CVE-2020-15705 MEDIUM

Published: 2020-07-29 | Last Modified: 2024-11-21 | Status: Modified

Description

GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.

Additional Descriptions (1)

GRUB2 presenta un fallo al comprobar la firma del kernel cuando se inicia directamente sin cuña, permitiendo que el arranque seguro sea omitido. Esto solo afecta a los sistemas en los que el certificado de firma del kernel ha sido importado directamente a la base de datos de arranque seguro y la imagen de GRUB es iniciada directamente sin el uso de cuña. Este problema afecta a GRUB2 versiones 2.04 y versiones anteriores

CVSS Metrics

Base Score: 6.4 (MEDIUM)

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector	LOCAL
Attack Complexity	HIGH
Privileges Required	HIGH
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 0.5

Impact Score: 5.9

Base Score: 4.4 (MEDIUM)

AV:L/AC:M/Au:N/C:P/I:P/A:P

Access Vector	LOCAL
Access Complexity	MEDIUM
Authentication	NONE
Confidentiality Impact	PARTIAL
Integrity Impact	PARTIAL
Availability Impact	PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 3.4

Impact Score: 6.4

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-347
[email protected]	Primary	en CWE-347

Affected Products

Vendor	Product	Version	Update	Type
gnu	grub2	*	<built-in method update of dict object at 0x72a9b0b3af40>	Application
redhat	enterprise_linux_atomic_host	-	<built-in method update of dict object at 0x72a9cc8758c0>	Application
redhat	openshift_container_platform	4.0	<built-in method update of dict object at 0x72a9b0b38740>	Application
canonical	ubuntu_linux	14.04	<built-in method update of dict object at 0x72a9b0aa7180>	Operating System
canonical	ubuntu_linux	16.04	<built-in method update of dict object at 0x72a9ccd2b9c0>	Operating System
canonical	ubuntu_linux	18.04	<built-in method update of dict object at 0x72a9ccd2b700>	Operating System
canonical	ubuntu_linux	20.04	<built-in method update of dict object at 0x72a9cc877d00>	Operating System
debian	debian_linux	10.0	<built-in method update of dict object at 0x72a9b0aa4d40>	Operating System
opensuse	leap	15.1	<built-in method update of dict object at 0x72a9cc679c80>	Operating System
opensuse	leap	15.2	<built-in method update of dict object at 0x72a9ccd2a2c0>	Operating System
redhat	enterprise_linux	7.0	<built-in method update of dict object at 0x72a9b0b3b1c0>	Operating System
redhat	enterprise_linux	8.0	<built-in method update of dict object at 0x72a9ccd28540>	Operating System
suse	suse_linux_enterprise_server	11	<built-in method update of dict object at 0x72a9b0a74980>	Operating System
suse	suse_linux_enterprise_server	12	<built-in method update of dict object at 0x72a9cc874680>	Operating System
suse	suse_linux_enterprise_server	15	<built-in method update of dict object at 0x72a9b0b3b940>	Operating System
microsoft	windows_10	-	<built-in method update of dict object at 0x72a9b0b6bf80>	Operating System
microsoft	windows_10	1607	<built-in method update of dict object at 0x72a9cc877d40>	Operating System
microsoft	windows_10	1709	<built-in method update of dict object at 0x72a9cd086a40>	Operating System
microsoft	windows_10	1803	<built-in method update of dict object at 0x72a9ccd28740>	Operating System
microsoft	windows_10	1809	<built-in method update of dict object at 0x72a9b0a77280>	Operating System
microsoft	windows_10	1903	<built-in method update of dict object at 0x72a9cc875280>	Operating System
microsoft	windows_10	1909	<built-in method update of dict object at 0x72a9cc876540>	Operating System
microsoft	windows_10	2004	<built-in method update of dict object at 0x72a9cc6792c0>	Operating System
microsoft	windows_8.1	-	<built-in method update of dict object at 0x72a9b0b693c0>	Operating System
microsoft	windows_rt_8.1	-	<built-in method update of dict object at 0x72a9ccf9ff40>	Operating System
microsoft	windows_server_2012	-	<built-in method update of dict object at 0x72a9cc774640>	Operating System
microsoft	windows_server_2012	r2	<built-in method update of dict object at 0x72a9b0aa7d80>	Operating System
microsoft	windows_server_2016	-	<built-in method update of dict object at 0x72a9ccf9fe80>	Operating System
microsoft	windows_server_2016	1903	<built-in method update of dict object at 0x72a9ccd2b2c0>	Operating System
microsoft	windows_server_2016	1909	<built-in method update of dict object at 0x72a9cd0d9cc0>	Operating System
microsoft	windows_server_2016	2004	<built-in method update of dict object at 0x72a9cd087480>	Operating System
microsoft	windows_server_2019	-	<built-in method update of dict object at 0x72a9ccd2a040>	Operating System

