Red Hat Bugzilla – Bug 1263195
grub2: Built-in multiboot modules functioning on UEFI allow user to load non-verified code
Last modified: 2015-11-17 04:11:26 EST
A vulnerability in grub2 allowing users to load non-verified code, such as tools to circumvent Secure Boot was reported. The problem raised from introducing this commit:
Multiboot a multiboot2 modules remained built-in, that should not function on UEFI systems, but there is a prevention missing. Non-verified code can be loaded from boot menu if there's no password set, or in the config file if gained root privileges.
For reproducing the issue, see Bug #1262904.
*** This bug has been marked as a duplicate of bug 1264103 ***