CVE-2020-15707 - Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efili

CVE-2020-15707

Summary

Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions.

References

Vulnerable Configurations

cpe:2.3:a:gnu:grub2:-:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:-:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:1.98:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:1.98:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:1.99:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:1.99:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.00:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.00:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.01:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.01:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.02:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.02:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.04:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.04:*:*:*:*:*:*:*
cpe:2.3:a:redhat:enterprise_linux_atomic_host:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:enterprise_linux_atomic_host:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux_enterprise_server:11:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux_enterprise_server:11:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux_enterprise_server:15:*:*:*:*:*:*:*
cpe:2.3:o:suse:suse_linux_enterprise_server:15:*:*:*:*:*:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:9.5:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:9.5:*:*:*:*:vmware_vsphere:*:*

CVSS

Base:	4.4 (as of 13-09-2021 - 14:25)
Impact:
Exploitability:

CWE

CWE-190

CAPEC

Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Access

Vector	Complexity	Authentication
LOCAL	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:L/AC:M/Au:N/C:P/I:P/A:P

redhat via4

advisories

bugzilla

id	1861581
title	CVE-2020-15707 grub2: Integer overflow in initrd size handling

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 8 is installed
oval oval:com.redhat.rhba:tst:20193384074

AND

comment shim-unsigned-x64 is earlier than 0:15-7.el8
oval oval:com.redhat.rhsa:tst:20203216001
comment shim-unsigned-x64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203216002

AND
comment shim-aa64 is earlier than 0:15-14.el8_2
oval oval:com.redhat.rhsa:tst:20203216003
comment shim-aa64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203216004
AND
comment shim-ia32 is earlier than 0:15-14.el8_2
oval oval:com.redhat.rhsa:tst:20203216005
comment shim-ia32 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203216006
AND
comment shim-x64 is earlier than 0:15-14.el8_2
oval oval:com.redhat.rhsa:tst:20203216007
comment shim-x64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203216008
AND
comment fwupd is earlier than 0:1.1.4-7.el8_2
oval oval:com.redhat.rhsa:tst:20203216009
comment fwupd is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183140754

AND

comment fwupd-debugsource is earlier than 0:1.1.4-7.el8_2
oval oval:com.redhat.rhsa:tst:20203216011
comment fwupd-debugsource is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203216012

AND
comment grub2-common is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216013
comment grub2-common is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335002

AND

comment grub2-debugsource is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216015
comment grub2-debugsource is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335004

AND

comment grub2-efi-aa64 is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216017
comment grub2-efi-aa64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335006

AND

comment grub2-efi-aa64-cdboot is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216019
comment grub2-efi-aa64-cdboot is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335008

AND

comment grub2-efi-aa64-modules is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216021
comment grub2-efi-aa64-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335010

AND

comment grub2-efi-ia32 is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216023
comment grub2-efi-ia32 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335012

AND

comment grub2-efi-ia32-cdboot is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216025
comment grub2-efi-ia32-cdboot is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335014

AND

comment grub2-efi-ia32-modules is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216027
comment grub2-efi-ia32-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335016

AND

comment grub2-efi-x64 is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216029
comment grub2-efi-x64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335018

AND

comment grub2-efi-x64-cdboot is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216031
comment grub2-efi-x64-cdboot is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335020

AND

comment grub2-efi-x64-modules is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216033
comment grub2-efi-x64-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335022

AND
comment grub2-pc is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216035
comment grub2-pc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335024

AND

comment grub2-pc-modules is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216037
comment grub2-pc-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335026

AND

comment grub2-ppc64le is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216039
comment grub2-ppc64le is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335028

AND

comment grub2-ppc64le-modules is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216041
comment grub2-ppc64le-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335030

AND
comment grub2-tools is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216043
comment grub2-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152401008

AND

comment grub2-tools-efi is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216045
comment grub2-tools-efi is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335034

AND

comment grub2-tools-extra is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216047
comment grub2-tools-extra is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335036

