CVE-2023-4692
Published: 3 October 2023
An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.
From the Ubuntu Security Team
It was discovered that a specially crafted file system image could cause a heap-based out-of-bounds write. An attacker could potentially use this to perform arbitrary code execution bypass and bypass secure boot protections.
Notes
| Author | Note |
|---|---|
| eslerm | grub2-unsigned contains Secure Boot security fixes the grub2 package unlikely affects Ubuntu's Secure Boot grub2 and grub2-unsigned should have same major version |
| eslerm | Ubuntu Secure Boot and ESM do not cover i386 trusty's GA kernel cannot handle new versions of grub Note that key revocation is required to protect against evil housekeeper attacks (such as BlackLotus) |
| eslerm | CWE-122 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
grub2 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(does not affect Secure Boot)
|
| focal |
Not vulnerable
(does not affect Secure Boot)
|
|
| jammy |
Not vulnerable
(does not affect Secure Boot)
|
|
| lunar |
Not vulnerable
(does not affect Secure Boot)
|
|
| mantic |
Not vulnerable
(does not affect Secure Boot)
|
|
| noble |
Not vulnerable
(does not affect Secure Boot)
|
|
| trusty |
Not vulnerable
(does not affect Secure Boot)
|
|
| upstream |
Released
(2.12~rc1-11)
|
|
| xenial |
Not vulnerable
(does not affect Secure Boot)
|
|
|
grub2-signed Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Released
(1.187.6~20.04.1)
|
|
| jammy |
Released
(1.187.6)
|
|
| lunar |
Released
(1.193.2)
|
|
| mantic |
Released
(1.197)
|
|
| noble |
Released
(1.197)
|
|
| trusty |
Ignored
(update incompatible with kernel)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
grub2-unsigned Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Released
(2.06-2ubuntu14.4)
|
|
| jammy |
Released
(2.06-2ubuntu14.4)
|
|
| lunar |
Released
(2.06-2ubuntu17.2)
|
|
| mantic |
Released
(2.12~rc1-10ubuntu4)
|
|
| noble |
Released
(2.12~rc1-10ubuntu4)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |