Azure Linux 3.0 Security Update: grub2 (CVE-2020-14310)

medium Nessus Plugin ID 241853

Synopsis

The remote Azure Linux host is missing one or more security updates.

Description

The version of grub2 installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2020-14310 advisory.

- There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker May leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow. (CVE-2020-14310)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://nvd.nist.gov/vuln/detail/CVE-2020-14310

Plugin Details

Severity: Medium

ID: 241853

File Name: azure_linux_CVE-2020-14310.nasl

Version: 1.2

Type: local

Published: 7/11/2025

Updated: 7/11/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Low

Base Score: 3.6

Temporal Score: 2.7

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2020-14310

CVSS v3

Risk Factor: Medium

Base Score: 6

Temporal Score: 5.2

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: x-cpe:/o:microsoft:azure_linux, p-cpe:/a:microsoft:azure_linux:grub2, p-cpe:/a:microsoft:azure_linux:grub2-efi-binary-noprefix, p-cpe:/a:microsoft:azure_linux:grub2-efi-unsigned, p-cpe:/a:microsoft:azure_linux:grub2-efi-binary, p-cpe:/a:microsoft:azure_linux:grub2-efi, p-cpe:/a:microsoft:azure_linux:grub2-pc, p-cpe:/a:microsoft:azure_linux:grub2-tools-minimal, p-cpe:/a:microsoft:azure_linux:grub2-configuration

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/AzureLinux/release, Host/AzureLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/8/2025

Vulnerability Publication Date: 7/29/2020

Reference Information

CVE: CVE-2020-14310

IAVA: 2020-A-0349