CVE-2020-14310

Published: 29 July 2020

There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.

From the Ubuntu security team

Chris Coulson discovered that multiple integer overflows existed in GRUB2 when handling certain filesystems or font files, leading to heap-based buffer overflows. A local attacker could use these to execute arbitrary code and bypass UEFI Secure Boot restrictions.

Priority

High

CVSS 3 base score: 5.7

Status

Package Release Status
grub2
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(2.04-1ubuntu26.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (2.04-1ubuntu26.1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.02-2ubuntu8.16)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (2.02~beta2-36ubuntu3.26)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.02~beta2-9ubuntu1.20)
grub2-signed
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(1.147)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1.142.3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1.93.18)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1.66.26)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.34.22)