Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions.
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector | LOCAL |
| Attack Complexity | HIGH |
| Privileges Required | HIGH |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
AV:L/AC:M/Au:N/C:P/I:P/A:P
| Metric | Value |
|---|---|
| Access Vector | LOCAL |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Source | Type | Description |
|---|---|---|
| [email protected] | Secondary | CWE-362 |
| [email protected] | Primary | CWE-190, CWE-362 |
| Vendor | Product | Version | Type |
|---|---|---|---|
| gnu | grub2 | * | Application |
| redhat | enterprise_linux_atomic_host | - | Application |
| redhat | openshift_container_platform | 4.0 | Application |
| redhat | enterprise_linux | 7.0 | Operating System |
| redhat | enterprise_linux | 8.0 | Operating System |
| microsoft | windows_10 | - | Operating System |
| microsoft | windows_10 | 1607 | Operating System |
| microsoft | windows_10 | 1709 | Operating System |
| microsoft | windows_10 | 1803 | Operating System |
| microsoft | windows_10 | 1809 | Operating System |
| microsoft | windows_10 | 1903 | Operating System |
| microsoft | windows_10 | 1909 | Operating System |
| microsoft | windows_10 | 2004 | Operating System |
| microsoft | windows_8.1 | - | Operating System |
| microsoft | windows_rt_8.1 | - | Operating System |
| microsoft | windows_server_2012 | - | Operating System |
| microsoft | windows_server_2012 | r2 | Operating System |
| microsoft | windows_server_2016 | - | Operating System |
| microsoft | windows_server_2016 | 1903 | Operating System |
| microsoft | windows_server_2016 | 1909 | Operating System |
| microsoft | windows_server_2016 | 2004 | Operating System |
| microsoft | windows_server_2019 | - | Operating System |
| canonical | ubuntu_linux | 14.04 | Operating System |
| canonical | ubuntu_linux | 16.04 | Operating System |
| canonical | ubuntu_linux | 18.04 | Operating System |
| canonical | ubuntu_linux | 20.04 | Operating System |
| debian | debian_linux | 10.0 | Operating System |
| opensuse | leap | 15.1 | Operating System |
| opensuse | leap | 15.2 | Operating System |
| suse | suse_linux_enterprise_server | 11 | Operating System |
| suse | suse_linux_enterprise_server | 12 | Operating System |
| suse | suse_linux_enterprise_server | 15 | Operating System |
| netapp | active_iq_unified_manager | * | Application |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:redhat:enterprise_linux_atomic_host:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:suse:suse_linux_enterprise_server:11:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:suse:suse_linux_enterprise_server:15:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:* |