CVE-2020-14310 in Ubuntu

CVE-2020-14310

Priority

Description

There is an issue on grub2 before version 2.06 at function
read_section_as_string(). It expects a font name to be at max UINT32_MAX -
1 length in bytes but it doesn't verify it before proceed with buffer
allocation to read the value from the font value. An attacker may leverage
that by crafting a malicious font file which has a name with UINT32_MAX,
leading to read_section_as_string() to an arithmetic overflow, zero-sized
allocation and further heap-based buffer overflow.

Ubuntu-Description

Chris Coulson discovered that multiple integer overflows existed in GRUB2
when handling certain filesystems or font files, leading to heap-based
buffer overflows. A local attacker could use these to execute arbitrary
code and bypass UEFI Secure Boot restrictions.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14310
https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
https://www.openwall.com/lists/oss-security/2020/07/29/3
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
https://ubuntu.com/security/notices/USN-4432-1

Notes

amurray

grub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low

Package

Source: grub2 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	released (2.02-2ubuntu8.16)
Ubuntu 20.04 LTS:	released (2.04-1ubuntu26.1)
Ubuntu 16.04 ESM:	released (2.02~beta2-36ubuntu3.26)
Ubuntu 14.04 ESM:	released (2.02~beta2-9ubuntu1.20)

Patches:

Package

Source: grub2-signed (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	released (1.93.18)
Ubuntu 20.04 LTS:	released (1.142.3)
Ubuntu 16.04 ESM:	released (1.66.26)
Ubuntu 14.04 ESM:	released (1.34.22)

Patches:

More Information

Updated: 2022-04-13 14:09:04 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)