
CVE-2020-15705

Published: 29 July 2020

GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.

From the Ubuntu security team

Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2 failed to validate kernel signatures. A local attacker could use this to bypass Secure Boot restrictions.

Priority

Medium

CVSS 3 base score: 6.4

Status

Package: grub2

Release    Status
bionic     Released (2.02-2ubuntu8.16)
focal      Released (2.04-1ubuntu26.1)
groovy     Not vulnerable (2.04-1ubuntu26.1)
hirsute    Not vulnerable (2.04-1ubuntu26.1)
precise    Ignored (end of ESM support, was needed)
trusty     Released (2.02~beta2-9ubuntu1.20)
upstream   Needs triage
xenial     Released (2.02~beta2-36ubuntu3.26)

Package: grub2-signed

Release    Status
bionic     Released (1.93.18)
eoan       Ignored (reached end-of-life)
focal      Released (1.142.3)
groovy     Not vulnerable (1.147)
hirsute    Not vulnerable (1.147)
precise    Does not exist
trusty     Released (1.34.22)
upstream   Needs triage
xenial     Released (1.66.26)