https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14311

USN-4432-1

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3274 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3271 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3276 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3273 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3275 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the grub2 package has been released.

The remote Windows host is missing an update to the Secure Boot DBX. It is, therefore, affected by multiple vulnerabilities:

  - A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and     tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In     order to load an untrusted or modified kernel, an attacker would first need to establish access to the     system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote     access to a networked system with root access. With this access, an attacker could then craft a string to     cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within     GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as     system availability. (CVE-2020-10713)

  - In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows     on the requested allocation size. This leads the function to return invalid memory allocations which can     be further used to cause possible integrity, confidentiality and availability impacts during the boot     process. (CVE-2020-14308)

  - GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be     bypassed. This only affects systems where the kernel signing certificate has been imported directly into     the secure boot database and the GRUB image is booted directly without the use of shim. This issue     affects GRUB2 version 2.04 and prior versions. (CVE-2020-15705)

Additionally, the host is affected by several other security feature bypasses in Secure Boot.

Note: Tenable is testing for the presence of the expected signatures added in the DBX update referenced in the vendor advisory.

The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:3217 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3217 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3216 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3223 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3227 advisory.

  - grub2: Crafted grub.cfg file can lead to arbitrary code     execution during boot process (CVE-2020-10713)

  - grub2: grub_malloc does not validate allocation size     allowing for arithmetic overflow and subsequent heap-     based buffer overflow (CVE-2020-14308)

  - grub2: Integer overflow in grub_squash_read_symlink may     lead to heap-based buffer overflow (CVE-2020-14309)

  - grub2: Integer overflow read_section_as_string may lead     to heap-based buffer overflow (CVE-2020-14310)

  - grub2: Integer overflow in grub_ext2_read_link leads to     heap-based buffer overflow (CVE-2020-14311)

  - grub2: Fail kernel validation without shim protocol     (CVE-2020-15705)

  - grub2: Use-after-free redefining a function whilst the     same function is already executing (CVE-2020-15706)

  - grub2: Integer overflow in initrd size handling     (CVE-2020-15707)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Jesse Michael and Mickey Shkatov discovered that the configuration parser in GRUB2 did not properly exit when errors were discovered, resulting in heap-based buffer overflows. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. (CVE-2020-10713)

Chris Coulson discovered that the GRUB2 function handling code did not properly handle a function being redefined, leading to a use-after-free vulnerability. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
(CVE-2020-15706)

Chris Coulson discovered that multiple integer overflows existed in GRUB2 when handling certain filesystems or font files, leading to heap-based buffer overflows. A local attacker could use these to execute arbitrary code and bypass UEFI Secure Boot restrictions.
(CVE-2020-14309, CVE-2020-14310, CVE-2020-14311)

It was discovered that the memory allocator for GRUB2 did not validate allocation size, resulting in multiple integer overflows and heap-based buffer overflows when handling certain filesystems, PNG images or disk metadata. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
(CVE-2020-14308)

Mathieu Trudel-Lapierre discovered that in certain situations, GRUB2 failed to validate kernel signatures. A local attacker could use this to bypass Secure Boot restrictions. (CVE-2020-15705)

Colin Watson and Chris Coulson discovered that an integer overflow existed in GRUB2 when handling the initrd command, leading to a heap-based buffer overflow. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.
(CVE-2020-15707).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for grub2 fixes the following issues :

Fix for CVE-2020-10713 (bsc#1168994)

Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812)

Fix for CVE-2020-15706 (bsc#1174463)

Fix for CVE-2020-15707 (bsc#1174570)

Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data

Use grub_calloc for overflow check and return NULL when it would occur

Use gcc-9 compiler for overflow check builtins

Backport gcc-9 build fixes

Fix packed-not-aligned error on GCC 8 (bsc#1084632)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for grub2 fixes the following issues :

Fix for CVE-2020-10713 (bsc#1168994)

Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812)

Fix for CVE-2020-15706 (bsc#1174463)

Fix for CVE-2020-15707 (bsc#1174570)

Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data

Use grub_calloc for overflow check and return NULL when it would occur

Use gcc-9 compiler for overflow check builtins

Backport gcc-9 build fixes

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for grub2 fixes the following issues :

CVE-2020-10713 (bsc#1168994)

CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812)

CVE-2020-15706 (bsc#1174463)

CVE-2020-15707 (bsc#1174570)

Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data

Use grub_calloc for overflow check and return NULL when it would occur

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for grub2 fixes the following issues :

Fix for CVE-2020-10713 (bsc#1168994)

Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812)

Fix for CVE-2020-15706 (bsc#1174463)

Fix for CVE-2020-15707 (bsc#1174570)

Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data

Use gcc-9 compiler for overflow check builtins

Backport gcc-9 build fixes

Fix packed-not-aligned error on GCC 8 (bsc#1084632)

