IronMonkey Threat Research

CVE-2020-15706 MEDIUM

Published: 2020-07-29 | Last Modified: 2024-11-21 | Status: Modified

Description

GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. This issue affects GRUB2 version 2.04 and prior versions.

Additional Descriptions (1)

GRUB2 contains a race condition in the grub_script_function_create() function that leads to a use-after-free vulnerability, which can be triggered by redefining a function while the same function is already executing, leading to arbitrary code execution and a secure boot restriction bypass. This issue affects GRUB2 version 2.04 and earlier versions.

CVSS Metrics

Base Score: 6.4 (MEDIUM)

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 0.5

Impact Score: 5.9

Base Score: 4.4 (MEDIUM)

AV:L/AC:M/Au:N/C:P/I:P/A:P

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 3.4

Impact Score: 6.4

Weaknesses

Source Type Description
[email protected] Secondary CWE-362
[email protected] Primary CWE-362, CWE-416

Affected Products

Vendor Product Version Type
gnu grub2 * Application
redhat enterprise_linux_atomic_host - Application
redhat openshift_container_platform 4.0 Application
canonical ubuntu_linux 14.04 Operating System
canonical ubuntu_linux 16.04 Operating System
canonical ubuntu_linux 18.04 Operating System
canonical ubuntu_linux 20.04 Operating System
debian debian_linux 10.0 Operating System
redhat enterprise_linux 7.0 Operating System
redhat enterprise_linux 8.0 Operating System
suse suse_linux_enterprise_server 11 Operating System
suse suse_linux_enterprise_server 12 Operating System
suse suse_linux_enterprise_server 15 Operating System
microsoft windows_10 - Operating System
microsoft windows_10 1607 Operating System
microsoft windows_10 1709 Operating System
microsoft windows_10 1803 Operating System
microsoft windows_10 1809 Operating System
microsoft windows_10 1903 Operating System
microsoft windows_10 1909 Operating System
microsoft windows_10 2004 Operating System
microsoft windows_8.1 - Operating System
microsoft windows_rt_8.1 - Operating System
microsoft windows_server_2012 - Operating System
microsoft windows_server_2012 r2 Operating System
microsoft windows_server_2016 - Operating System
microsoft windows_server_2016 1903 Operating System
microsoft windows_server_2016 1909 Operating System
microsoft windows_server_2016 2004 Operating System
microsoft windows_server_2019 - Operating System
opensuse leap 15.1 Operating System
opensuse leap 15.2 Operating System
canonical ubuntu_linux 14.04 Operating System
canonical ubuntu_linux 16.04 Operating System
canonical ubuntu_linux 18.04 Operating System
canonical ubuntu_linux 20.04 Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:redhat:enterprise_linux_atomic_host:-:*:*:*:*:*:*:*
Yes cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Yes cpe:2.3:o:suse:suse_linux_enterprise_server:11:*:*:*:*:*:*:*
Yes cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*
Yes cpe:2.3:o:suse:suse_linux_enterprise_server:15:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*
Yes cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Yes cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Yes cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
