• GRUB 2 vulnerabilities

    From bugz_ubuntu@21:4/110 to Ubuntu Users on Wed Jul 29 20:10:02 2020
    grub2, grub2-signed vulnerabilities

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 20.04 LTS
    * Ubuntu 18.04 LTS
    * Ubuntu 16.04 LTS
    * Ubuntu 14.04 ESM

    Summary

    Several security issues were fixed in GRUB 2.

    Software Description

    * grub2 - GRand Unified Bootloader
    * grub2-signed - GRand Unified Bootloader

    Details

    Jesse Michael and Mickey Shkatov discovered that the configuration
    parser in GRUB2 did not properly exit when errors were discovered,
    resulting in heap-based buffer overflows. A local attacker could
    use this to execute arbitrary code and bypass UEFI Secure Boot
    restrictions. (CVE-2020-10713)

    Chris Coulson discovered that the GRUB2 function handling code did
    not properly handle a function being redefined, leading to a
    use-after-free vulnerability. A local attacker could use this to
    execute arbitrary code and bypass UEFI Secure Boot restrictions.
    (CVE-2020-15706)

    Chris Coulson discovered that multiple integer overflows existed
    in GRUB2 when handling certain filesystems or font files, leading
    to heap-based buffer overflows. A local attacker could use these
    to execute arbitrary code and bypass UEFI Secure Boot
    restrictions. (CVE-2020-14309, CVE-2020-14310, CVE-2020-14311)

    It was discovered that the memory allocator for GRUB2 did not
    validate allocation size, resulting in multiple integer overflows
    and heap-based buffer overflows when handling certain filesystems,
    PNG images or disk metadata. A local attacker could use this to
    execute arbitrary code and bypass UEFI Secure Boot restrictions.
    (CVE-2020-14308)

    Mathieu Trudel-Lapierre discovered that in certain situations,
    GRUB2 failed to validate kernel signatures. A local attacker could
    use this to bypass Secure Boot restrictions. (CVE-2020-15705)

    Colin Watson and Chris Coulson discovered that an integer overflow
    existed in GRUB2 when handling the initrd command, leading to a
    heap-based buffer overflow. A local attacker could use this to
    execute arbitrary code and bypass UEFI Secure Boot restrictions.
    (CVE-2020-15707)

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 20.04 LTS
    grub-efi-amd64-bin - 2.04-1ubuntu26.1
    grub-efi-amd64-signed - 1.142.3+2.04-1ubuntu26.1
    grub-efi-arm-bin - 2.04-1ubuntu26.1
    grub-efi-arm64-bin - 2.04-1ubuntu26.1
    grub-efi-arm64-signed - 1.142.3+2.04-1ubuntu26.1
    grub-efi-ia32-bin - 2.04-1ubuntu26.1

    Ubuntu 18.04 LTS
    grub-efi-amd64-bin - 2.02-2ubuntu8.16
    grub-efi-amd64-signed - 1.93.18+2.02-2ubuntu8.16
    grub-efi-arm-bin - 2.02-2ubuntu8.16
    grub-efi-arm64-bin - 2.02-2ubuntu8.16
    grub-efi-arm64-signed - 1.93.18+2.02-2ubuntu8.16
    grub-efi-ia32-bin - 2.02-2ubuntu8.16
    grub-efi-ia64-bin - 2.02-2ubuntu8.16

    Ubuntu 16.04 LTS
    grub-efi-amd64-bin - 2.02~beta2-36ubuntu3.26
    grub-efi-amd64-signed - 1.66.26+2.02~beta2-36ubuntu3.26
    grub-efi-arm-bin - 2.02~beta2-36ubuntu3.26
    grub-efi-arm64-bin - 2.02~beta2-36ubuntu3.26
    grub-efi-arm64-signed - 1.66.26+2.02~beta2-36ubuntu3.26
    grub-efi-ia32-bin - 2.02~beta2-36ubuntu3.26
    grub-efi-ia64-bin - 2.02~beta2-36ubuntu3.26

    Ubuntu 14.04 ESM
    grub-efi-amd64-bin - 2.02~beta2-9ubuntu1.20
    grub-efi-amd64-signed - 1.34.22+2.02~beta2-9ubuntu1.20
    grub-efi-arm-bin - 2.02~beta2-9ubuntu1.20
    grub-efi-arm64-bin - 2.02~beta2-9ubuntu1.20
    grub-efi-ia32-bin - 2.02~beta2-9ubuntu1.20
    grub-efi-ia64-bin - 2.02~beta2-9ubuntu1.20

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    Fully mitigating these vulnerabilities requires both an updated
    GRUB2 boot loader and the application of a UEFI Revocation List
    (dbx) to system firmware. Ubuntu will provide a packaged dbx
    update at a later time, though system administrators may choose to
    apply a third-party dbx update before then. For more details on
    mitigation steps and the risks entailed (especially for
    dual/multi-boot scenarios), please see the Knowledge Base article
    at
    https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

    References

    * CVE-2020-10713
    * CVE-2020-14308
    * CVE-2020-14309
    * CVE-2020-14310
    * CVE-2020-14311
    * CVE-2020-15705
    * CVE-2020-15706
    * CVE-2020-15707
    * https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

    --- Mystic BBS v1.12 A45 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)