A flaw was found in grub2 in versions prior to 2.06. Variable names present in the supplied command line are expanded into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame, and control execution, which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

| Metric | Value |
|---|---|
| Attack Vector | LOCAL |
| Attack Complexity | LOW |
| Privileges Required | HIGH |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

AV:L/AC:L/Au:N/C:C/I:C/A:C

| Metric | Value |
|---|---|
| Access Vector | LOCAL |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

| Source | Type | Description |
|---|---|---|
| [email protected] | Secondary | CWE-121 (en) |
| [email protected] | Secondary | CWE-787 (en) |

| Vendor | Product | Version | Type |
|---|---|---|---|
| gnu | grub2 | * | Application |
| redhat | enterprise_linux | 7.0 | Operating System |
| redhat | enterprise_linux | 8.0 | Operating System |
| redhat | enterprise_linux_server_aus | 7.2 | Operating System |
| redhat | enterprise_linux_server_aus | 7.3 | Operating System |
| redhat | enterprise_linux_server_aus | 7.4 | Operating System |
| redhat | enterprise_linux_server_aus | 7.6 | Operating System |
| redhat | enterprise_linux_server_aus | 7.7 | Operating System |
| redhat | enterprise_linux_server_aus | 8.2 | Operating System |
| redhat | enterprise_linux_server_eus | 7.6 | Operating System |
| redhat | enterprise_linux_server_eus | 7.7 | Operating System |
| redhat | enterprise_linux_server_eus | 8.1 | Operating System |
| redhat | enterprise_linux_server_tus | 7.4 | Operating System |
| redhat | enterprise_linux_server_tus | 7.6 | Operating System |
| redhat | enterprise_linux_server_tus | 7.7 | Operating System |
| redhat | enterprise_linux_server_tus | 8.2 | Operating System |
| redhat | enterprise_linux_workstation | 7.0 | Operating System |
| fedoraproject | fedora | 33 | Operating System |
| fedoraproject | fedora | 34 | Operating System |
| netapp | ontap_select_deploy_administration_utility | - | Application |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_eus:8.1:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |

| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* |