CVE-2020-14308
Published: 29 July 2020
In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process.
From the Ubuntu Security Team
It was discovered that the memory allocator for GRUB2 did not validate allocation size, resulting in multiple integer overflows and heap-based buffer overflows when handling certain filesystems, PNG images or disk metadata. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
Notes
| Author | Note |
|---|---|
| alexmurray | grub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
grub2 Launchpad, Ubuntu, Debian |
upstream |
Needs triage
|
| trusty |
Released
(2.02~beta2-9ubuntu1.20)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| xenial |
Released
(2.02~beta2-36ubuntu3.26)
|
|
| bionic |
Released
(2.02-2ubuntu8.16)
|
|
| focal |
Released
(2.04-1ubuntu26.1)
|
|
| jammy |
Not vulnerable
(2.06-2ubuntu7)
|
|
| kinetic |
Not vulnerable
(2.06-2ubuntu12)
|
|
| lunar |
Not vulnerable
(2.06-2ubuntu16)
|
|
| groovy |
Not vulnerable
(2.04-1ubuntu26.1)
|
|
| hirsute |
Not vulnerable
(2.04-1ubuntu26.1)
|
|
|
grub2-signed Launchpad, Ubuntu, Debian |
trusty |
Released
(1.34.22)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| bionic |
Released
(1.93.18)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Released
(1.142.3)
|
|
| jammy |
Not vulnerable
(1.182~22.04.1)
|
|
| kinetic |
Not vulnerable
(1.185)
|
|
| lunar |
Not vulnerable
(1.192)
|
|
| groovy |
Not vulnerable
(1.147)
|
|
| hirsute |
Not vulnerable
(1.147)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.66.26)
|
|
|
grub2-unsigned Launchpad, Ubuntu, Debian |
trusty |
Does not exist
|
| xenial |
Needed
|
|
| bionic |
Released
(2.04-1ubuntu47.4)
|
|
| focal |
Released
(2.04-1ubuntu47.4)
|
|
| jammy |
Not vulnerable
(2.06-2ubuntu7)
|
|
| kinetic |
Not vulnerable
(2.06-2ubuntu12)
|
|
| lunar |
Not vulnerable
(2.06-2ubuntu16)
|
|
| upstream |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.4 |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14308
- https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
- https://www.openwall.com/lists/oss-security/2020/07/29/3
- https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
- https://ubuntu.com/security/notices/USN-4432-1
- NVD
- Launchpad
- Debian