Bug 734654 (CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707) - sys-devel/grub: Multiple vulnerabilities (CVE-2020-{10713,14308,14309,14310,14311,15705,15706,15707})
Status: IN_PROGRESS
Alias: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal with 3 votes
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A3 [upstream/ebuild cve]
Reported: 2020-07-30 03:44 UTC by Sam James
Modified: 2020-08-03 13:14 UTC (History)
Description Sam James gentoo-dev Security 2020-07-30 03:44:27 UTC
"Hello All,

There are several CVEs both in GRUB2 and the Linux kernel (details
below) that compromise UEFI Secure boot and kernel lockdown.

* These bugs allow unsigned code to be booted and run on hardware
  configured to prevent that.

* Affected vendors will be publishing fixed, re-signed shim, grub and
  kernels to allow systems to continue to boot post-mitigation.
  Details of exactly what is published will vary from vendor to
  vendor.

* The actual mitigation is a UEFI Revocation List update that
  prevents exploitable binaries from loading. This list will be
  available from: https://uefi.org/revocationlistfile soon.  Vendors
  may also include this in an updated release of a dbxtool package.

* In addition to the Microsoft Key Encryption Key (KEK)-signed UEFI
  Revocation List updates, hardware vendors may also issue their own
  updates signed with their own KEKs.  Again, this will vary from
  vendor to vendor.

Exploiting these flaws requires a significant level of access to a
system. The flaws would allow, for example, a nefarious kernel to hide
a rootkit or similar to be loaded onto a system that has UEFI Secure
Boot enabled. It is important to note that updating the exploitable
binaries does not in fact mitigate the CVE, since an attacker could
bring an old, exploitable, signed copy of a grub binary onto a system
with whatever kernel they wished to load. In order to mitigate, the
UEFI Revocation List (dbx) must be updated on a system. Once the UEFI
Revocation List is updated on a system, it will no longer boot
binaries that pre-date these fixes. This includes old install media.

Fully mitigating a system against these flaws should be done with the
clear understanding that old kernels and old install media will not
boot on a secure-boot system.

There are two kernel CVEs that are already public: CVE-2019-20908 and
CVE-2020-15780.  In addition there are the following GRUB2 CVEs:

CVE-2020-10713
   8.2/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
   This is the original flaw discovered by Eclypsium, also known as
   "BootHole" and is described in Eclypsium's paper at
   https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

CVE-2020-14308
   6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
   grub2: grub_malloc does not validate allocation size allowing for
   arithmetic overflow and subsequent heap-based buffer overflow.

CVE-2020-14309
   5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
   grub2: Integer overflow in grub_squash_read_symlink may lead to
   heap based overflow.

CVE-2020-14310
   5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
   grub2: Integer overflow in read_section_from_string may lead to heap
   based overflow.

CVE-2020-14311
   5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
   grub2: Integer overflow in grub_ext2_read_link leads to heap based
   buffer overflow.

CVE-2020-15705
   grub: avoid loading unsigned kernels when grub is booted directly
   under secureboot without shim
   6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-15706
   script: Avoid a use-after-free when redefining a function during
   execution
   6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-15707
   grub2: Integer overflow in initrd size handling.
   5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H"
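The integer-overflow class behind CVE-2020-14308, -14309, -14310, -14311 and -15707 in the report above is the same in each case: a length taken from attacker-controlled on-disk data (a symlink record, an ELF section, an initrd size) feeds an allocation-size calculation, the calculation wraps, the allocator hands back a small buffer, and the subsequent copy of the full claimed length overflows it. The block below is an added example written for this page, not GRUB's code and not part of the original report. The record layout (a little-endian 32-bit length followed by the target bytes), every function name, and the two sample records are constructed for illustration; GRUB's real squashfs and ext2 parsers differ, and `__builtin_add_overflow` is a GCC/Clang builtin used here in place of whatever checked-arithmetic helpers a given project provides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed on-disk record layout for this example (NOT GRUB's real
 * squashfs or ext2 symlink format): a little-endian 32-bit target
 * length followed by that many bytes of symlink target.
 */
#define SYMLINK_HDR_LEN 4

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Vulnerable pattern: the allocation size is len + 1 computed in
 * 32-bit unsigned arithmetic.  For len = 0xFFFFFFFF this wraps to 0,
 * so the allocator is asked for far less than the copy that follows
 * will write.  This function only returns the size the vulnerable
 * code would request; it does not perform the overflowing copy.
 */
uint32_t symlink_alloc_size_unchecked(uint32_t len)
{
    return len + 1;
}

/*
 * Hardened pattern: the addition is overflow-checked, and the claimed
 * length is validated against the bytes actually present in the
 * record before anything is allocated or copied.  Returns 0 on
 * rejection (a valid size is always >= 1).
 */
uint32_t symlink_alloc_size_checked(uint32_t len, size_t available)
{
    uint32_t size;
    if (__builtin_add_overflow(len, 1u, &size))
        return 0;              /* len + 1 would wrap */
    if (len > available)
        return 0;              /* record claims more bytes than exist */
    return size;
}

/*
 * Parse a record into a freshly allocated NUL-terminated string using
 * the hardened size computation.  Returns NULL on any malformed input;
 * the caller frees the result.
 */
char *read_symlink_target(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < SYMLINK_HDR_LEN)
        return NULL;
    uint32_t len = read_le32(rec);
    uint32_t size = symlink_alloc_size_checked(len, rec_len - SYMLINK_HDR_LEN);
    if (size == 0)
        return NULL;
    char *target = malloc(size);
    if (!target)
        return NULL;
    memcpy(target, rec + SYMLINK_HDR_LEN, len);
    target[len] = '\0';
    return target;
}

/* Constructed sample records: a well-formed one and one whose length wraps. */
static const uint8_t good_record[] = {
    0x0a, 0x00, 0x00, 0x00, '/', 'b', 'o', 'o', 't', '/', 'g', 'r', 'u', 'b'
};
static const uint8_t bad_record[] = {
    0xff, 0xff, 0xff, 0xff, 'x', 'x', 'x', 'x'
};

/* True if the well-formed record parses to the expected target. */
bool good_record_parses(void)
{
    char *t = read_symlink_target(good_record, sizeof good_record);
    bool ok = t != NULL && strcmp(t, "/boot/grub") == 0;
    free(t);
    return ok;
}

/* True if the hardened parser rejects the wrapping record outright. */
bool bad_record_rejected(void)
{
    return read_symlink_target(bad_record, sizeof bad_record) == NULL;
}

int main(void)
{
    printf("unchecked size for len=0xFFFFFFFF: %u (wrapped)\n",
           symlink_alloc_size_unchecked(0xFFFFFFFFu));
    printf("good record parses: %s\n", good_record_parses() ? "yes" : "no");
    printf("bad record rejected: %s\n", bad_record_rejected() ? "yes" : "no");
    return 0;
}
```

Two points worth noting when reviewing real parsers for this class of bug. First, the check has to happen before the allocation, on the same expression the allocator receives; validating `len` against the file size alone does not catch the `len + 1` wrap, and checking the sum alone does not catch a length that exceeds the record. Second, as the report above stresses, fixing the parser in a signed GRUB binary does not by itself mitigate the CVEs on a Secure Boot system: an attacker with the required access can still boot an older, still-signed binary containing the flaw, which is why the dbx revocation list update is the actual mitigation.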