CVE-2020-15705
Published: 29 July 2020
GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.
From the Ubuntu Security Team
Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2 failed to validate kernel signatures. A local attacker could use this to bypass Secure Boot restrictions.
Notes
| Author | Note |
|---|---|
| alexmurray | grub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
grub2 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.02-2ubuntu8.16)
|
| focal |
Released
(2.04-1ubuntu26.1)
|
|
| groovy |
Not vulnerable
(2.04-1ubuntu26.1)
|
|
| hirsute |
Not vulnerable
(2.04-1ubuntu26.1)
|
|
| jammy |
Not vulnerable
(2.06-2ubuntu7)
|
|
| kinetic |
Not vulnerable
(2.06-2ubuntu12)
|
|
| lunar |
Not vulnerable
(2.06-2ubuntu16)
|
|
| mantic |
Not vulnerable
(2.06-2ubuntu18)
|
|
| trusty |
Released
(2.02~beta2-9ubuntu1.20)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.02~beta2-36ubuntu3.26)
|
|
|
grub2-signed Launchpad, Ubuntu, Debian |
bionic |
Released
(1.93.18)
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Released
(1.142.3)
|
|
| groovy |
Not vulnerable
(1.147)
|
|
| hirsute |
Not vulnerable
(1.147)
|
|
| jammy |
Not vulnerable
(1.180)
|
|
| kinetic |
Not vulnerable
(1.185)
|
|
| lunar |
Not vulnerable
(1.192)
|
|
| mantic |
Not vulnerable
(1.193)
|
|
| trusty |
Released
(1.34.22)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.66.26)
|
|
|
grub2-unsigned Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(2.04-1ubuntu47.4)
|
| focal |
Not vulnerable
(2.04-1ubuntu47.4)
|
|
| jammy |
Not vulnerable
(2.06-2ubuntu10)
|
|
| kinetic |
Not vulnerable
(2.06-2ubuntu12)
|
|
| lunar |
Not vulnerable
(2.06-2ubuntu16)
|
|
| mantic |
Not vulnerable
(2.06-2ubuntu17)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.4 |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
References
- https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
- https://www.openwall.com/lists/oss-security/2020/07/29/3
- https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
- https://ubuntu.com/security/notices/USN-4432-1
- https://www.cve.org/CVERecord?id=CVE-2020-15705
- NVD
- Launchpad
- Debian