Backport gcc-7 build fixes

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for grub2 fixes the following issues :

Fix for CVE-2020-10713 (bsc#1168994)

Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812)

Fix for CVE-2020-15706 (bsc#1174463)

Fix for CVE-2020-15707 (bsc#1174570)

Use overflow checking primitives where the arithmetic expression for buffer

Use grub_calloc for overflow check and return NULL when it would occur

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

[2.02-82.0.2.el8_2.1]
- Fix CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707 [Orabug: 31225072]
- Update signing certificate for efi binaries

Description of changes:

[2.02-81.0.3]
- Fix CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707 [Orabug: 31225072]
- Update signing certificate for efi binaries

Several vulnerabilities have been discovered in the GRUB2 bootloader.

  - CVE-2020-10713     A flaw in the grub.cfg parsing code was found allowing     to break UEFI Secure Boot and load arbitrary code.
    Details can be found at     https://www.eclypsium.com/2020/07/29/theres-a-hole-in-th     e-boot/

  - CVE-2020-14308     It was discovered that grub_malloc does not validate the     allocation size allowing for arithmetic overflow and     subsequently a heap-based buffer overflow.

  - CVE-2020-14309     An integer overflow in grub_squash_read_symlink may lead     to a heap based buffer overflow.

  - CVE-2020-14310     An integer overflow in read_section_from_string may lead     to a heap based buffer overflow.

  - CVE-2020-14311     An integer overflow in grub_ext2_read_link may lead to a     heap-based buffer overflow.

  - CVE-2020-15706     script: Avoid a use-after-free when redefining a     function during execution.

  - CVE-2020-15707     An integer overflow flaw was found in the initrd size     handling.

Further detailed information can be found at https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot

ID	Name	Product	Family	Severity
139294	RHEL 7 : grub2 (RHSA-2020:3274)	Nessus	Red Hat Local Security Checks	high
139288	RHEL 7 : grub2 (RHSA-2020:3271)	Nessus	Red Hat Local Security Checks	high
139287	RHEL 7 : grub2 (RHSA-2020:3276)	Nessus	Red Hat Local Security Checks	high
139284	RHEL 7 : grub2 (RHSA-2020:3273)	Nessus	Red Hat Local Security Checks	high
139283	RHEL 7 : grub2 (RHSA-2020:3275)	Nessus	Red Hat Local Security Checks	high
139243	Photon OS 2.0: Grub2 PHSA-2020-2.0-0267	Nessus	PhotonOS Local Security Checks	high
139242	Photon OS 1.0: Grub2 PHSA-2020-1.0-0311	Nessus	PhotonOS Local Security Checks	high
139239	Windows Security Feature Bypass in Secure Boot (BootHole)	Nessus	Windows	high
139236	CentOS 7 : grub2 (CESA-2020:3217)	Nessus	CentOS Local Security Checks	high
139198	RHEL 7 : grub2 (RHSA-2020:3217)	Nessus	Red Hat Local Security Checks	high
139194	RHEL 8 : grub2 (RHSA-2020:3216)	Nessus	Red Hat Local Security Checks	high
139193	RHEL 8 : grub2 (RHSA-2020:3223)	Nessus	Red Hat Local Security Checks	high
139192	RHEL 8 : grub2 (RHSA-2020:3227)	Nessus	Red Hat Local Security Checks	high
139179	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 : grub2, grub2-signed vulnerabilities (USN-4432-1)	Nessus	Ubuntu Local Security Checks	high
139178	SUSE SLES12 Security Update : grub2 (SUSE-SU-2020:2079-1)	Nessus	SuSE Local Security Checks	high
139177	SUSE SLES12 Security Update : grub2 (SUSE-SU-2020:2078-1)	Nessus	SuSE Local Security Checks	high
139176	SUSE SLED15 / SLES15 Security Update : grub2 (SUSE-SU-2020:2077-1)	Nessus	SuSE Local Security Checks	high
139175	SUSE SLES12 Security Update : grub2 (SUSE-SU-2020:2076-1)	Nessus	SuSE Local Security Checks	high
139174	SUSE SLED15 / SLES15 Security Update : grub2 (SUSE-SU-2020:2074-1)	Nessus	SuSE Local Security Checks	high
139173	SUSE SLES15 Security Update : grub2 (SUSE-SU-2020:2073-1)	Nessus	SuSE Local Security Checks	high
139165	Oracle Linux 8 : grub2 (ELSA-2020-5786)	Nessus	Oracle Linux Local Security Checks	high
139164	Oracle Linux 7 : grub2 (ELSA-2020-5782)	Nessus	Oracle Linux Local Security Checks	high
139099	Debian DSA-4735-1 : grub2 - security update	Nessus	Debian Local Security Checks	high

CVE-2020-14311

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins