Windows Security Feature Bypass in Secure Boot (BootHole)

High Nessus Plugin ID 139239

Synopsis

The remote Windows host is affected by multiple vulnerabilities.

Description

The remote Windows host is missing an update to the Secure Boot DBX. It is, therefore, affected by multiple vulnerabilities:

- A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-10713)

- In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process. (CVE-2020-14308)

- GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions. (CVE-2020-15705)

Additionally, the host is affected by several other security feature bypasses in Secure Boot.

Note: Tenable is testing for the presence of the expected signatures added in the DBX update referenced in the vendor advisory.

Solution

Refer to the vendor advisory for guidance.

See Also

http://www.nessus.org/u?6f75665a

http://www.nessus.org/u?840ba26f

Plugin Details

Severity: High

ID: 139239

File Name: windows_uefi_boothole.nbin

Version: 1.3

Type: local

Agent: windows

Family: Windows

Published: 2020/07/31

Updated: 2020/08/04

Dependencies: 34096, 13855

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2020-14308

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows

Required KB Items: SMB/WMI/Available

Exploit Ease: No known exploits are available

Patch Publication Date: 2020/07/29

Vulnerability Publication Date: 2020/07/29

Reference Information

CVE: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707

IAVA: 2020-A-0349