Linux Security

    Ubuntu 4432-2: GRUB2 regression

    ==========================================================================
    Ubuntu Security Notice USN-4432-2
    August 04, 2020
    
    grub2, grub2-signed regression
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 20.04 LTS
    - Ubuntu 18.04 LTS
    - Ubuntu 16.04 LTS
    - Ubuntu 14.04 ESM
    
    Summary:
    
    USN-4432-1 introduced a regression in the GRUB2 bootloader.
    
    Software Description:
    - grub2: GRand Unified Bootloader
    - grub2-signed: GRand Unified Bootloader
    
    Details:
    
    USN-4432-1 fixed vulnerabilities in GRUB2 affecting Secure Boot
    environments. Unfortunately, the update introduced regressions for
    some BIOS systems (either pre-UEFI or UEFI configured in Legacy mode),
    preventing them from successfully booting. This update addresses
    the issue.
    
    Users with BIOS systems that installed GRUB2 versions from USN-4432-1
    should verify that their GRUB2 installation has a correct understanding
    of their boot device location and installed the boot loader correctly.
    
    We apologize for the inconvenience.
    
    Original advisory details:
    
     Jesse Michael and Mickey Shkatov discovered that the configuration parser
     in GRUB2 did not properly exit when errors were discovered, resulting in
     heap-based buffer overflows. A local attacker could use this to execute
     arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713)
    
     Chris Coulson discovered that the GRUB2 function handling code did not
     properly handle a function being redefined, leading to a use-after-free
     vulnerability. A local attacker could use this to execute arbitrary code
     and bypass UEFI Secure Boot restrictions. (CVE-2020-15706)
    
     Chris Coulson discovered that multiple integer overflows existed in GRUB2
     when handling certain filesystems or font files, leading to heap-based
     buffer overflows. A local attacker could use these to execute arbitrary
     code and bypass UEFI Secure Boot restrictions. (CVE-2020-14309,
     CVE-2020-14310, CVE-2020-14311)
    
     It was discovered that the memory allocator for GRUB2 did not validate
     allocation size, resulting in multiple integer overflows and heap-based
     buffer overflows when handling certain filesystems, PNG images or disk
     metadata. A local attacker could use this to execute arbitrary code and
     bypass UEFI Secure Boot restrictions. (CVE-2020-14308)
    
     Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2
     failed to validate kernel signatures. A local attacker could use this
     to bypass Secure Boot restrictions. (CVE-2020-15705)
    
     Colin Watson and Chris Coulson discovered that an integer overflow
     existed in GRUB2 when handling the initrd command, leading to a heap-based
     buffer overflow. A local attacker could use this to execute arbitrary code
     and bypass UEFI Secure Boot restrictions. (CVE-2020-15707)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 20.04 LTS:
      grub-efi-amd64-bin              2.04-1ubuntu26.2
      grub-efi-amd64-signed           1.142.4+2.04-1ubuntu26.2
      grub-efi-arm-bin                2.04-1ubuntu26.2
      grub-efi-arm64-bin              2.04-1ubuntu26.2
      grub-efi-arm64-signed           1.142.4+2.04-1ubuntu26.2
      grub-efi-ia32-bin               2.04-1ubuntu26.2
    
    Ubuntu 18.04 LTS:
      grub-efi-amd64-bin              2.02-2ubuntu8.17
      grub-efi-amd64-signed           1.93.19+2.02-2ubuntu8.17
      grub-efi-arm-bin                2.02-2ubuntu8.17
      grub-efi-arm64-bin              2.02-2ubuntu8.17
      grub-efi-arm64-signed           1.93.19+2.02-2ubuntu8.17
      grub-efi-ia32-bin               2.02-2ubuntu8.17
      grub-efi-ia64-bin               2.02-2ubuntu8.17
    
    Ubuntu 16.04 LTS:
      grub-efi-amd64-bin              2.02~beta2-36ubuntu3.27
      grub-efi-amd64-signed           1.66.27+2.02~beta2-36ubuntu3.27
      grub-efi-arm-bin                2.02~beta2-36ubuntu3.27
      grub-efi-arm64-bin              2.02~beta2-36ubuntu3.27
      grub-efi-arm64-signed           1.66.27+2.02~beta2-36ubuntu3.27
      grub-efi-ia32-bin               2.02~beta2-36ubuntu3.27
      grub-efi-ia64-bin               2.02~beta2-36ubuntu3.27
    
    Ubuntu 14.04 ESM:
      grub-efi-amd64-bin              2.02~beta2-9ubuntu1.17
      grub-efi-amd64-signed           1.34.20+2.02~beta2-9ubuntu1.17
      grub-efi-arm-bin                2.02~beta2-9ubuntu1.17
      grub-efi-arm64-bin              2.02~beta2-9ubuntu1.17
      grub-efi-ia32-bin               2.02~beta2-9ubuntu1.17
      grub-efi-ia64-bin               2.02~beta2-9ubuntu1.17
    
    Fully mitigating these vulnerabilities requires both an updated
    GRUB2 boot loader and the application of a UEFI Revocation
    List (dbx) to system firmware. Ubuntu will provide a packaged
    dbx update at a later time, though system administrators may
    choose to apply a third party dbx update before then. For more
    details on mitigation steps and the risks entailed (especially for
    dual/multi-boot scenarios), please see the Knowledge Base article at
    https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
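
    The following script is an added example, not part of the advisory or of Ubuntu's tooling. It checks whether the GRUB2 packages installed on a host are at or above the fixed versions listed in the update instructions above, using a re-implementation of dpkg's version ordering (epoch, upstream, Debian revision, with "~" sorting lowest) so that the check can also be run on exported inventory data where `dpkg --compare-versions` is unavailable. The FIXED table contains only the amd64 entries from the advisory; the other architectures follow the same pattern. The dpkg-query output embedded below is constructed sample data.

```python
"""Added example (not Ubuntu's tooling): check installed GRUB2 packages
against the fixed versions published in USN-4432-2."""
import subprocess

# Fixed versions copied from the advisory's "Update instructions" section
# (amd64 entries only; remaining architectures follow the same pattern).
FIXED = {
    "20.04": {"grub-efi-amd64-bin": "2.04-1ubuntu26.2",
              "grub-efi-amd64-signed": "1.142.4+2.04-1ubuntu26.2"},
    "18.04": {"grub-efi-amd64-bin": "2.02-2ubuntu8.17",
              "grub-efi-amd64-signed": "1.93.19+2.02-2ubuntu8.17"},
    "16.04": {"grub-efi-amd64-bin": "2.02~beta2-36ubuntu3.27",
              "grub-efi-amd64-signed": "1.66.27+2.02~beta2-36ubuntu3.27"},
    "14.04": {"grub-efi-amd64-bin": "2.02~beta2-9ubuntu1.17",
              "grub-efi-amd64-signed": "1.34.20+2.02~beta2-9ubuntu1.17"},
}


def _order(c):
    """dpkg's character weight: '~' lowest, digits handled separately,
    letters before other punctuation, end of string weighs 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare one version component (upstream or revision) like dpkg:
    alternate non-digit runs and numeric runs until they differ."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # numeric run: drop leading zeros
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():   # a's number has more digits -> larger
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


# dpkg-query interprets the \t and \n escapes itself.
DPKG_FORMAT = "${Package}\\t${Version}\\t${Status}\\n"


def parse_dpkg_query(output):
    """Map package -> version for rows whose dpkg status is 'installed'."""
    installed = {}
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and parts[2].strip().endswith(" installed"):
            installed[parts[0]] = parts[1]
    return installed


def audit(release, installed):
    """Report 'fixed' or 'needs-update' for each advisory package present."""
    report = {}
    for pkg, fixed in FIXED[release].items():
        if pkg in installed:
            ok = compare_versions(installed[pkg], fixed) >= 0
            report[pkg] = "fixed" if ok else "needs-update"
    return report


# Constructed sample of dpkg-query output: one stale package, one fixed,
# one only left as config files (and therefore ignored).
SAMPLE_OUTPUT = (
    "grub-efi-amd64-bin\t2.04-1ubuntu26.1\tinstall ok installed\n"
    "grub-efi-amd64-signed\t1.142.4+2.04-1ubuntu26.2\tinstall ok installed\n"
    "grub-efi-ia32-bin\t2.04-1ubuntu26.2\tdeinstall ok config-files\n"
)

if __name__ == "__main__":
    try:  # live query on an Ubuntu host; sample data elsewhere
        proc = subprocess.run(["dpkg-query", "-W", "-f=" + DPKG_FORMAT,
                               "grub-efi-*"], capture_output=True, text=True)
        output = proc.stdout or SAMPLE_OUTPUT
    except FileNotFoundError:
        output = SAMPLE_OUTPUT
    for pkg, state in sorted(audit("20.04", parse_dpkg_query(output)).items()):
        print(f"{pkg}: {state}")
```

    Run it with the release key matching the host (the script hard-codes "20.04" in its entry point as an assumption; adjust or read VERSION_ID from /etc/os-release). A "fixed" result only confirms the package side of the mitigation: per the paragraph above, Secure Boot systems also need the dbx revocation list applied, which this script does not check.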
    
    References:
      https://usn.ubuntu.com/4432-2
      https://usn.ubuntu.com/4432-1
      https://launchpad.net/bugs/1889556
      https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
    
    Package Information:
      https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu26.2
      https://launchpad.net/ubuntu/+source/grub2-signed/1.142.4
      https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.17
      https://launchpad.net/ubuntu/+source/grub2-signed/1.93.19
      https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.27
      https://launchpad.net/ubuntu/+source/grub2-signed/1.66.27
    
