Test ID:	1.3.6.1.4.1.25623.1.1.10.2021.0315
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2021-0315)
Summary:	The remote host is missing an update for the 'grub2' package(s) announced via the MGASA-2021-0315 advisory.
Description:	Summary: The remote host is missing an update for the 'grub2' package(s) announced via the MGASA-2021-0315 advisory. Vulnerability Insight: All CVEs below are against the SecureBoot functionality in GRUB2. We do not ship this as part of Mageia. Therefore, we ship an updated grub2 package to 2.06 for Mageia 8 fixing upstream bugfixes. A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (CVE-2020-10713). In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process (CVE-2020-14308). There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. The name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data (CVE-2020-14309). There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow (CVE-2020-14310). There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow (CVE-2020-14311). A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'grub2' package(s) on Mageia 8. Solution: Please install the updated package(s). CVSS Score: 7.2 CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2020-10713 CERT/CC vulnerability note: VU#174059 https://www.kb.cert.org/vuls/id/174059 Cisco Security Advisory: 20200804 GRUB2 Arbitrary Code Execution Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-grub2-code-exec-xLePCAPY Debian Security Information: DSA-4735 (Google Search) https://www.debian.org/security/2020/dsa-4735 https://security.gentoo.org/glsa/202104-05 https://cve.openeuler.org/#/CVEInfo/CVE-2020-10713 https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ https://kb.vmware.com/s/article/80181 https://bugzilla.redhat.com/show_bug.cgi?id=1825243 http://www.openwall.com/lists/oss-security/2020/07/29/3 SuSE Security Announcement: openSUSE-SU-2020:1168 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html SuSE Security Announcement: openSUSE-SU-2020:1169 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html https://usn.ubuntu.com/4432-1/ Common Vulnerability Exposure (CVE) ID: CVE-2020-14308 https://bugzilla.redhat.com/show_bug.cgi?id=1852009 http://www.openwall.com/lists/oss-security/2021/09/17/2 http://www.openwall.com/lists/oss-security/2021/09/17/4 http://www.openwall.com/lists/oss-security/2021/09/21/1 Common Vulnerability Exposure (CVE) ID: CVE-2020-14309 https://bugzilla.redhat.com/show_bug.cgi?id=1852022 Common Vulnerability Exposure (CVE) ID: CVE-2020-14310 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310 Common Vulnerability Exposure (CVE) ID: CVE-2020-14311 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14311 Common Vulnerability Exposure (CVE) ID: CVE-2020-14372 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZWZ36QK4IKU6MWDWNOOWKPH3WXZBHT2R/ https://access.redhat.com/security/vulnerabilities/RHSB-2021-003 https://bugzilla.redhat.com/show_bug.cgi?id=1873150 Common Vulnerability Exposure (CVE) ID: CVE-2020-15705 https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ https://www.openwall.com/lists/oss-security/2020/07/29/3 Debian Security Information: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot (Google Search) https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot http://www.openwall.com/lists/oss-security/2021/03/02/3 RedHat Security Advisories: https://access.redhat.com/security/vulnerabilities/grub2bootloader https://access.redhat.com/security/vulnerabilities/grub2bootloader SuSE Security Announcement: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ (Google Search) https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ SuSE Security Announcement: https://www.suse.com/support/kb/doc/?id=000019673 (Google Search) https://www.suse.com/support/kb/doc/?id=000019673 SuSE Security Announcement: openSUSE-SU-2020:1280 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00067.html SuSE Security Announcement: openSUSE-SU-2020:1282 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html http://ubuntu.com/security/notices/USN-4432-1 https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass Common Vulnerability Exposure (CVE) ID: CVE-2020-15706 Common Vulnerability Exposure (CVE) ID: CVE-2020-15707 Common Vulnerability Exposure (CVE) ID: CVE-2020-25632 https://bugzilla.redhat.com/show_bug.cgi?id=1879577 Common Vulnerability Exposure (CVE) ID: CVE-2020-25647 https://bugzilla.redhat.com/show_bug.cgi?id=1886936 Common Vulnerability Exposure (CVE) ID: CVE-2020-27749 https://bugzilla.redhat.com/show_bug.cgi?id=1899966 Common Vulnerability Exposure (CVE) ID: CVE-2020-27779 https://bugzilla.redhat.com/show_bug.cgi?id=1900698 Common Vulnerability Exposure (CVE) ID: CVE-2021-20225 https://bugzilla.redhat.com/show_bug.cgi?id=1924696 Common Vulnerability Exposure (CVE) ID: CVE-2021-20233 https://bugzilla.redhat.com/show_bug.cgi?id=1926263
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.