CVE-2020-14309
Published: 29 July 2020
There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. The name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data.
From the Ubuntu Security Team
Chris Coulson discovered that multiple integer overflows existed in GRUB2 when handling certain filesystems or font files, leading to heap-based buffer overflows. A local attacker could use these to execute arbitrary code and bypass UEFI Secure Boot restrictions.
Notes
| Author | Note |
|---|---|
| alexmurray | grub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
grub2 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.02-2ubuntu8.16)
|
| focal |
Released
(2.04-1ubuntu26.1)
|
|
| groovy |
Not vulnerable
(2.04-1ubuntu26.1)
|
|
| hirsute |
Not vulnerable
(2.04-1ubuntu26.1)
|
|
| jammy |
Not vulnerable
(2.06-2ubuntu7)
|
|
| kinetic |
Not vulnerable
(2.06-2ubuntu12)
|
|
| lunar |
Not vulnerable
(2.06-2ubuntu16)
|
|
| mantic |
Not vulnerable
(2.06-2ubuntu18)
|
|
| trusty |
Released
(2.02~beta2-9ubuntu1.20)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.02~beta2-36ubuntu3.26)
|
|
|
grub2-signed Launchpad, Ubuntu, Debian |
bionic |
Released
(1.93.18)
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Released
(1.142.3)
|
|
| groovy |
Not vulnerable
(1.147)
|
|
| hirsute |
Not vulnerable
(1.147)
|
|
| jammy |
Not vulnerable
(1.182~22.04.1)
|
|
| kinetic |
Not vulnerable
(1.185)
|
|
| lunar |
Not vulnerable
(1.192)
|
|
| mantic |
Not vulnerable
(1.193)
|
|
| trusty |
Released
(1.34.22)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.66.26)
|
|
|
grub2-unsigned Launchpad, Ubuntu, Debian |
bionic |
Released
(2.04-1ubuntu47.4)
|
| focal |
Released
(2.04-1ubuntu47.4)
|
|
| jammy |
Not vulnerable
(2.06-2ubuntu7)
|
|
| kinetic |
Not vulnerable
(2.06-2ubuntu12)
|
|
| lunar |
Not vulnerable
(2.06-2ubuntu16)
|
|
| mantic |
Not vulnerable
(2.06-2ubuntu17)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.7 |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H |
References
- https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
- https://www.openwall.com/lists/oss-security/2020/07/29/3
- https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
- https://ubuntu.com/security/notices/USN-4432-1
- https://www.cve.org/CVERecord?id=CVE-2020-14309
- NVD
- Launchpad
- Debian