this in order to extract signatures,
    salts, and other sensitive information from the memory.
    CVE-2025-0690
    The read command is used to read the keyboard input from the user, while reads it keeps the input length
    in a 32-bit integer value which is further used to reallocate the line buffer to accept the next
    character. During this process, with a line big enough it's possible to make this variable to overflow
    leading to a out-of-bounds write in the heap based buffer. This flaw may be leveraged to corrupt grub's
    internal critical data and secure boot bypass is not discarded as consequence.
    CVE-2024-45775
    A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to
    allocate memory for the grub's argument list. However, it fails to check in case the memory allocation
    fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading
    grub to crash or, in some rare scenarios, corrupt the IVT data.
    CVE-2024-45774
    A flaw was found in grub2. A specially crafted JPEG file can cause the JPEG parser of grub2 to incorrectly
    check the bounds of its internal buffers, resulting in an out-of-bounds write. The possibility of
    overwriting sensitive information to bypass secure boot protections is not discarded.
    CVE-2024-45783
    A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn't
    properly set an ERRNO value. This issue may lead to a NULL pointer access.
    CVE-2024-45780
    A flaw was found in grub2. When reading tar files, grub2 allocates an internal buffer for the file name.
    However, it fails to properly verify the allocation against possible integer overflows. It's possible to
    cause the allocation length to overflow with a crafted tar file, leading to a heap out-of-bounds write.
    This flaw eventually allows an attacker to circumvent secure boot protections.
    CVE-2024-45781
    A flaw was found in grub2. When reading a symbolic link's name from a UFS filesystem, grub2 fails to
    validate the string length taken as an input. The lack of validation may lead to a heap out-of-bounds
    write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot
    protections.
    CVE-2024-45776
    When reading the language .mo file in grub_mofile_open(), grub2 fails to verify an integer overflow when
    allocating its internal buffer. A crafted .mo file may lead the buffer size calculation to overflow,
    leading to out-of-bound reads and writes. This flaw allows an attacker to leak sensitive data or overwrite
    critical data, possibly circumventing secure boot protections.
    CVE-2025-0678
    A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses
    user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it
    improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer
    size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than
    expected. As a result, the direct_read() will perform a heap based out-of-bounds write during data
    reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary
    code execution, by-passing secure boot protections.
    CVE-2024-56737
    GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in
    an HFS filesystem.
    CVE-2024-45782
    A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS
    filesystem driver performs a strcpy() using the user-provided volume name as input without properly
    validating the volume name's length. This issue may read to a heap-based out-of-bounds writer, impacting
    grub's sensitive data integrity and eventually leading to a secure boot protection bypass.
    CVE-2024-45777
    A flaw was found in grub2. The calculation of the translation buffer when reading a language .mo file in
    grub_gettext_getstr_from_position() may overflow, leading to a Out-of-bound write. This issue can be
    leveraged by an attacker to overwrite grub2's sensitive heap data, eventually leading to the circumvention
    of secure boot protections.
    CVE-2025-1125
    When reading data from a hfs filesystem, grub's hfs filesystem module uses user-controlled parameters from
    the filesystem metadata to calculate the internal buffers size, however it misses to properly check for
    integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculation to
    overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result
    the hfsplus_open_compressed_real() function will write past of the internal buffer length. This flaw may
    be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution by-
    passing secure boot protections.
    CVE-2025-0624
    A flaw was found in grub2. During the network boot process, when trying to search for the configuration
    file, grub copies data from a user controlled environment variable into an internal buffer using the
    grub_strcpy() function. During this step, it fails to consider the environment variable length when
    allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue
    may result in remote code execution through the same network segment grub is searching for the boot
    information, which can be used to by-pass secure boot protections.
    CVE-2025-0622
    A flaw was found in command/gpg. In some scenarios, hooks created by loaded modules are not removed when
    the related module is unloaded. This flaw allows an attacker to force grub2 to call the hooks once the
    module that registered it was unloaded, leading to a use-after-free vulnerability. If correctly exploited,
    this vulnerability may result in arbitrary code execution, eventually allowing the attacker to bypass
    secure boot protections.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/21122");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-1125");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-0678");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-efi-ia32");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-efi-ia32-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-efi-x64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-efi-x64-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-pc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-pc-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-tools-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:grub2-tools-minimal");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '7',
    'pkgs': [
      {'reference':'grub2-2.02-0.87.14.0.4.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-common-2.02-0.87.14.0.4.el7.AXS7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-efi-ia32-2.02-0.87.14.0.4.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-efi-ia32-modules-2.02-0.87.14.0.4.el7.AXS7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-efi-x64-2.02-0.87.14.0.4.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-efi-x64-modules-2.02-0.87.14.0.4.el7.AXS7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-pc-2.02-0.87.14.0.4.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-pc-modules-2.02-0.87.14.0.4.el7.AXS7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-tools-2.02-0.87.14.0.4.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-tools-extra-2.02-0.87.14.0.4.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'grub2-tools-minimal-2.02-0.87.14.0.4.el7.AXS7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'grub2 / grub2-common / grub2-efi-ia32 / grub2-efi-ia32-modules / etc');
}