AND

comment grub2-tools-minimal is earlier than 1:2.02-87.el8_2
oval oval:com.redhat.rhsa:tst:20203216049
comment grub2-tools-minimal is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335038

rhsa

id	RHSA-2020:3216
released	2020-07-29
severity	Moderate
title	RHSA-2020:3216: grub2 security update (Moderate)

bugzilla

id	1861581
title	CVE-2020-15707 grub2: Integer overflow in initrd size handling

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND

comment shim-unsigned-ia32 is earlier than 0:15-7.el7_9
oval oval:com.redhat.rhsa:tst:20203217001
comment shim-unsigned-ia32 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203217002

AND

comment shim-unsigned-x64 is earlier than 0:15-7.el7_9
oval oval:com.redhat.rhsa:tst:20203217003
comment shim-unsigned-x64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203216002

AND
comment fwupdate is earlier than 0:12-6.el7_8
oval oval:com.redhat.rhsa:tst:20203217005
comment fwupdate is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183140078
AND
comment fwupdate-devel is earlier than 0:12-6.el7_8
oval oval:com.redhat.rhsa:tst:20203217007
comment fwupdate-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183140080
AND
comment fwupdate-efi is earlier than 0:12-6.el7_8
oval oval:com.redhat.rhsa:tst:20203217009
comment fwupdate-efi is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183140082
AND
comment fwupdate-libs is earlier than 0:12-6.el7_8
oval oval:com.redhat.rhsa:tst:20203217011
comment fwupdate-libs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183140084
AND
comment grub2 is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217013
comment grub2 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152401002

AND

comment grub2-common is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217015
comment grub2-common is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335002

AND

comment grub2-efi-aa64-modules is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217017
comment grub2-efi-aa64-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335010

AND

comment grub2-efi-ia32 is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217019
comment grub2-efi-ia32 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335012

AND

comment grub2-efi-ia32-cdboot is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217021
comment grub2-efi-ia32-cdboot is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335014

AND

comment grub2-efi-ia32-modules is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217023
comment grub2-efi-ia32-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335016

AND

comment grub2-efi-x64 is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217025
comment grub2-efi-x64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335018

AND

comment grub2-efi-x64-cdboot is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217027
comment grub2-efi-x64-cdboot is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335020

AND

comment grub2-efi-x64-modules is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217029
comment grub2-efi-x64-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335022

AND
comment grub2-pc is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217031
comment grub2-pc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335024

AND

comment grub2-pc-modules is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217033
comment grub2-pc-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335026

AND

comment grub2-ppc-modules is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217035
comment grub2-ppc-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203217036

AND
comment grub2-ppc64 is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217037
comment grub2-ppc64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203217038

AND

comment grub2-ppc64-modules is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217039
comment grub2-ppc64-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203217040

AND

comment grub2-ppc64le is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217041
comment grub2-ppc64le is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335028

AND

comment grub2-ppc64le-modules is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217043
comment grub2-ppc64le-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335030

AND
comment grub2-tools is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217045
comment grub2-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152401008

AND

comment grub2-tools-extra is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217047
comment grub2-tools-extra is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335036

AND

comment grub2-tools-minimal is earlier than 1:2.02-0.86.el7_8
oval oval:com.redhat.rhsa:tst:20203217049
comment grub2-tools-minimal is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20200335038

AND
comment mokutil is earlier than 0:15-7.el7_8
oval oval:com.redhat.rhsa:tst:20203217051
comment mokutil is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20141801002
AND
comment shim-ia32 is earlier than 0:15-7.el7_8
oval oval:com.redhat.rhsa:tst:20203217053
comment shim-ia32 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203216006
AND
comment shim-x64 is earlier than 0:15-7.el7_8
oval oval:com.redhat.rhsa:tst:20203217055
comment shim-x64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20203216008

rhsa

id	RHSA-2020:3217
released	2020-07-29
severity	Moderate
title	RHSA-2020:3217: grub2 security and bug fix update (Moderate)

