USN-4432-1: GRUB 2 vulnerabilities

29 July 2020

Several security issues were fixed in GRUB 2.

Releases

Packages

Details

Jesse Michael and Mickey Shkatov discovered that the configuration parser
in GRUB2 did not properly exit when errors were discovered, resulting in
heap-based buffer overflows. A local attacker could use this to execute
arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713)

Chris Coulson discovered that the GRUB2 function handling code did not
properly handle a function being redefined, leading to a use-after-free
vulnerability. A local attacker could use this to execute arbitrary code
and bypass UEFI Secure Boot restrictions. (CVE-2020-15706)

Chris Coulson discovered that multiple integer overflows existed in GRUB2
when handling certain filesystems or font files, leading to heap-based
buffer overflows. A local attacker could use these to execute arbitrary
code and bypass UEFI Secure Boot restrictions. (CVE-2020-14309,
CVE-2020-14310, CVE-2020-14311)

It was discovered that the memory allocator for GRUB2 did not validate
allocation size, resulting in multiple integer overflows and heap-based
buffer overflows when handling certain filesystems, PNG images or disk
metadata. A local attacker could use this to execute arbitrary code and
bypass UEFI Secure Boot restrictions. (CVE-2020-14308)

Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2
failed to validate kernel signatures. A local attacker could use this
to bypass Secure Boot restrictions. (CVE-2020-15705)

Colin Watson and Chris Coulson discovered that an integer overflow
existed in GRUB2 when handling the initrd command, leading to a heap-based
buffer overflow. A local attacker could use this to execute arbitrary code
and bypass UEFI Secure Boot restrictions. (CVE-2020-15707)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04
Ubuntu 18.04
Ubuntu 16.04
Ubuntu 14.04

Fully mitigating these vulnerabilities requires both an updated
GRUB2 boot loader and the application of a UEFI Revocation
List (dbx) to system firmware. Ubuntu will provide a packaged
dbx update at a later time, though system adminstrators may
choose to apply a third party dbx update before then. For more
details on mitigation steps and the risks entailed (especially for
dual/multi-boot scenarios), please see the Knowledge Base article at
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass