On grub2 up to version 2.04, it is possible to inject code and subvert the boot process via a specially crafted grub configuration file. When grubx64.efi loads the malicious configuration file, the contents of a grub_parser_param structure are overwritten with string contents from the crafted input, leading to arbitrary code execution. The boot process can be subverted even with Secure Boot enabled.
Acknowledgments: Jesse Michael (Eclypsium), Mickey Shkatov (Eclypsium)
There is an issue with the grub2 package. grub2 is configured via the grub.cfg configuration file, which is composed of several key/value entries and is parsed when grub2 is loaded. When parsing the file, grub copies the values into an internal buffer of a predetermined size; however, when it detects that the string length is bigger than the maximum buffer size, grub2 does not abort execution, which may lead to a heap-based buffer overflow. An attacker may leverage this flaw by crafting a malicious grub.cfg file (either local or via sftp for netboot), leading to possible arbitrary code execution during the boot stage and possibly bypassing the Secure Boot mechanism if enabled.
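A simplified illustration of the missing bounds enforcement described above, added here as an example and not grub's own code: the hardened copy refuses a token that does not fit the fixed buffer and leaves the structure untouched, and a small scanner uses it to flag a constructed grub.cfg fragment containing an oversized value. The names (parser_param, param_set_token, PARAM_BUF_SIZE) and the buffer size are assumptions for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative buffer size; not grub's real constant. */
#define PARAM_BUF_SIZE 32

enum parse_status { PARSE_OK = 0, PARSE_TOO_LONG = -1 };

/* Stand-in for the fixed-size token buffer inside grub_parser_param,
 * followed by parser state that an overrun would overwrite. */
struct parser_param {
    char   buf[PARAM_BUF_SIZE];
    size_t buflen;
    int    state;
};

/* Hardened copy: an overlong token is refused and the structure is left
 * untouched, rather than merely noticed while copying continues (the
 * behaviour the page describes). */
int param_set_token(struct parser_param *p, const char *tok, size_t len)
{
    if (len >= PARAM_BUF_SIZE)   /* keep room for the NUL terminator */
        return PARSE_TOO_LONG;
    memcpy(p->buf, tok, len);
    p->buf[len] = '\0';
    p->buflen = len;
    return PARSE_OK;
}

/* Scan grub.cfg-style text and count whitespace-separated tokens the
 * hardened parser rejects; a non-zero count flags a suspicious file. */
int count_overlong_tokens(const char *cfg)
{
    int rejected = 0;
    for (const char *s = cfg; *s; ) {
        while (*s == ' ' || *s == '\t' || *s == '\n') s++;
        if (!*s) break;
        const char *start = s;
        while (*s && *s != ' ' && *s != '\t' && *s != '\n') s++;
        struct parser_param p = {0};
        if (param_set_token(&p, start, (size_t)(s - start)) != PARSE_OK)
            rejected++;
    }
    return rejected;
}

/* Constructed sample: two ordinary entries and one oversized value. */
static const char SAMPLE_CFG[] =
    "set default=0\nset timeout=5\n"
    "set root=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
```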
Mitigation: There is no mitigation for the flaw.
Statement: Kernel and kernel-rt packages as shipped with Red Hat Enterprise Linux 7 and 8 are being updated to contain the new Red Hat certificate for secure boot.
External References:
https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
https://www.openwall.com/lists/oss-security/2020/07/29/3
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3216 https://access.redhat.com/errata/RHSA-2020:3216
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10713
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3217 https://access.redhat.com/errata/RHSA-2020:3217
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:3223 https://access.redhat.com/errata/RHSA-2020:3223
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:3227 https://access.redhat.com/errata/RHSA-2020:3227
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2020:3273 https://access.redhat.com/errata/RHSA-2020:3273
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:3275 https://access.redhat.com/errata/RHSA-2020:3275
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:3271 https://access.redhat.com/errata/RHSA-2020:3271
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions Red Hat Enterprise Linux 7.3 Telco Extended Update Support Via RHSA-2020:3276 https://access.redhat.com/errata/RHSA-2020:3276
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:3274 https://access.redhat.com/errata/RHSA-2020:3274
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2020:4115 https://access.redhat.com/errata/RHSA-2020:4115
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2020:4172 https://access.redhat.com/errata/RHSA-2020:4172