rhsa
id https://access.redhat.com/security/vulnerabilities/grub2bootloader

rpms

fwupd-0:1.1.4-7.el8_2
fwupd-debuginfo-0:1.1.4-7.el8_2
fwupd-debugsource-0:1.1.4-7.el8_2
grub2-common-1:2.02-87.el8_2
grub2-debuginfo-1:2.02-87.el8_2
grub2-debugsource-1:2.02-87.el8_2
grub2-efi-aa64-1:2.02-87.el8_2
grub2-efi-aa64-cdboot-1:2.02-87.el8_2
grub2-efi-aa64-modules-1:2.02-87.el8_2
grub2-efi-ia32-1:2.02-87.el8_2
grub2-efi-ia32-cdboot-1:2.02-87.el8_2
grub2-efi-ia32-modules-1:2.02-87.el8_2
grub2-efi-x64-1:2.02-87.el8_2
grub2-efi-x64-cdboot-1:2.02-87.el8_2
grub2-efi-x64-modules-1:2.02-87.el8_2
grub2-pc-1:2.02-87.el8_2
grub2-pc-modules-1:2.02-87.el8_2
grub2-ppc64le-1:2.02-87.el8_2
grub2-ppc64le-modules-1:2.02-87.el8_2
grub2-tools-1:2.02-87.el8_2
grub2-tools-debuginfo-1:2.02-87.el8_2
grub2-tools-efi-1:2.02-87.el8_2
grub2-tools-efi-debuginfo-1:2.02-87.el8_2
grub2-tools-extra-1:2.02-87.el8_2
grub2-tools-extra-debuginfo-1:2.02-87.el8_2
grub2-tools-minimal-1:2.02-87.el8_2
grub2-tools-minimal-debuginfo-1:2.02-87.el8_2
shim-aa64-0:15-14.el8_2
shim-ia32-0:15-14.el8_2
shim-unsigned-x64-0:15-7.el8
shim-x64-0:15-14.el8_2
fwupdate-0:12-6.el7_8
fwupdate-debuginfo-0:12-6.el7_8
fwupdate-devel-0:12-6.el7_8
fwupdate-efi-0:12-6.el7_8
fwupdate-libs-0:12-6.el7_8
grub2-1:2.02-0.86.el7_8
grub2-common-1:2.02-0.86.el7_8
grub2-debuginfo-1:2.02-0.86.el7_8
grub2-efi-aa64-modules-1:2.02-0.86.el7_8
grub2-efi-ia32-1:2.02-0.86.el7_8
grub2-efi-ia32-cdboot-1:2.02-0.86.el7_8
grub2-efi-ia32-modules-1:2.02-0.86.el7_8
grub2-efi-x64-1:2.02-0.86.el7_8
grub2-efi-x64-cdboot-1:2.02-0.86.el7_8
grub2-efi-x64-modules-1:2.02-0.86.el7_8
grub2-pc-1:2.02-0.86.el7_8
grub2-pc-modules-1:2.02-0.86.el7_8
grub2-ppc-modules-1:2.02-0.86.el7_8
grub2-ppc64-1:2.02-0.86.el7_8
grub2-ppc64-modules-1:2.02-0.86.el7_8
grub2-ppc64le-1:2.02-0.86.el7_8
grub2-ppc64le-modules-1:2.02-0.86.el7_8
grub2-tools-1:2.02-0.86.el7_8
grub2-tools-extra-1:2.02-0.86.el7_8
grub2-tools-minimal-1:2.02-0.86.el7_8
mokutil-0:15-7.el7_8
mokutil-debuginfo-0:15-7.el7_8
shim-ia32-0:15-7.el7_8
shim-unsigned-aa64-debuginfo-0:15-7.el7_9
shim-unsigned-ia32-0:15-7.el7_9
shim-unsigned-ia32-debuginfo-0:15-7.el7_9
shim-unsigned-x64-0:15-7.el7_9
shim-unsigned-x64-debuginfo-0:15-7.el7_9
shim-x64-0:15-7.el7_8
fwupd-0:1.1.4-2.el8_1
fwupd-debuginfo-0:1.1.4-2.el8_1
