Description
A flaw was found in grub2, prior to version 2.06. An attacker may use the
GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw
also allows the bypass of Secure Boot protections. In order to load an
untrusted or modified kernel, an attacker would first need to establish
access to the system such as gaining physical access, obtain the ability to
alter a pxe-boot network, or have remote access to a networked system with
root access. With this access, an attacker could then craft a string to
cause a buffer overflow by injecting a malicious payload that leads to
arbitrary code execution within GRUB. The highest threat from this
vulnerability is to data confidentiality and integrity as well as system
availability.
Ubuntu-Description
Jesse Michael and Mickey Shkatov discovered that the configuration
parser in GRUB2 did not properly exit when errors were discovered,
resulting in heap-based buffer overflows. A local attacker could
use this to execute arbitrary code and bypass UEFI Secure Boot
restrictions.
Notes
| amurray | grub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low |
Package
| Upstream: | needs-triage
|
| Ubuntu 18.04 LTS: | released
(2.02-2ubuntu8.16)
|
| Ubuntu 20.04 LTS: | released
(2.04-1ubuntu26.1)
|
| Ubuntu 16.04 ESM: | released
(2.02~beta2-36ubuntu3.26)
|
| Ubuntu 14.04 ESM: | released
(2.02~beta2-9ubuntu1.20)
|
Patches:
Package
| Upstream: | needs-triage
|
| Ubuntu 18.04 LTS: | released
(1.93.18)
|
| Ubuntu 20.04 LTS: | released
(1.142.3)
|
| Ubuntu 16.04 ESM: | released
(1.66.26)
|
| Ubuntu 14.04 ESM: | released
(1.34.22)
|
Patches:
Updated: 2022-04-13 14:04:04 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)