Bug 1825243 (CVE-2020-10713) - CVE-2020-10713 grub2: Crafted grub.cfg file can lead to arbitrary code execution during boot process
Summary: CVE-2020-10713 grub2: Crafted grub.cfg file can lead to arbitrary code execut...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10713
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1834397 1834398 1834399 1834400 1834401 1834402 1837417 1837418 1837419 1837420 1837422 1837424 1837425 1837426 1837427 1837428 1837429 1837430 1837431 1837432 1837433 1837434 1837435 1837436 1837437 1837438 1837439 1837440 1837441 1837442 1837443 1860101 1860102 1860103 1860105 1860106 1860107 1860108 1860109 1860110 1860111 1860112 1860113 1860114 1860115 1860116 1860117 1860118 1860119 1860120 1860121 1860122 1860123 1860145 1860146 1860147 1860148 1860149 1860150 1860151 1860152 1860153 1860154 1860155 1860514 1860515 1860516 1860517 1863015 1867554 1867555
Blocks: 1822339 1829882
TreeView+ depends on / blocked
 
Reported: 2020-04-17 13:21 UTC by Marco Benatto
Modified: 2023-10-06 19:41 UTC (History)
54 users (show)

Fixed In Version: grub 2.06
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-07-29 19:27:41 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3216 0 None None None 2020-07-29 18:30:24 UTC
Red Hat Product Errata RHSA-2020:3217 0 None None None 2020-07-29 19:34:03 UTC
Red Hat Product Errata RHSA-2020:3223 0 None None None 2020-07-29 19:37:48 UTC
Red Hat Product Errata RHSA-2020:3227 0 None None None 2020-07-29 20:14:44 UTC
Red Hat Product Errata RHSA-2020:3271 0 None None None 2020-08-03 11:52:28 UTC
Red Hat Product Errata RHSA-2020:3273 0 None None None 2020-08-03 10:57:05 UTC
Red Hat Product Errata RHSA-2020:3274 0 None None None 2020-08-03 12:05:49 UTC
Red Hat Product Errata RHSA-2020:3275 0 None None None 2020-08-03 11:14:01 UTC
Red Hat Product Errata RHSA-2020:3276 0 None None None 2020-08-03 12:02:27 UTC
Red Hat Product Errata RHSA-2020:4115 0 None None None 2020-09-30 10:13:08 UTC
Red Hat Product Errata RHSA-2020:4172 0 None None None 2020-10-05 13:09:42 UTC

Description Marco Benatto 2020-04-17 13:21:03 UTC 
On grub2 up to version 2.04, it's possible to inject code and subvert the boot process via a specially crafted grub configuration file. When grubx64.efi loads the malicious configuration file, the contents of a grub_parser_param structure are overwritten with string contents from the crafted input leading to arbitrary code execution. The boot process can be subverted even with secure boot enabled.
Comment 2 Marco Benatto 2020-04-20 20:30:25 UTC 
Acknowledgments:

Name: Jesse Michael (Eclypsium), Mickey Shkatov (Eclypsium)
Comment 14 Marco Benatto 2020-07-27 14:10:03 UTC 
There's an issue with grub2 package. The grub2 is configured via grub.cfg configuration file, this file itself is composed by several key/values entries and it's parsed when grub2 is loaded. When parsing file grub copies the values into an internal buffer with a predetermined size, however when detecting the string length is bigger than the max buffer size grub2 doesn't abort the execution which may lead to a heap based buffer overflow. An attacker may leverage this flaw but crafting a malicious grub.cfg file (either local or via sftp for netboot) leading to a possible arbitrary code execution during boot stage and possibly by-passing the Secure Boot mechanism if enabled.
Comment 30 Eric Christensen 2020-07-29 14:54:18 UTC 
Mitigation:

There is no mitigation for the flaw.
Comment 32 Marco Benatto 2020-07-29 15:39:44 UTC 
Statement:

Kernel and kernel-rt packages as shipped with Red Hat Enterprise Linux 7 and 8 are being updated to contain the new Red Hat certificate for secure boot.
Comment 33 Marco Benatto 2020-07-29 18:14:15 UTC 
External References:

https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
https://www.openwall.com/lists/oss-security/2020/07/29/3
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
Comment 34 errata-xmlrpc 2020-07-29 18:30:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3216 https://access.redhat.com/errata/RHSA-2020:3216
Comment 35 Product Security DevOps Team 2020-07-29 19:27:41 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10713
Comment 36 errata-xmlrpc 2020-07-29 19:34:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3217 https://access.redhat.com/errata/RHSA-2020:3217
Comment 37 errata-xmlrpc 2020-07-29 19:37:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3223 https://access.redhat.com/errata/RHSA-2020:3223
Comment 38 errata-xmlrpc 2020-07-29 20:14:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3227 https://access.redhat.com/errata/RHSA-2020:3227
Comment 45 errata-xmlrpc 2020-08-03 10:57:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:3273 https://access.redhat.com/errata/RHSA-2020:3273
Comment 46 errata-xmlrpc 2020-08-03 11:13:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3275 https://access.redhat.com/errata/RHSA-2020:3275
Comment 47 errata-xmlrpc 2020-08-03 11:52:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3271 https://access.redhat.com/errata/RHSA-2020:3271
Comment 48 errata-xmlrpc 2020-08-03 12:02:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:3276 https://access.redhat.com/errata/RHSA-2020:3276
Comment 49 errata-xmlrpc 2020-08-03 12:05:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3274 https://access.redhat.com/errata/RHSA-2020:3274
Comment 54 errata-xmlrpc 2020-09-30 10:13:04 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2020:4115 https://access.redhat.com/errata/RHSA-2020:4115
Comment 55 errata-xmlrpc 2020-10-05 13:09:37 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2020:4172 https://access.redhat.com/errata/RHSA-2020:4172
Note You need to log in before you can comment on or make changes to this bug.