Multiple Vulnerabilities in GRUB2 Could Allow for Complete System Compromise

ITS Advisory Number: 2020-102 - UPDATED
Date(s) Issued: Monday, August 3, 2020
Date Updated: Monday, August 3, 2020
Subject: Multiple Vulnerabilities in GRUB2 Could Allow for Complete System Compromise
Overview: 

Multiple vulnerabilities have been discovered in GRUB2, the most severe of which could allow for complete system compromise. GRUB2 is a popular Linux bootloader that works with UEFI Secure Boot. A bootloader is software that loads the operating system and hands control over to it when the system is first powered on. UEFI Secure Boot is a verification step added to the boot process that checks each binary loaded during boot against a list of known trusted binaries. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution and lead to complete compromise of the local system.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected:
  • GRUB2 versions prior to 2.06

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in GRUB2, the most severe of which could allow for complete compromise of the local system. Details of these vulnerabilities are as follows:
  • A vulnerability exists in the parsing of grub.cfg that could allow loading of arbitrary code. (CVE-2020-10713)
  • A heap-based buffer overflow vulnerability exists that can impact the integrity, confidentiality, and availability of the local machine. (CVE-2020-14308)
  • Multiple integer overflow vulnerabilities exist that can lead to buffer overflows. (CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15707)
  • A use-after-free vulnerability exists that could allow for arbitrary code execution. (CVE-2020-15706)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution and lead to complete compromise of the local system.

Actions: 
  • After appropriate testing, immediately apply patches to vulnerable systems.

  • Enforce password complexity, using NIST Special Publication 800-63B, Appendix A as a reference.

  • Enforce physical security to prevent unauthorized access to the local machine.
August 3 - UPDATED ACTIONS:

The MS-ISAC has been informed that multiple distributions of Linux have experienced problems after patching GRUB2. We strongly recommend testing any patches before applying them to live systems and making backups before going live with any changes.