Mageia 8: MGASA-2021-0315 Moderate: Grub2 Buffer Overflow Risks

Mageia advisory, published July 8, 2021
Updated grub2 packages for Mageia 8 fix multiple vulnerabilities in GRUB2, all in the code paths that implement Secure Boot verification; the most serious of them allow arbitrary code execution inside GRUB and a bypass of Secure Boot protections.

Summary

All CVEs below are against the Secure Boot functionality in GRUB2. Mageia does not ship that functionality. The grub2 package is nevertheless updated to version 2.06 for Mageia 8, which includes the upstream fixes for all of them.
A flaw was found in grub2 prior to version 2.06. An attacker may use it to hijack and tamper with the GRUB verification process, and so bypass Secure Boot protections. To load an untrusted or modified kernel, the attacker first needs a foothold: physical access to the machine, the ability to alter a PXE boot network, or remote access to a networked system as root. With that access, the attacker can craft a string that overflows a buffer during GRUB's parsing of its configuration file (grub.cfg, which GRUB reads without signature verification), injecting a payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-10713).
In grub2 versions before 2.06 the grub memory...


References

- https://bugs.mageia.org/show_bug.cgi?id=27018

- https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

- https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00022.html

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SPZHLZ3UEVV7HQ6ETAHB7NRBRTPLHCNF/

- https://ubuntu.com/security/notices/USN-4992-1

- https://www.cve.org/CVERecord?id=CVE-2020-10713

- https://www.cve.org/CVERecord?id=CVE-2020-14308

- https://www.cve.org/CVERecord?id=CVE-2020-14309

- https://www.cve.org/CVERecord?id=CVE-2020-14310

- https://www.cve.org/CVERecord?id=CVE-2020-14311

- https://www.cve.org/CVERecord?id=CVE-2020-14372

- https://www.cve.org/CVERecord?id=CVE-2020-15705

- https://www.cve.org/CVERecord?id=CVE-2020-15706

- https://www.cve.org/CVERecord?id=CVE-2020-15707

- https://www.cve.org/CVERecord?id=CVE-2021-20225

- https://www.cve.org/CVERecord?id=CVE-2021-20233

- https://www.cve.org/CVERecord?id=CVE-2020-25632

- https://www.cve.org/CVERecord?id=CVE-2020-25647

- https://www.cve.org/CVERecord?id=CVE-2020-27749

- https://www.cve.org/CVERecord?id=CVE-2020-27779

Resolution

SRPMS

- 8/core/grub2-2.06-1.1.mga8
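
As an added example, not part of the Mageia advisory or of the grub2 project, the following POSIX shell script checks whether the installed grub2 package is at or above the fixed build named in the Resolution section (version-release 2.06-1.1.mga8, taken from the SRPM name) and reports the firmware's Secure Boot state by reading the EFI variable directly. The function names, the constructed sample version strings, and the use of sort -V to order RPM version-release strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Mageia advisory or of grub2 itself).
# Checks whether the installed grub2 package is at or above the fixed build
# named in the advisory's Resolution section, and reports the firmware's
# Secure Boot state. Function names and sample inputs are this example's own.

# Fixed version-release, taken from the SRPM grub2-2.06-1.1.mga8 in the advisory.
FIXED_GRUB2="2.06-1.1.mga8"

# grub2_status INSTALLED [FIXED]
# Prints "fixed" when INSTALLED sorts at or above FIXED, else "needs-update".
# Assumption: sort -V orders these version-release strings the way RPM does;
# for exact RPM semantics use rpmdev-vercmp instead.
grub2_status() {
    installed="$1"
    fixed="${2:-$FIXED_GRUB2}"
    highest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | tail -n 1)
    if [ "$highest" = "$installed" ]; then
        echo fixed
    else
        echo needs-update
    fi
}

# Prints the installed grub2 version-release, or nothing if rpm is not
# available or the package is not installed (so the script runs anywhere).
installed_grub2_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q grub2 >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' grub2
    fi
}

# Reads the SecureBoot EFI variable directly: an efivarfs file carries a
# 4-byte attribute header followed by the variable data, and the first data
# byte is 1 when Secure Boot is enabled. This avoids depending on mokutil.
secureboot_state() {
    var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    if [ -z "$var" ]; then
        echo "no-efi-variable"   # legacy BIOS boot, or EFI without the variable
        return 0
    fi
    state=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    case "$state" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

main() {
    v=$(installed_grub2_version)
    if [ -n "$v" ]; then
        echo "installed grub2 $v: $(grub2_status "$v")"
    else
        echo "grub2: not queried (rpm unavailable or package not installed)"
    fi
    echo "Secure Boot: $(secureboot_state)"

    # Constructed sample inputs so both outcomes are visible offline.
    for sample in 2.04-15.mga8 2.06-1.1.mga8; do
        echo "sample grub2 $sample: $(grub2_status "$sample")"
    done
}

main "$@"
```

Two caveats when reading the output. First, sort -V agrees with RPM ordering for plain numeric version-release strings like the ones here, but RPM's comparison has its own rules for mixed alphanumeric segments, so a release such as 1.1.mga8 against 1.mga8 should be checked with rpmdev-vercmp before trusting the result. Second, as the Summary notes, Mageia does not ship Secure Boot support, so "enabled" will normally only appear on a machine whose owner built their own signed boot chain; on a stock Mageia 8 install a "needs-update" result means the grub.cfg parsing bugs are present, but there is no Secure Boot policy for them to bypass.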

Publication date: 08 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0315.html
Type: security
CVE: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-14372, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707, CVE-2021-20225, CVE-2021-20233, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779