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:gnu:grub2::::::::`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:redhat:enterprise_linux_atomic_host:-:::::::*`
Yes	`cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*`
Yes	`cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::`
Yes	`cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::`
Yes	`cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::`
Yes	`cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::`
Yes	`cpe:2.3:o:debian:debian_linux:10.0:::::::*`
Yes	`cpe:2.3:o:opensuse:leap:15.1:::::::*`
Yes	`cpe:2.3:o:opensuse:leap:15.2:::::::*`
Yes	`cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*`
Yes	`cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*`
Yes	`cpe:2.3:o:suse:suse_linux_enterprise_server:11:::::::*`
Yes	`cpe:2.3:o:suse:suse_linux_enterprise_server:12:::::::*`
Yes	`cpe:2.3:o:suse:suse_linux_enterprise_server:15:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:microsoft:windows_10:-:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_10:1607:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_10:1709:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_10:1803:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_10:1809:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_10:1903:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_10:1909:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_10:2004:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_8.1:-:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_rt_8.1:-:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_server_2012:-:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_server_2012:r2:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_server_2016:-:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_server_2016:1903:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_server_2016:1909:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_server_2016:2004:::::::*`
Yes	`cpe:2.3:o:microsoft:windows_server_2019:-:::::::*`

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00067.html
Source: [email protected]

Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html
Source: [email protected]

Mailing List Third Party Advisory
http://ubuntu.com/security/notices/USN-4432-1
Source: [email protected]

Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/07/29/3
Source: [email protected]

Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/02/3
Source: [email protected]

Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/17/2
Source: [email protected]

Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/17/4
Source: [email protected]

Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/21/1
Source: [email protected]

Mailing List Third Party Advisory
https://access.redhat.com/security/vulnerabilities/grub2bootloader
Source: [email protected]

Third Party Advisory
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
Source: [email protected]

Issue Tracking Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
Source: [email protected]

Patch Third Party Advisory Vendor Advisory
https://security.gentoo.org/glsa/202104-05
Source: [email protected]

Third Party Advisory
https://security.netapp.com/advisory/ntap-20200731-0008/
Source: [email protected]

Third Party Advisory
https://usn.ubuntu.com/4432-1/
Source: [email protected]

Third Party Advisory
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
Source: [email protected]

Third Party Advisory
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
Source: [email protected]

Third Party Advisory
https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
Source: [email protected]

Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/07/29/3
Source: [email protected]

Mailing List Third Party Advisory
https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
Source: [email protected]

Third Party Advisory
https://www.suse.com/support/kb/doc/?id=000019673
Source: [email protected]

Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00067.html
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
http://ubuntu.com/security/notices/USN-4432-1
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/07/29/3
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/02/3
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/17/2
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/17/4
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/21/1
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
https://access.redhat.com/security/vulnerabilities/grub2bootloader
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
Source: af854a3a-2127-422b-91ae-364da2661108

Patch Third Party Advisory Vendor Advisory
https://security.gentoo.org/glsa/202104-05
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://security.netapp.com/advisory/ntap-20200731-0008/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://usn.ubuntu.com/4432-1/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/07/29/3
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://www.suse.com/support/kb/doc/?id=000019673
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory