CVE-2024-45782
Published: 03 March 2025
Summary
CVE-2024-45782 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Bootkit (T1542.003). The CVE ranks at the 0.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by requiring timely patching of the heap-based buffer overflow flaw in GRUB's HFS driver as advised by Red Hat.
Enforces bounds checking and validation of user-provided inputs such as HFS volume names to prevent the unvalidated strcpy() leading to out-of-bounds writes.
Implements memory protection mechanisms that limit the impact of heap corruption from the out-of-bounds write in GRUB, reducing the likelihood of secure boot bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap-based out-of-bounds write in GRUB's HFS driver during volume mount allows corruption of bootloader data structures, enabling secure boot bypass and unauthorized code execution at startup, directly facilitating bootkit-style pre-OS boot manipulation.
NVD Description
A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may lead to a heap-based out-of-bounds write, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass.
Deeper analysis
CVE-2024-45782 is a heap-based out-of-bounds write vulnerability in the HFS filesystem driver within GRUB. The flaw occurs during the mounting of an HFS volume at grub_fs_mount(), where the driver uses strcpy() on a user-provided volume name without validating its length. This can corrupt sensitive data structures in GRUB, potentially leading to a bypass of secure boot protections. The vulnerability is associated with CWE-787 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by providing a maliciously crafted HFS volume name during the mount process. Successful exploitation enables a heap-based out-of-bounds write, which impacts the integrity of GRUB's sensitive data. This could allow the attacker to manipulate boot processes, ultimately bypassing secure boot mechanisms and potentially executing unauthorized code during system startup.
Red Hat has issued an advisory at https://access.redhat.com/security/cve/CVE-2024-45782 and documented the issue in Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2345858, where practitioners can find details on affected versions and recommended patches or mitigations.
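The unchecked strcpy() pattern described above, next to a length-validated copy, as an added example that is not GRUB's code or Red Hat's patch. The struct names, field sizes and helper functions are hypothetical, and the layout assumes the classic HFS convention of a length byte followed by at most 27 name bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VOLNAME_MAX 27  /* assumed limit: 1 length byte + up to 27 name bytes */

/* Hypothetical on-disk name field and in-memory destination (constructed). */
struct vol_field { uint8_t raw[1 + VOLNAME_MAX]; };   /* raw[0] = declared length */
struct name_key  { uint8_t len; char str[VOLNAME_MAX + 1]; };

/* Unsafe pattern, shown for contrast and never called here: strcpy() relies on
 * a NUL terminator that a crafted volume image is under no obligation to
 * contain, so the copy length is chosen by the image, not by the driver. */
void copy_name_unsafe(struct name_key *k, const struct vol_field *v)
{
    strcpy(k->str, (const char *)v->raw + 1);
}

/* Hardened form: trust neither the terminator nor the declared length.
 * Returns 0 on success, -1 if the field must be rejected (mount should fail).
 * The destination is left untouched on rejection. */
int copy_name_checked(struct name_key *k, const struct vol_field *v)
{
    size_t len = v->raw[0];

    if (len == 0 || len > VOLNAME_MAX)   /* rejecting empty names is a choice made here */
        return -1;
    memcpy(k->str, v->raw + 1, len);     /* bounded by both source and destination size */
    k->str[len] = '\0';
    k->len = (uint8_t)len;
    return 0;
}

/* Constructed sample input: a name field filled with 'A', no NUL anywhere,
 * carrying the given declared length. */
int try_declared_len(uint8_t declared, struct name_key *out)
{
    struct vol_field v;

    memset(v.raw, 'A', sizeof v.raw);
    v.raw[0] = declared;
    return copy_name_checked(out, &v);
}
```

The same check belongs wherever the mount path first reads the name from disk, so that a rejected field aborts the mount before any copy takes place.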
Details
- CWE(s)