Bug 1825243 (CVE-2020-10713)

Summary: CVE-2020-10713 grub2: Crafted grub.cfg file can lead to arbitrary code execution during boot process
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abpalaci, acaringi, bhu, blc, bmasney, bootloader-eng-team, brdeoliv, cperry, dblechte, dfediuck, dhoward, dominik.mierzejewski, dvlasenk, eedri, esammons, fhrbata, fmartine, hannsj_uhl, hkrzesin, iboverma, jlelli, jross, jshortt, jstancek, kcarcia, kernel-mgr, kyoshida, lgoncalv, lkundrak, lszubowi, matt, mbenatto, mcressma, mgoldboi, michal.skrivanek, mlangsdo, mzibrick, nlevy, nmurray, pjones, ptalbert, qzhao, rhughes, rstrode, rt-maint, rvrbovsk, sbonazzo, security-response-team, sherold, walters, williams, ymao, yozone, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: grub 2.06
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper with the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system, such as gaining physical access, obtaining the ability to alter a PXE boot network, or having remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-07-29 19:27:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1834397, 1834398, 1834399, 1834400, 1834401, 1834402, 1837417, 1837418, 1837419, 1837420, 1837422, 1837424, 1837425, 1837426, 1837427, 1837428, 1837429, 1837430, 1837431, 1837432, 1837433, 1837434, 1837435, 1837436, 1837437, 1837438, 1837439, 1837440, 1837441, 1837442, 1837443, 1860101, 1860102, 1860103, 1860105, 1860106, 1860107, 1860108, 1860109, 1860110, 1860111, 1860112, 1860113, 1860114, 1860115, 1860116, 1860117, 1860118, 1860119, 1860120, 1860121, 1860122, 1860123, 1860145, 1860146, 1860147, 1860148, 1860149, 1860150, 1860151, 1860152, 1860153, 1860154, 1860155, 1860514, 1860515, 1860516, 1860517, 1863015, 1867554, 1867555
Bug Blocks: 1822339, 1829882

Description Marco Benatto 2020-04-17 13:21:03 UTC
On grub2 up to version 2.04, it's possible to inject code and subvert the boot process via a specially crafted grub configuration file. When grubx64.efi loads the malicious configuration file, the contents of a grub_parser_param structure are overwritten with string contents from the crafted input, leading to arbitrary code execution. The boot process can be subverted even with secure boot enabled.

Comment 2 Marco Benatto 2020-04-20 20:30:25 UTC
Acknowledgments:

Name: Jesse Michael (Eclypsium), Mickey Shkatov (Eclypsium)

Comment 14 Marco Benatto 2020-07-27 14:10:03 UTC
There's an issue with the grub2 package. grub2 is configured via the grub.cfg configuration file; this file is composed of several key/value entries and is parsed when grub2 is loaded. When parsing the file, grub copies the values into an internal buffer with a predetermined size; however, when it detects that the string length is bigger than the max buffer size, grub2 doesn't abort execution, which may lead to a heap-based buffer overflow. An attacker may leverage this flaw by crafting a malicious grub.cfg file (either local or via sftp for netboot), leading to possible arbitrary code execution during the boot stage and possibly bypassing the Secure Boot mechanism if enabled.
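
The bug class the description and the comment above refer to is a length check that reports the oversized value but does not stop the copy, so parsing continues and the fixed-size buffer is overrun. The following C program is an added illustration of that pattern next to its hardened form; it is constructed example code, not grub's source. The `VALUE_MAX` size, the `arena` model of a buffer with neighbouring heap data behind it, the `parse_config` helper and the sample configuration are all assumptions chosen so the overrun is observable (as corrupted neighbour bytes) without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_MAX   16   /* assumed: fixed-size internal buffer for one config value */
#define CANARY_LEN  8
#define STORAGE_LEN 64   /* constructed: value buffer followed by neighbouring data */

static const char CANARY[CANARY_LEN] = "ADJACENT";

/* Constructed model of one heap allocation: the parser's value buffer is the
   first VALUE_MAX bytes; the bytes after it stand in for neighbouring heap data. */
struct arena { char storage[STORAGE_LEN]; };

static void arena_init(struct arena *a) {
    memset(a->storage, 0, sizeof a->storage);
    memcpy(a->storage + VALUE_MAX, CANARY, CANARY_LEN);
}

/* 1 if the bytes next to the value buffer are still what we put there. */
static int arena_neighbour_intact(const struct arena *a) {
    return memcmp(a->storage + VALUE_MAX, CANARY, CANARY_LEN) == 0;
}

typedef int (*copier)(struct arena *, const char *);

/* The reported pattern: the length check only reports, execution continues,
   and the copy runs past the VALUE_MAX-byte buffer into its neighbour. */
static int copy_value_unchecked(struct arena *a, const char *value) {
    size_t len = strlen(value);
    if (len >= VALUE_MAX)
        fprintf(stderr, "error: value too long (%zu bytes)\n", len);  /* ...but no abort */
    if (len >= STORAGE_LEN)                 /* demo-only bound: keep the write inside */
        len = STORAGE_LEN - 1;              /* the arena so the program stays defined */
    memcpy(a->storage, value, len + 1);
    return 0;
}

/* Hardened form: an oversized value is rejected and the caller stops parsing. */
static int copy_value_checked(struct arena *a, const char *value) {
    size_t len = strlen(value);
    if (len >= VALUE_MAX)
        return -1;
    memcpy(a->storage, value, len + 1);
    return 0;
}

/* Walk "key=value" lines of a config; returns entries accepted, or -1 once the
   copier rejects a value (parsing is abandoned rather than continued). */
static int parse_config(const char *cfg, copier copy, struct arena *a) {
    int accepted = 0;
    char line[256];
    const char *p = cfg;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n >= sizeof line)
            return -1;
        memcpy(line, p, n);
        line[n] = '\0';
        char *eq = strchr(line, '=');
        if (eq) {
            if (copy(a, eq + 1) != 0)
                return -1;
            accepted++;
        }
        p = nl ? nl + 1 : p + n;
    }
    return accepted;
}

/* Constructed grub.cfg-style input: one ordinary entry, one 32-byte value. */
static const char SAMPLE_CFG[] =
    "set timeout=5\n"
    "set root=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

/* 1 if the neighbouring data survived parsing with the given copier. */
static int neighbour_survives(copier copy) {
    struct arena a;
    arena_init(&a);
    parse_config(SAMPLE_CFG, copy, &a);
    return arena_neighbour_intact(&a);
}

/* Result of parse_config for the given copier (2 accepted, or -1 rejected). */
static int accepted_entries(copier copy) {
    struct arena a;
    arena_init(&a);
    return parse_config(SAMPLE_CFG, copy, &a);
}

int main(void) {
    printf("unchecked copier: accepted=%d neighbour intact=%d\n",
           accepted_entries(copy_value_unchecked), neighbour_survives(copy_value_unchecked));
    printf("checked copier:   accepted=%d neighbour intact=%d\n",
           accepted_entries(copy_value_checked), neighbour_survives(copy_value_checked));
    return 0;
}
```

With the unchecked copier the error is printed and both entries are still "accepted", but the neighbour bytes have been overwritten; with the checked copier parsing stops at the oversized value and the neighbour data is untouched. The defensive point is that a length check which does not change control flow is not a bounds check.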

Comment 30 Eric Christensen 2020-07-29 14:54:18 UTC
Mitigation:

There is no mitigation for the flaw.

Comment 32 Marco Benatto 2020-07-29 15:39:44 UTC
Statement:

Kernel and kernel-rt packages as shipped with Red Hat Enterprise Linux 7 and 8 are being updated to contain the new Red Hat certificate for secure boot.

Comment 34 errata-xmlrpc 2020-07-29 18:30:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3216 https://access.redhat.com/errata/RHSA-2020:3216

Comment 35 Product Security DevOps Team 2020-07-29 19:27:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10713

Comment 36 errata-xmlrpc 2020-07-29 19:34:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3217 https://access.redhat.com/errata/RHSA-2020:3217

Comment 37 errata-xmlrpc 2020-07-29 19:37:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3223 https://access.redhat.com/errata/RHSA-2020:3223

Comment 38 errata-xmlrpc 2020-07-29 20:14:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3227 https://access.redhat.com/errata/RHSA-2020:3227

Comment 45 errata-xmlrpc 2020-08-03 10:57:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:3273 https://access.redhat.com/errata/RHSA-2020:3273

Comment 46 errata-xmlrpc 2020-08-03 11:13:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3275 https://access.redhat.com/errata/RHSA-2020:3275

Comment 47 errata-xmlrpc 2020-08-03 11:52:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3271 https://access.redhat.com/errata/RHSA-2020:3271

Comment 48 errata-xmlrpc 2020-08-03 12:02:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:3276 https://access.redhat.com/errata/RHSA-2020:3276

Comment 49 errata-xmlrpc 2020-08-03 12:05:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3274 https://access.redhat.com/errata/RHSA-2020:3274

Comment 54 errata-xmlrpc 2020-09-30 10:13:04 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2020:4115 https://access.redhat.com/errata/RHSA-2020:4115

Comment 55 errata-xmlrpc 2020-10-05 13:09:37 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2020:4172 https://access.redhat.com/errata/RHSA-2020:4172