fwupd-debugsource-0:1.1.4-2.el8_1
grub2-common-1:2.02-87.el8_1
grub2-debuginfo-1:2.02-87.el8_1
grub2-debugsource-1:2.02-87.el8_1
grub2-efi-aa64-1:2.02-87.el8_1
grub2-efi-aa64-cdboot-1:2.02-87.el8_1
grub2-efi-aa64-modules-1:2.02-87.el8_1
grub2-efi-ia32-1:2.02-87.el8_1
grub2-efi-ia32-cdboot-1:2.02-87.el8_1
grub2-efi-ia32-modules-1:2.02-87.el8_1
grub2-efi-x64-1:2.02-87.el8_1
grub2-efi-x64-cdboot-1:2.02-87.el8_1
grub2-efi-x64-modules-1:2.02-87.el8_1
grub2-pc-1:2.02-87.el8_1
grub2-pc-modules-1:2.02-87.el8_1
grub2-ppc64le-1:2.02-87.el8_1
grub2-ppc64le-modules-1:2.02-87.el8_1
grub2-tools-1:2.02-87.el8_1
grub2-tools-debuginfo-1:2.02-87.el8_1
grub2-tools-efi-1:2.02-87.el8_1
grub2-tools-efi-debuginfo-1:2.02-87.el8_1
grub2-tools-extra-1:2.02-87.el8_1
grub2-tools-extra-debuginfo-1:2.02-87.el8_1
grub2-tools-minimal-1:2.02-87.el8_1
grub2-tools-minimal-debuginfo-1:2.02-87.el8_1
shim-aa64-0:15-14.el8_1
shim-ia32-0:15-14.el8_1
shim-unsigned-x64-0:15-7.el8
shim-x64-0:15-14.el8_1
fwupd-0:1.1.4-2.el8_0
fwupd-debuginfo-0:1.1.4-2.el8_0
fwupd-debugsource-0:1.1.4-2.el8_0
grub2-common-1:2.02-87.el8_0
grub2-debuginfo-1:2.02-87.el8_0
grub2-debugsource-1:2.02-87.el8_0
grub2-efi-aa64-modules-1:2.02-87.el8_0
grub2-efi-ia32-1:2.02-87.el8_0
grub2-efi-ia32-cdboot-1:2.02-87.el8_0
grub2-efi-ia32-modules-1:2.02-87.el8_0
grub2-efi-x64-1:2.02-87.el8_0
grub2-efi-x64-cdboot-1:2.02-87.el8_0
grub2-efi-x64-modules-1:2.02-87.el8_0
grub2-pc-1:2.02-87.el8_0
grub2-pc-modules-1:2.02-87.el8_0
grub2-ppc64le-1:2.02-87.el8_0
grub2-ppc64le-modules-1:2.02-87.el8_0
grub2-tools-1:2.02-87.el8_0
grub2-tools-debuginfo-1:2.02-87.el8_0
grub2-tools-efi-1:2.02-87.el8_0
grub2-tools-efi-debuginfo-1:2.02-87.el8_0
grub2-tools-extra-1:2.02-87.el8_0
grub2-tools-extra-debuginfo-1:2.02-87.el8_0
grub2-tools-minimal-1:2.02-87.el8_0
grub2-tools-minimal-debuginfo-1:2.02-87.el8_0
shim-ia32-0:15-14.el8_0
shim-x64-0:15-14.el8_0
fwupdate-0:12-6.el7_6
fwupdate-debuginfo-0:12-6.el7_6
fwupdate-devel-0:12-6.el7_6
fwupdate-efi-0:12-6.el7_6
fwupdate-libs-0:12-6.el7_6
grub2-1:2.02-0.86.el7_6
grub2-common-1:2.02-0.86.el7_6
grub2-debuginfo-1:2.02-0.86.el7_6
grub2-efi-aa64-1:2.02-0.86.el7_6
grub2-efi-aa64-cdboot-1:2.02-0.86.el7_6
grub2-efi-aa64-modules-1:2.02-0.86.el7_6
grub2-efi-ia32-1:2.02-0.86.el7_6
