Ubuntu 4432-1: GRUB 2 vulnerabilities

    Date 29 Jul 2020
    Posted By LinuxSecurity Advisories
    Several security issues were fixed in GRUB 2.
    ==========================================================================
    Ubuntu Security Notice USN-4432-1
    July 29, 2020
    
    grub2, grub2-signed vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 20.04 LTS
    - Ubuntu 18.04 LTS
    - Ubuntu 16.04 LTS
    - Ubuntu 14.04 ESM
    
    Summary:
    
    Several security issues were fixed in GRUB 2.
    
    Software Description:
    - grub2: GRand Unified Bootloader
    - grub2-signed: GRand Unified Bootloader
    
    Details:
    
    Jesse Michael and Mickey Shkatov discovered that the configuration parser
    in GRUB2 did not properly exit when errors were discovered, resulting in
    heap-based buffer overflows. A local attacker could use this to execute
    arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713)
    
    Chris Coulson discovered that the GRUB2 function handling code did not
    properly handle a function being redefined, leading to a use-after-free
    vulnerability. A local attacker could use this to execute arbitrary code
    and bypass UEFI Secure Boot restrictions. (CVE-2020-15706)
    
    Chris Coulson discovered that multiple integer overflows existed in GRUB2
    when handling certain filesystems or font files, leading to heap-based
    buffer overflows. A local attacker could use these to execute arbitrary
    code and bypass UEFI Secure Boot restrictions. (CVE-2020-14309,
    CVE-2020-14310, CVE-2020-14311)
    
    It was discovered that the memory allocator for GRUB2 did not validate
    allocation size, resulting in multiple integer overflows and heap-based
    buffer overflows when handling certain filesystems, PNG images or disk
    metadata. A local attacker could use this to execute arbitrary code and
    bypass UEFI Secure Boot restrictions. (CVE-2020-14308)
    
    Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2
    failed to validate kernel signatures. A local attacker could use this
    to bypass Secure Boot restrictions. (CVE-2020-15705)
    
    Colin Watson and Chris Coulson discovered that an integer overflow
    existed in GRUB2 when handling the initrd command, leading to a heap-based
    buffer overflow. A local attacker could use this to execute arbitrary code
    and bypass UEFI Secure Boot restrictions. (CVE-2020-15707)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 20.04 LTS:
      grub-efi-amd64-bin              2.04-1ubuntu26.1
      grub-efi-amd64-signed           1.142.3+2.04-1ubuntu26.1
      grub-efi-arm-bin                2.04-1ubuntu26.1
      grub-efi-arm64-bin              2.04-1ubuntu26.1
      grub-efi-arm64-signed           1.142.3+2.04-1ubuntu26.1
      grub-efi-ia32-bin               2.04-1ubuntu26.1
    
    Ubuntu 18.04 LTS:
      grub-efi-amd64-bin              2.02-2ubuntu8.16
      grub-efi-amd64-signed           1.93.18+2.02-2ubuntu8.16
      grub-efi-arm-bin                2.02-2ubuntu8.16
      grub-efi-arm64-bin              2.02-2ubuntu8.16
      grub-efi-arm64-signed           1.93.18+2.02-2ubuntu8.16
      grub-efi-ia32-bin               2.02-2ubuntu8.16
      grub-efi-ia64-bin               2.02-2ubuntu8.16
    
    Ubuntu 16.04 LTS:
      grub-efi-amd64-bin              2.02~beta2-36ubuntu3.26
      grub-efi-amd64-signed           1.66.26+2.02~beta2-36ubuntu3.26
      grub-efi-arm-bin                2.02~beta2-36ubuntu3.26
      grub-efi-arm64-bin              2.02~beta2-36ubuntu3.26
      grub-efi-arm64-signed           1.66.26+2.02~beta2-36ubuntu3.26
      grub-efi-ia32-bin               2.02~beta2-36ubuntu3.26
      grub-efi-ia64-bin               2.02~beta2-36ubuntu3.26
    
    Ubuntu 14.04 ESM:
      grub-efi-amd64-bin              2.02~beta2-9ubuntu1.20
      grub-efi-amd64-signed           1.34.22+2.02~beta2-9ubuntu1.20
      grub-efi-arm-bin                2.02~beta2-9ubuntu1.20
      grub-efi-arm64-bin              2.02~beta2-9ubuntu1.20
      grub-efi-ia32-bin               2.02~beta2-9ubuntu1.20
      grub-efi-ia64-bin               2.02~beta2-9ubuntu1.20
    
    Fully mitigating these vulnerabilities requires both an updated
    GRUB2 boot loader and the application of a UEFI Revocation
    List (dbx) to system firmware. Ubuntu will provide a packaged
    dbx update at a later time, though system administrators may
    choose to apply a third party dbx update before then. For more
    details on mitigation steps and the risks entailed (especially for
    dual/multi-boot scenarios), please see the Knowledge Base article at
    https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
    
    References:
      https://usn.ubuntu.com/4432-1
      CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310,
      CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707,
      https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
    
    Package Information:
      https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu26.1
      https://launchpad.net/ubuntu/+source/grub2-signed/1.142.3
      https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.16
      https://launchpad.net/ubuntu/+source/grub2-signed/1.93.18
      https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.26
      https://launchpad.net/ubuntu/+source/grub2-signed/1.66.26
    
    
