USN-4432-2: GRUB2 regression

4 August 2020

USN-4432-1 introduced a regression in the GRUB2 bootloader.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

USN-4432-1 fixed vulnerabilities in GRUB2 affecting Secure Boot
environments. Unfortunately, the update introduced regressions for
some BIOS systems (either pre-UEFI or UEFI configured in Legacy mode),
preventing them from successfully booting. This update addresses
the issue.

Users with BIOS systems that installed GRUB2 versions from USN-4432-1
should verify that their GRUB2 installation has a correct understanding
of their boot device location and installed the boot loader correctly.

We apologize for the inconvenience.

Original advisory details:

Jesse Michael and Mickey Shkatov discovered that the configuration parser
in GRUB2 did not properly exit when errors were discovered, resulting in
heap-based buffer overflows. A local attacker could use this to execute
arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713)

Chris Coulson discovered that the GRUB2 function handling code did not
properly handle a function being redefined, leading to a use-after-free
vulnerability. A local attacker could use this to execute arbitrary code
and bypass UEFI Secure Boot restrictions. (CVE-2020-15706)

Chris Coulson discovered that multiple integer overflows existed in GRUB2
when handling certain filesystems or font files, leading to heap-based
buffer overflows. A local attacker could use these to execute arbitrary
code and bypass UEFI Secure Boot restrictions. (CVE-2020-14309,
CVE-2020-14310, CVE-2020-14311)

It was discovered that the memory allocator for GRUB2 did not validate
allocation size, resulting in multiple integer overflows and heap-based
buffer overflows when handling certain filesystems, PNG images or disk
metadata. A local attacker could use this to execute arbitrary code and
bypass UEFI Secure Boot restrictions. (CVE-2020-14308)

Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2
failed to validate kernel signatures. A local attacker could use this
to bypass Secure Boot restrictions. (CVE-2020-15705)

Colin Watson and Chris Coulson discovered that an integer overflow
existed in GRUB2 when handling the initrd command, leading to a heap-based
buffer overflow. A local attacker could use this to execute arbitrary code
and bypass UEFI Secure Boot restrictions. (CVE-2020-15707)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04
Ubuntu 18.04
Ubuntu 16.04
Ubuntu 14.04

Fully mitigating these vulnerabilities requires both an updated
GRUB2 boot loader and the application of a UEFI Revocation
List (dbx) to system firmware. Ubuntu will provide a packaged
dbx update at a later time, though system adminstrators may
choose to apply a third party dbx update before then. For more
details on mitigation steps and the risks entailed (especially for
dual/multi-boot scenarios), please see the Knowledge Base article at
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass