IronMonkey Threat Research

CVE-2020-14310 MEDIUM

Published: 2020-07-31 | Last Modified: 2024-11-21 | Status: Modified

Description

There is an issue in grub2 before version 2.06 in the function read_section_as_string(). It expects a font name to be at most UINT32_MAX - 1 bytes long, but it doesn't verify this before proceeding with the buffer allocation to read the value from the font value. An attacker may leverage this by crafting a malicious font file which has a name with UINT32_MAX length, leading read_section_as_string() to an arithmetic overflow, a zero-sized allocation and a subsequent heap-based buffer overflow.

Additional Descriptions (1)

There is an issue in grub2 versions before 2.06, in the function read_section_as_string(). The font name is expected to have a maximum length of UINT32_MAX - 1 bytes, but this is not verified before proceeding with the buffer allocation to read the value from the font value. An attacker can take advantage of this by crafting a malicious font file that has a name with UINT32_MAX, leading the function read_section_as_string() to an arithmetic overflow, a zero-size allocation and a further buffer overflow in the heap region of memory.

CVSS Metrics

Base Score: 6.0 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 0.8

Impact Score: 5.2

Base Score: 3.6 (LOW)

AV:L/AC:L/Au:N/C:N/I:P/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 4.9

Weaknesses

Source Type Description
[email protected] Secondary CWE-122, CWE-190
[email protected] Primary CWE-190

Affected Products

Vendor Product Version Update Type
gnu grub2 * - Application
redhat enterprise_linux 7.0 - Operating System
redhat enterprise_linux 8.0 - Operating System
redhat enterprise_linux_eus 8.1 - Operating System
redhat enterprise_linux_eus 8.2 - Operating System
redhat enterprise_linux_server_aus 8.2 - Operating System
redhat enterprise_linux_server_tus 8.2 - Operating System
opensuse leap 15.1 - Operating System
opensuse leap 15.2 - Operating System
canonical ubuntu_linux 14.04 - Operating System
canonical ubuntu_linux 16.04 - Operating System
canonical ubuntu_linux 18.04 - Operating System
canonical ubuntu_linux 20.04 - Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Yes cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

References
