GLSA-201512-03 : GRUB: Authentication bypass
Medium Nessus Plugin ID 87516
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-201512-03 (GRUB: Authentication bypass).
An integer underflow in GRUB’s username/password authentication code has been discovered.
An attacker with access to the system console may bypass the username prompt by entering a sequence of backspace characters, allowing them, for example, to get full access to GRUB’s console or to load a customized kernel.
There is no known workaround at this time.
Solution
All GRUB 2.x users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=sys-boot/grub-2.02_beta2-r8'
After upgrading, make sure to run the grub2-install command with options appropriate for your system. See the GRUB2 Quick Start guide in the references below for examples. Your system will be vulnerable until this action is performed.