Bug 1879577 (CVE-2020-25632)

Summary: CVE-2020-25632 grub2: Use-after-free in rmmod command
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bootloader-eng-team, fmartine, lkundrak, pjanda, pjones, rhughes, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: grub 2.06
Doc Text:
A flaw was found in grub2. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded, leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Last Closed: 2021-03-03 01:01:53 UTC
Bug Depends On: 1913879, 1913880, 1913881, 1913882, 1913883, 1913884, 1913885, 1913886, 1913887, 1913888, 1913889, 1932522, 1932523, 1932525, 1932526, 1932527, 1932528, 1932529, 1932530, 1932531, 1932532, 1932533, 1932534, 1932535, 1932536, 1932538, 1932539, 1932540, 1932541, 1932542, 1932543, 1932544, 1932545, 1932546, 1932547, 1932548, 1932549, 1932550, 1932551, 1932552, 1932553, 1932885, 1932886, 1934246, 1989593, 1989606, 1989607, 1989609, 1989611, 1989745    
Bug Blocks: 1899965    

Description Marco Benatto 2020-09-16 14:36:10 UTC
The rmmod implementation for grub2 is flawed, allowing an attacker to unload a module used as a dependency without checking if any other dependent module is still loaded. This leads to a use-after-free scenario, possibly allowing an attacker to execute arbitrary code and bypass Secure Boot protections.
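
The missing dependency check described above, shown as a simplified model that is an added example and not GRUB source code or part of the original report. The table layout, function names and module names are assumptions made for illustration; the unchecked unload only clears a flag where a real loader would free the module's memory.

```c
/* Simplified model, not GRUB source; names and table layout are constructed. */
#include <stdio.h>
#define MAX_MODS 8

struct module {
    const char *name;
    int dep;        /* index of the module this one depends on, -1 if none */
    int loaded;
    int ref_count;  /* number of loaded modules that depend on this one */
};
static struct module mods[MAX_MODS];
static int n_mods;

/* Load a module and take a reference on its dependency. */
int mod_load(const char *name, int dep) {
    if (n_mods == MAX_MODS || dep >= n_mods || (dep >= 0 && !mods[dep].loaded))
        return -1;
    mods[n_mods] = (struct module){ name, dep, 1, 0 };
    if (dep >= 0) mods[dep].ref_count++;
    return n_mods++;
}

/* Flawed unload: no check for dependents. A real loader frees the module here. */
int rmmod_unchecked(int i) { mods[i].loaded = 0; return 0; }

/* Hardened unload: refuse while any loaded module still depends on this one. */
int rmmod_checked(int i) {
    if (i < 0 || i >= n_mods || !mods[i].loaded) return -1;
    if (mods[i].ref_count > 0) return -2;   /* still in use by a dependent */
    if (mods[i].dep >= 0) mods[mods[i].dep].ref_count--;
    mods[i].loaded = 0;
    return 0;
}

/* Count loaded modules whose dependency is gone: each holds a dangling reference. */
int dangling_deps(void) {
    int n = 0;
    for (int i = 0; i < n_mods; i++)
        n += mods[i].loaded && mods[i].dep >= 0 && !mods[mods[i].dep].loaded;
    return n;
}

int main(void) {
    int base = mod_load("base", -1);
    mod_load("user", base);
    printf("checked rmmod of base: %d\n", rmmod_checked(base));
    rmmod_unchecked(base);
    printf("dangling dependencies: %d\n", dangling_deps());
    return 0;
}
```

The checked path returns -2 for a module that still has dependents, so the dangling state counted by `dangling_deps()` can only be reached through the unchecked path.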

Comment 6 Marco Benatto 2021-02-25 15:30:06 UTC
Marking fwupdate as WONTFIX for all rhel8 streams. This package was made obsolete and replaced by fwupd.

Comment 7 Marco Benatto 2021-03-02 18:39:19 UTC
Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 1934246]

Comment 8 errata-xmlrpc 2021-03-02 19:16:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0698 https://access.redhat.com/errata/RHSA-2021:0698

Comment 9 errata-xmlrpc 2021-03-02 19:21:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0696 https://access.redhat.com/errata/RHSA-2021:0696

Comment 10 errata-xmlrpc 2021-03-02 19:25:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0697 https://access.redhat.com/errata/RHSA-2021:0697

Comment 11 errata-xmlrpc 2021-03-02 19:36:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:0703 https://access.redhat.com/errata/RHSA-2021:0703

Comment 12 errata-xmlrpc 2021-03-02 19:53:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:0704 https://access.redhat.com/errata/RHSA-2021:0704

Comment 13 errata-xmlrpc 2021-03-02 20:09:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0702 https://access.redhat.com/errata/RHSA-2021:0702

Comment 14 errata-xmlrpc 2021-03-02 20:47:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0699 https://access.redhat.com/errata/RHSA-2021:0699

Comment 15 errata-xmlrpc 2021-03-02 20:50:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0700 https://access.redhat.com/errata/RHSA-2021:0700

Comment 16 errata-xmlrpc 2021-03-02 21:01:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0701 https://access.redhat.com/errata/RHSA-2021:0701

Comment 17 Product Security DevOps Team 2021-03-03 01:01:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25632

Comment 18 errata-xmlrpc 2021-05-18 14:37:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1734 https://access.redhat.com/errata/RHSA-2021:1734

Comment 19 errata-xmlrpc 2021-06-29 16:26:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2566 https://access.redhat.com/errata/RHSA-2021:2566

Comment 20 errata-xmlrpc 2021-07-20 22:09:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2790 https://access.redhat.com/errata/RHSA-2021:2790

Comment 21 errata-xmlrpc 2021-09-28 14:34:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3675 https://access.redhat.com/errata/RHSA-2021:3675