
Ubuntu 20.04 LTS: USN-4432-2 Moderate: GRUB2 Bootloader Regression

August 4, 2020

Summary

USN-4432-1 introduced a regression in the GRUB2 bootloader.

Software Description:

- grub2: GRand Unified Bootloader

- grub2-signed: GRand Unified Bootloader

Details:

USN-4432-1 fixed vulnerabilities in GRUB2 affecting Secure Boot
environments. Unfortunately, the update introduced regressions for
some BIOS systems (either pre-UEFI or UEFI configured in Legacy mode),
preventing them from successfully booting. This update addresses
the issue.

Users with BIOS systems that installed GRUB2 versions from USN-4432-1
should verify that their GRUB2 installation has a correct understanding
of their boot device location and installed the boot loader correctly.

We apologize for the inconvenience.

Original advisory details:

Jesse Michael and Mickey Shkatov discovered that the configuration parser
in GRUB2 did not properly exit when errors were discovered, resulting in
heap-based buffer overflows. A local attacker could use this to execute
arbitrary code and bypass UEFI Secure Boot res...

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  grub-efi-amd64-bin              2.04-1ubuntu26.2
  grub-efi-amd64-signed           1.142.4+2.04-1ubuntu26.2
  grub-efi-arm-bin                2.04-1ubuntu26.2
  grub-efi-arm64-bin              2.04-1ubuntu26.2
  grub-efi-arm64-signed           1.142.4+2.04-1ubuntu26.2
  grub-efi-ia32-bin               2.04-1ubuntu26.2

Ubuntu 18.04 LTS:
  grub-efi-amd64-bin              2.02-2ubuntu8.17
  grub-efi-amd64-signed           1.93.19+2.02-2ubuntu8.17
  grub-efi-arm-bin                2.02-2ubuntu8.17
  grub-efi-arm64-bin              2.02-2ubuntu8.17
  grub-efi-arm64-signed           1.93.19+2.02-2ubuntu8.17
  grub-efi-ia32-bin               2.02-2ubuntu8.17
  grub-efi-ia64-bin               2.02-2ubuntu8.17

Ubuntu 16.04 LTS:
  grub-efi-amd64-bin              2.02~beta2-36ubuntu3.27
  grub-efi-amd64-signed           1.66.27+2.02~beta2-36ubuntu3.27
  grub-efi-arm-bin                2.02~beta2-36ubuntu3.27
  grub-efi-arm64-bin              2.02~beta2-36ubuntu3.27
  grub-efi-arm64-signed           1.66.27+2.02~beta2-36ubuntu3.27
  grub-efi-ia32-bin               2.02~beta2-36ubuntu3.27
  grub-efi-ia64-bin               2.02~beta2-36ubuntu3.27

Ubuntu 14.04 ESM:
  grub-efi-amd64-bin              2.02~beta2-9ubuntu1.17
  grub-efi-amd64-signed           1.34.20+2.02~beta2-9ubuntu1.17
  grub-efi-arm-bin                2.02~beta2-9ubuntu1.17
  grub-efi-arm64-bin              2.02~beta2-9ubuntu1.17
  grub-efi-ia32-bin               2.02~beta2-9ubuntu1.17
  grub-efi-ia64-bin               2.02~beta2-9ubuntu1.17
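
As an added example (not part of the advisory), a Python check that compares the grub-efi-* versions reported by `dpkg-query -W -f '${Package}\t${Version}\n' 'grub-efi-*'` against the fixed versions in the table above, using a port of dpkg's version ordering so that `2.02~beta2` sorts below `2.02` as dpkg intends. The `FIXED` map (every *-bin package on a release shares one version, every *-signed the other), the function names and the sample dpkg output are constructed here from the table, not taken from Ubuntu's tooling.

```python
import re
from itertools import zip_longest

# Added example (not the advisory's code): fixed (bin, signed) versions per release
# from the table above; all *-bin packages share the first, all *-signed the second.
FIXED = {
    "20.04": ("2.04-1ubuntu26.2", "1.142.4+2.04-1ubuntu26.2"),
    "18.04": ("2.02-2ubuntu8.17", "1.93.19+2.02-2ubuntu8.17"),
    "16.04": ("2.02~beta2-36ubuntu3.27", "1.66.27+2.02~beta2-36ubuntu3.27"),
    "14.04": ("2.02~beta2-9ubuntu1.17", "1.34.20+2.02~beta2-9ubuntu1.17"),
}

def _order(c):
    # dpkg character weights: end-of-string 0, letters ord(c), '~' below all, other +256
    return 0 if c == "" else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # port of dpkg's verrevcmp(): compare (non-digit run, digit run) pairs in turn
    pairs = [re.findall(r"(\D*)(\d*)", s) for s in (a, b)]
    for (na, da), (nb, db) in zip_longest(*pairs, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):  # non-digit part, char by char
            if _order(ca) != _order(cb): return _order(ca) - _order(cb)
        ia, ib = int(da or 0), int(db or 0)             # digit part, numerically
        if ia != ib: return (ia > ib) - (ia < ib)
    return 0

def debian_version_cmp(v1, v2):
    # <0, 0, >0 like `dpkg --compare-versions`, on [epoch:]upstream[-revision]
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, dash, rev = rest.rpartition("-")
        return int(epoch), (up if dash else rest), (rev if dash else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def check_grub_packages(release, dpkg_lines):
    # dpkg_lines: "<package>\t<version>" as printed by dpkg-query -W -f '${Package}\t${Version}\n'
    bin_v, signed_v = FIXED[release]
    result = []  # (package, installed, fixed, up_to_date)
    for pkg, _, ver in (line.strip().partition("\t") for line in dpkg_lines):
        if pkg.startswith("grub-efi-") and ver:  # empty version = known but not installed
            fixed = signed_v if pkg.endswith("-signed") else bin_v
            result.append((pkg, ver, fixed, debian_version_cmp(ver, fixed) >= 0))
    return result

# Constructed sample dpkg-query output: the bin package is one revision behind
SAMPLE = ["grub-efi-amd64-bin\t2.04-1ubuntu26.1", "grub-efi-amd64-signed\t1.142.4+2.04-1ubuntu26.2"]
```

On the host itself `dpkg --compare-versions` gives the same answer; the port is useful when checking collected package inventories off-box.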

Fully mitigating these vulnerabilities requires both an updated
GRUB2 boot loader and the application of a UEFI Revocation
List (dbx) to system firmware. Ubuntu will provide a packaged
dbx update at a later time, though system administrators may
choose to apply a third party dbx update before then. For more
details on mitigation steps and the risks entailed (especially for
dual/multi-boot scenarios), please see the Knowledge Base article at
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

References

https://ubuntu.com/security/notices/USN-4432-2

https://ubuntu.com/security/notices/USN-4432-1

https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1889556

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
