USN-4432-1 introduced a regression in the GRUB2 bootloader.
Software Description:
- grub2: GRand Unified Bootloader
- grub2-signed: GRand Unified Bootloader
Details:
USN-4432-1 fixed vulnerabilities in GRUB2 affecting Secure Boot
environments. Unfortunately, the update introduced regressions for
some BIOS systems (either pre-UEFI or UEFI configured in Legacy mode),
preventing them from successfully booting. This update addresses
the issue.
Users with BIOS systems that installed GRUB2 versions from USN-4432-1
should verify that their GRUB2 installation has a correct understanding
of their boot device location and installed the boot loader correctly.
We apologize for the inconvenience.
Original advisory details:
Jesse Michael and Mickey Shkatov discovered that the configuration parser
in GRUB2 did not properly exit when errors were discovered, resulting in
heap-based buffer overflows. A local attacker could use this to execute
arbitrary code and bypass UEFI Secure Boot res...
The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
- grub-efi-amd64-bin 2.04-1ubuntu26.2
- grub-efi-amd64-signed 1.142.4+2.04-1ubuntu26.2
- grub-efi-arm-bin 2.04-1ubuntu26.2
- grub-efi-arm64-bin 2.04-1ubuntu26.2
- grub-efi-arm64-signed 1.142.4+2.04-1ubuntu26.2
- grub-efi-ia32-bin 2.04-1ubuntu26.2

Ubuntu 18.04 LTS:
- grub-efi-amd64-bin 2.02-2ubuntu8.17
- grub-efi-amd64-signed 1.93.19+2.02-2ubuntu8.17
- grub-efi-arm-bin 2.02-2ubuntu8.17
- grub-efi-arm64-bin 2.02-2ubuntu8.17
- grub-efi-arm64-signed 1.93.19+2.02-2ubuntu8.17
- grub-efi-ia32-bin 2.02-2ubuntu8.17
- grub-efi-ia64-bin 2.02-2ubuntu8.17

Ubuntu 16.04 LTS:
- grub-efi-amd64-bin 2.02~beta2-36ubuntu3.27
- grub-efi-amd64-signed 1.66.27+2.02~beta2-36ubuntu3.27
- grub-efi-arm-bin 2.02~beta2-36ubuntu3.27
- grub-efi-arm64-bin 2.02~beta2-36ubuntu3.27
- grub-efi-arm64-signed 1.66.27+2.02~beta2-36ubuntu3.27
- grub-efi-ia32-bin 2.02~beta2-36ubuntu3.27
- grub-efi-ia64-bin 2.02~beta2-36ubuntu3.27

Ubuntu 14.04 ESM:
- grub-efi-amd64-bin 2.02~beta2-9ubuntu1.17
- grub-efi-amd64-signed 1.34.20+2.02~beta2-9ubuntu1.17
- grub-efi-arm-bin 2.02~beta2-9ubuntu1.17
- grub-efi-arm64-bin 2.02~beta2-9ubuntu1.17
- grub-efi-ia32-bin 2.02~beta2-9ubuntu1.17
- grub-efi-ia64-bin 2.02~beta2-9ubuntu1.17

Fully mitigating these vulnerabilities requires both an updated GRUB2
boot loader and the application of a UEFI Revocation List (dbx) to
system firmware. Ubuntu will provide a packaged dbx update at a later
time, though system administrators may choose to apply a third party
dbx update before then. For more details on mitigation steps and the
risks entailed (especially for dual/multi-boot scenarios), please see
the Knowledge Base article at
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
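An added example (not part of the original notice or of Canonical's tooling): a Python check of a collected package inventory against the fixed versions listed above, using Debian version ordering so that `~beta2` builds compare correctly. The `FIXED` subset, the function names and the sample inventory are assumptions made for illustration; on a live system `dpkg --compare-versions` performs the same comparison.

```python
import re

# Fixed versions copied from this notice (subset: amd64 on two releases).
FIXED = {
    "20.04": {"grub-efi-amd64-bin": "2.04-1ubuntu26.2",
              "grub-efi-amd64-signed": "1.142.4+2.04-1ubuntu26.2"},
    "16.04": {"grub-efi-amd64-bin": "2.02~beta2-36ubuntu3.27",
              "grub-efi-amd64-signed": "1.66.27+2.02~beta2-36ubuntu3.27"},
}

def _order(c):
    # Debian weight: '~' sorts first, then end of string (0), letters, the rest.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare upstream or revision strings as alternating non-digit/digit runs.
    while a or b:
        na, da, a = re.match(r"(\D*)(\d*)(.*)", a, re.S).groups()
        nb, db, b = re.match(r"(\D*)(\d*)(.*)", b, re.S).groups()
        n = max(len(na), len(nb))
        ka = ([_order(c) for c in na] + [0] * n)[:n], int(da or 0)
        kb = ([_order(c) for c in nb] + [0] * n)[:n], int(db or 0)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), up, rev

def deb_cmp(v1, v2):
    # -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision].
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def outdated(release, dpkg_output):
    # (package, installed, fixed) for packages still below the fixed version.
    table = FIXED.get(release, {})
    rows = (ln.split() for ln in dpkg_output.splitlines() if len(ln.split()) == 2)
    return [(p, v, table[p]) for p, v in rows
            if p in table and deb_cmp(v, table[p]) < 0]

# Constructed sample, shaped like: dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE = """grub-efi-amd64-bin 2.02~beta2-36ubuntu3.26
grub-efi-amd64-signed 1.66.27+2.02~beta2-36ubuntu3.27
grub-common 2.02~beta2-36ubuntu3.27"""
if __name__ == "__main__":
    print(outdated("16.04", SAMPLE))
```

Packages missing from the `FIXED` table are skipped, so extend it with the remaining entries from the list above before using it for a full audit.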
https://ubuntu.com/security/notices/USN-4432-2
https://ubuntu.com/security/notices/USN-4432-1
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1889556
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass