CVE-2024-2312

Published: 5 April 2024

GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.

Notes

Author	Note
eslerm	the grub2 package does not affect Ubuntu's Secure Boot grub2-unsigned contains Secure Boot security fixes grub2 and grub2-unsigned should have same major version Ubuntu Secure Boot and ESM do not cover i386 trusty's GA kernel cannot handle new versions of grub Note that key revocation is required to protect against evil housekeeper attacks (such as BlackLotus)
mdeslaur	this is fixed in grub2-unsigned (2.12~rc1-10ubuntu4.2) and grub2-signed (1.197.2) in mantic-proposed.

Author

Note

eslerm

the grub2 package does not affect Ubuntu's Secure Boot
grub2-unsigned contains Secure Boot security fixes grub2 and
grub2-unsigned should have same major version Ubuntu Secure Boot
and ESM do not cover i386 trusty's GA kernel cannot handle new
versions of grub Note that key revocation is required to protect
against evil housekeeper attacks (such as BlackLotus)

mdeslaur

this is fixed in grub2-unsigned (2.12~rc1-10ubuntu4.2) and
grub2-signed (1.197.2) in mantic-proposed.

Priority

Cvss 3 Severity Score

6.7

Score breakdown

Status

Package	Release	Status
grub2 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (does not affect Secure Boot)
	focal	Not vulnerable (does not affect Secure Boot)
	jammy	Not vulnerable (does not affect Secure Boot)
	mantic	Not vulnerable (does not affect Secure Boot)
	noble	Not vulnerable (does not affect Secure Boot)
	trusty	Ignored (update incompatible with kernel)
	upstream	Needs triage
	xenial	Not vulnerable (does not affect Secure Boot)
grub2-signed Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	jammy	Not vulnerable (code not present)
	mantic	Needed
	noble	Released (1.202)
	trusty	Ignored (update incompatible with kernel)
	upstream	Needs triage
	xenial	Not vulnerable (code not present)
grub2-unsigned Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	jammy	Not vulnerable (code not present)
	mantic	Needed
	noble	Released (2.12-1ubuntu7)
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Not vulnerable (code not present)

Severity score breakdown

Parameter	Value
Base score	6.7
Attack vector	Local
Attack complexity	Low
Privileges required	High
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›