USN-4432-1: GRUB 2 vulnerabilities

Publication date

29 July 2020

Overview

Several security issues were fixed in GRUB 2.

Details

Jesse Michael and Mickey Shkatov discovered that the configuration parser
in GRUB2 did not properly exit when errors were discovered, resulting in
heap-based buffer overflows. A local attacker could use this to execute
arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713)

Chris Coulson discovered that the GRUB2 function handling code did not
properly handle a function being redefined, leading to a use-after-free
vulnerability. A local attacker could use this to execute arbitrary code
and bypass UEFI Secure Boot restrictions. (CVE-2020-15706)

Chris Coulson discovered that multiple integer overflows existed in GRUB2
when handling certain filesystems or font files, leading to heap-based
buffer overflows. A local attacker could use these to execute arbitrary
code and bypass UEFI Secure Boot restrictions. (CVE-2020-14309,
CVE-2020-14310, CVE-2020-14311)

It was discovered that the memory allocator for GRUB2 did not validate
allocation size, resulting in multiple integer overflows and heap-based
buffer overflows when handling certain filesystems, PNG images or disk
metadata. A local attacker could use this to execute arbitrary code and
bypass UEFI Secure Boot restrictions. (CVE-2020-14308)

Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2
failed to validate kernel signatures. A local attacker could use this
to bypass Secure Boot restrictions. (CVE-2020-15705)

Colin Watson and Chris Coulson discovered that an integer overflow
existed in GRUB2 when handling the initrd command, leading to a heap-based
buffer overflow. A local attacker could use this to execute arbitrary code
and bypass UEFI Secure Boot restrictions. (CVE-2020-15707)


Update instructions

Fully mitigating these vulnerabilities requires both an updated GRUB2 boot loader and the application of a UEFI Revocation List (dbx) to system firmware. Ubuntu will provide a packaged dbx update at a later time, though system administrators may choose to apply a third party dbx update before then. For more details on mitigation steps and the risks entailed (especially for dual/multi-boot scenarios), please see the Knowledge Base article at https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release    Package                  Version
20.04 focal       grub-efi-amd64-bin       2.04-1ubuntu26.1
                  grub-efi-amd64-signed    1.142.3+2.04-1ubuntu26.1
                  grub-efi-arm-bin         2.04-1ubuntu26.1
                  grub-efi-arm64-bin       2.04-1ubuntu26.1
                  grub-efi-arm64-signed    1.142.3+2.04-1ubuntu26.1
                  grub-efi-ia32-bin        2.04-1ubuntu26.1
18.04 bionic      grub-efi-amd64-bin       2.02-2ubuntu8.16
                  grub-efi-amd64-signed    1.93.18+2.02-2ubuntu8.16
                  grub-efi-arm-bin         2.02-2ubuntu8.16
                  grub-efi-arm64-bin       2.02-2ubuntu8.16
                  grub-efi-arm64-signed    1.93.18+2.02-2ubuntu8.16
                  grub-efi-ia32-bin        2.02-2ubuntu8.16
16.04 xenial      grub-efi-amd64-bin       2.02~beta2-36ubuntu3.26
                  grub-efi-amd64-signed    1.66.26+2.02~beta2-36ubuntu3.26
                  grub-efi-arm-bin         2.02~beta2-36ubuntu3.26
                  grub-efi-arm64-bin       2.02~beta2-36ubuntu3.26
                  grub-efi-arm64-signed    1.66.26+2.02~beta2-36ubuntu3.26
                  grub-efi-ia32-bin        2.02~beta2-36ubuntu3.26
14.04 trusty      grub-efi-amd64-bin       2.02~beta2-9ubuntu1.20
                  grub-efi-amd64-signed    1.34.22+2.02~beta2-9ubuntu1.20
                  grub-efi-arm-bin         2.02~beta2-9ubuntu1.20
                  grub-efi-arm64-bin       2.02~beta2-9ubuntu1.20
                  grub-efi-ia32-bin        2.02~beta2-9ubuntu1.20