grub2-efi-ia32-cdboot-1:2.02-0.86.el7_6
grub2-efi-ia32-modules-1:2.02-0.86.el7_6
grub2-efi-x64-1:2.02-0.86.el7_6
grub2-efi-x64-cdboot-1:2.02-0.86.el7_6
grub2-efi-x64-modules-1:2.02-0.86.el7_6
grub2-pc-1:2.02-0.86.el7_6
grub2-pc-modules-1:2.02-0.86.el7_6
grub2-ppc-modules-1:2.02-0.86.el7_6
grub2-ppc64-1:2.02-0.86.el7_6
grub2-ppc64-modules-1:2.02-0.86.el7_6
grub2-ppc64le-1:2.02-0.86.el7_6
grub2-ppc64le-modules-1:2.02-0.86.el7_6
grub2-tools-1:2.02-0.86.el7_6
grub2-tools-extra-1:2.02-0.86.el7_6
grub2-tools-minimal-1:2.02-0.86.el7_6
mokutil-0:15-8.el7_6
mokutil-debuginfo-0:15-8.el7_6
shim-aa64-0:15-8.el7_6
shim-ia32-0:15-8.el7_6
shim-unsigned-aa64-0:15-8.el7
shim-unsigned-aa64-debuginfo-0:15-8.el7
shim-unsigned-ia32-0:15-8.el7
shim-unsigned-ia32-debuginfo-0:15-8.el7
shim-unsigned-x64-0:15-8.el7
shim-unsigned-x64-debuginfo-0:15-8.el7
shim-x64-0:15-8.el7_6
fwupdate-0:12-6.el7_7
fwupdate-debuginfo-0:12-6.el7_7
fwupdate-devel-0:12-6.el7_7
fwupdate-efi-0:12-6.el7_7
fwupdate-libs-0:12-6.el7_7
grub2-1:2.02-0.86.el7_7
grub2-common-1:2.02-0.86.el7_7
grub2-debuginfo-1:2.02-0.86.el7_7
grub2-efi-aa64-modules-1:2.02-0.86.el7_7
grub2-efi-ia32-1:2.02-0.86.el7_7
grub2-efi-ia32-cdboot-1:2.02-0.86.el7_7
grub2-efi-ia32-modules-1:2.02-0.86.el7_7
grub2-efi-x64-1:2.02-0.86.el7_7
grub2-efi-x64-cdboot-1:2.02-0.86.el7_7
grub2-efi-x64-modules-1:2.02-0.86.el7_7
grub2-pc-1:2.02-0.86.el7_7
grub2-pc-modules-1:2.02-0.86.el7_7
grub2-ppc-modules-1:2.02-0.86.el7_7
grub2-ppc64-1:2.02-0.86.el7_7
grub2-ppc64-modules-1:2.02-0.86.el7_7
grub2-ppc64le-1:2.02-0.86.el7_7
grub2-ppc64le-modules-1:2.02-0.86.el7_7
grub2-tools-1:2.02-0.86.el7_7
grub2-tools-extra-1:2.02-0.86.el7_7
grub2-tools-minimal-1:2.02-0.86.el7_7
mokutil-0:15-8.el7_7
mokutil-debuginfo-0:15-8.el7_7
shim-ia32-0:15-8.el7_7
shim-unsigned-aa64-debuginfo-0:15-8.el7
shim-unsigned-ia32-0:15-8.el7
shim-unsigned-ia32-debuginfo-0:15-8.el7
shim-unsigned-x64-0:15-8.el7
shim-unsigned-x64-debuginfo-0:15-8.el7
shim-x64-0:15-8.el7_7
fwupdate-0:9-10.el7_4
fwupdate-debuginfo-0:9-10.el7_4
fwupdate-devel-0:9-10.el7_4
fwupdate-efi-0:9-10.el7_4
fwupdate-libs-0:9-10.el7_4
grub2-1:2.02-0.86.el7_4
grub2-common-1:2.02-0.86.el7_4
grub2-debuginfo-1:2.02-0.86.el7_4
grub2-efi-aa64-modules-1:2.02-0.86.el7_4
grub2-efi-ia32-1:2.02-0.86.el7_4
grub2-efi-ia32-cdboot-1:2.02-0.86.el7_4
