CVE-2020-15707

Current Description

Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions.

Basic Data

Published	July 29, 2020
Last Modified	August 04, 2020
Assigner	cve@mitre.org
Data Type	CVE
Data Format	MITRE
Data Version	4.0
Problem Type	CWE-362
CVE Data Version	4.0

Base Metric V2

CVSS 2 - Version	2.0
CVSS 2 - Vector String	AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector	LOCAL
CVSS 2 - Access Complexity	MEDIUM
CVSS 2 - Authentication	NONE
CVSS 2 - Confidentiality Impact	PARTIAL
CVSS 2 - Availability Impact	PARTIAL
CVSS 2 - Base Score	4.4
Severity	MEDIUM
Exploitability Score	3.4
Impact Score	6.4
Obtain All Privilege	false
Obtain User Privilege	false
Obtain Other Privilege	false

Base Metric V3

No data provided.

Configurations

OR - Configuration 1

Cpe Version	Part	Vendor	Product	Version	Update	Edition	Language	SW Edition	Target SW	Target HW	Other	Version Start Including	Version End Including	Version Start Excluding	Version End Excluding
2.3	Application	Gnu	Grub2	*	*	*	*	*	*	*	*		2.04

OR - Configuration 2

Cpe Version	Part	Vendor	Product	Version	Update	Edition	Language	SW Edition	Target SW	Target HW	Other
2.3	Application	Redhat	Enterprise Linux Atomic Host	-	*	*	*	*	*	*	*
2.3	Application	Redhat	Openshift Container Platform	4.0	*	*	*	*	*	*	*
2.3	OS	Canonical	Ubuntu Linux	14.04	*	*	*	esm	*	*	*
2.3	OS	Canonical	Ubuntu Linux	16.04	*	*	*	lts	*	*	*
2.3	OS	Canonical	Ubuntu Linux	18.04	*	*	*	lts	*	*	*
2.3	OS	Canonical	Ubuntu Linux	20.04	*	*	*	lts	*	*	*
2.3	OS	Debian	Debian Linux	10	*	*	*	*	*	*	*
2.3	OS	Redhat	Enterprise Linux	7.0	*	*	*	*	*	*	*
2.3	OS	Redhat	Enterprise Linux	8.0	*	*	*	*	*	*	*
2.3	OS	Suse	Suse Linux Enterprise Server	11	*	*	*	*	*	*	*
2.3	OS	Suse	Suse Linux Enterprise Server	12	*	*	*	*	*	*	*
2.3	OS	Suse	Suse Linux Enterprise Server	15	*	*	*	*	*	*	*

OR - Configuration 3

Cpe Version	Part	Vendor	Product	Version	Update	Edition	Language	SW Edition	Target SW	Target HW	Other
2.3	OS	Microsoft	Windows 10	-	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows 10	1607	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows 10	1709	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows 10	1803	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows 10	1809	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows 10	1903	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows 10	1909	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows 10	2004	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows 8.1	-	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows Rt 8.1	-	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows Server 2012	-	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows Server 2012	r2	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows Server 2016	-	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows Server 2016	1903	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows Server 2016	1909	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows Server 2016	2004	*	*	*	*	*	*	*
2.3	OS	Microsoft	Windows Server 2019	-	*	*	*	*	*	*	*

Vulnerable Software List

Vendor	Product	Versions
Microsoft	Windows Server 2019	-
Microsoft	Windows Server 2012	-, r2
Microsoft	Windows Server 2016	-, 1903, 1909, 2004
Microsoft	Windows 8.1	-
Microsoft	Windows 10	-, 1607, 1709, 1803, 1809, 1903, 1909, 2004
Microsoft	Windows Rt 8.1	-
Debian	Debian Linux	10
Redhat	Enterprise Linux Atomic Host	-
Redhat	Enterprise Linux	7.0, 8.0
Redhat	Openshift Container Platform	4.0
Canonical	Ubuntu Linux	14.04, 16.04, 18.04, 20.04
Gnu	Grub2	*
Suse	Suse Linux Enterprise Server	11, 12, 15

References

Name	Source	URL	Tags
http://ubuntu.com/security/notices/USN-4432-1	http://ubuntu.com/security/notices/USN-4432-1	UBUNTU	Third Party Advisory
[oss-security] 20200729 multiple secure boot grub2 and linux kernel vulnerabilities	http://www.openwall.com/lists/oss-security/2020/07/29/3	MLIST	Mailing List Third Party Advisory
https://access.redhat.com/security/vulnerabilities/grub2bootloader	https://access.redhat.com/security/vulnerabilities/grub2bootloader	REDHAT	Third Party Advisory
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html	https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html	CONFIRM	Issue Tracking Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011	CONFIRM	Third Party Advisory
https://security.netapp.com/advisory/ntap-20200731-0008/	https://security.netapp.com/advisory/ntap-20200731-0008/	CONFIRM	Third Party Advisory
USN-4432-1	https://usn.ubuntu.com/4432-1/	UBUNTU
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass	https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass	UBUNTU	Third Party Advisory
DSA-4735	https://www.debian.org/security/2020/dsa-4735	DEBIAN	Third Party Advisory
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot	https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot	DEBIAN	Third Party Advisory
https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/	https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/	CONFIRM	Exploit Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/07/29/3	https://www.openwall.com/lists/oss-security/2020/07/29/3	CONFIRM	Mailing List Third Party Advisory
https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/	https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/	SUSE	Third Party Advisory
https://www.suse.com/support/kb/doc/?id=000019673	https://www.suse.com/support/kb/doc/?id=000019673	SUSE	Third Party Advisory