grub2-efi-ia32-modules-1:2.02-0.86.el7_4
grub2-efi-x64-1:2.02-0.86.el7_4
grub2-efi-x64-cdboot-1:2.02-0.86.el7_4
grub2-efi-x64-modules-1:2.02-0.86.el7_4
grub2-pc-1:2.02-0.86.el7_4
grub2-pc-modules-1:2.02-0.86.el7_4
grub2-ppc-modules-1:2.02-0.86.el7_4
grub2-ppc64-modules-1:2.02-0.86.el7_4
grub2-ppc64le-1:2.02-0.86.el7_4
grub2-ppc64le-modules-1:2.02-0.86.el7_4
grub2-tools-1:2.02-0.86.el7_4
grub2-tools-extra-1:2.02-0.86.el7_4
grub2-tools-minimal-1:2.02-0.86.el7_4
mokutil-0:15-8.el7_4
mokutil-debuginfo-0:15-8.el7_4
shim-ia32-0:15-8.el7_4
shim-unsigned-ia32-0:15-8.el7
shim-unsigned-ia32-debuginfo-0:15-8.el7
shim-unsigned-x64-0:15-8.el7
shim-unsigned-x64-debuginfo-0:15-8.el7
shim-x64-0:15-8.el7_4
grub2-1:2.02-0.86.el7
grub2-common-1:2.02-0.86.el7
grub2-debuginfo-1:2.02-0.86.el7
grub2-efi-aa64-modules-1:2.02-0.86.el7
grub2-efi-ia32-1:2.02-0.86.el7
grub2-efi-ia32-cdboot-1:2.02-0.86.el7
grub2-efi-ia32-modules-1:2.02-0.86.el7
grub2-efi-x64-1:2.02-0.86.el7
grub2-efi-x64-cdboot-1:2.02-0.86.el7
grub2-efi-x64-modules-1:2.02-0.86.el7
grub2-pc-1:2.02-0.86.el7
grub2-pc-modules-1:2.02-0.86.el7
grub2-ppc-modules-1:2.02-0.86.el7
grub2-ppc64-modules-1:2.02-0.86.el7
grub2-ppc64le-1:2.02-0.86.el7
grub2-ppc64le-modules-1:2.02-0.86.el7
grub2-tools-1:2.02-0.86.el7
grub2-tools-extra-1:2.02-0.86.el7
grub2-tools-minimal-1:2.02-0.86.el7
mokutil-0:15-8.el7_3
mokutil-debuginfo-0:15-8.el7_3
shim-0:15-8.el7_3
shim-unsigned-ia32-0:15-8.el7
shim-unsigned-x64-0:15-8.el7

refmap via4

confirm	https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 https://security.netapp.com/advisory/ntap-20200731-0008/ https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ https://www.openwall.com/lists/oss-security/2020/07/29/3
debian	DSA-4735 https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
mlist	[oss-security] 20200729 multiple secure boot grub2 and linux kernel vulnerabilities
suse	https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ https://www.suse.com/support/kb/doc/?id=000019673 openSUSE-SU-2020:1168 openSUSE-SU-2020:1169
ubuntu	USN-4432-1 http://ubuntu.com/security/notices/USN-4432-1 https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

Last major update

13-09-2021 - 14:25

Published

29-07-2020 - 18:15

Last modified

13-09-2021 - 14:25