CVE-2020-14308 – grub2: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2020-14308
In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process. En grub2 versiones anteriores a 2.06, el asignador de memoria grub no comprueba posibles desbordamientos aritméticos en el tamaño de asignación solicitada. Esto conlleva a la función a devolver asignaciones de memoria no válidas que puedan ser usadas para causar posibles impactos de integridad, confidencialidad y disponibilidad durante el proceso de arranque A flaw was found in current grub2 versions as shipped with Red Hat Enterprise Linux 7 and 8, where the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This issue leads the function to return invalid memory allocations, causing heap-based overflows in several code paths. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html http://www.openwall.com/lists/oss-security/2020/07/29/3 http://www.openwall.com/lists/oss-security/2021/09/17/2 http://www.openwall.com/lists/oss-security/2021/09/17/4 http://www.openwall.com/lists/oss-security/2021/09/21/1 https://bugzilla.redhat.com/show_bug.cgi?id=1852009 https://security.gentoo.org/glsa/202104 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVE-2020-14309 – grub2: Integer overflow in grub_squash_read_symlink may lead to heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2020-14309
There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. The name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data. Se presenta un problema con grub2 en todas las versiones anteriores a 2.06, cuando se manejan sistemas de archivos squashfs que contienen un enlace simbólico con una longitud de nombre de UINT32 bytes de tamaño. El tamaño del nombre conlleva a un desbordamiento aritmético conllevando a una asignación de tamaño cero, causando un desbordamiento del búfer en la región heap de la memoria con datos controlados por el atacante A flaw was found in grub2. When handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size, the name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html https://bugzilla.redhat.com/show_bug.cgi?id=1852022 https://security.gentoo.org/glsa/202104-05 https://security.netapp.com/advisory/ntap-20200731-0008 https://usn.ubuntu.com/4432-1 https://access.redhat.com/security/cve/CVE-2020-14309 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVE-2020-15707 – GRUB2 contained integer overflows when handling the initrd command, leading to a heap-based buffer overflow.
https://notcve.org/view.php?id=CVE-2020-15707
Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions. Se detectaron desbordamientos de enteros en las funciones grub_cmd_initrd y grub_initrd_init en el componente efilinux de GRUB2, como se incluye en Debian, Red Hat y Ubuntu (la funcionalidad no está incluida aguas arriba de GRUB2), conllevando a un desbordamiento del búfer en la región heap de la memoria. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html http://ubuntu.com/security/notices/USN-4432-1 http://www.openwall.com/lists/oss-security/2020/07/29/3 https://access.redhat.com/security/vulnerabilities/grub2bootloader https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 https://security.gentoo.org/ • CWE-190: Integer Overflow or Wraparound CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2020-14310 – grub2: Integer overflow read_section_as_string may lead to heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2020-14310
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow. Se presenta un problema en grub2 versiones anteriores a 2.06, en la función read_section_as_string(). Se espera que el nombre de la fuente sea una longitud máxima UINT32_MAX - 1 en bytes, pero no lo verifica antes de proceder con la asignación del búfer para leer el valor desde el valor de la fuente. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310 https://security.gentoo.org/glsa/202104-05 https://usn.ubuntu.com/4432-1 https://access.redhat.com/security/cve/CVE-2020-14310 https://bugzilla.redhat.com/show_bug.cgi?id=1852030 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVE-2015-8370 – grub2: buffer overflow when checking password entered during bootup
https://notcve.org/view.php?id=CVE-2015-8370
Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error. Múltiple desbordamiento inferior de entero en Grub2 1.98 hasta la versión 2.02 permite a atacantes físicamente próximos eludir la autenticación, obtener información sensible o causar una denegación de servicio (corrupción de disco) a través del carácter backspace en la función (1) grub_username_get en grub-core/normal/auth.c o (2) grub_password_get en lib/crypto.c, lo que desencadena un error de memoria 'Off-by-two' o 'Out of bounds overwrite'. A flaw was found in the way grub2 handled backspace characters entered in username and password prompts. An attacker with access to the system console could use this flaw to bypass grub2 password protection and gain administrative access to the system. • http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173703.html http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174049.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00037.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00039.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00040.html http://lists.opensuse.org/opensuse-security-announce/2 • CWE-191: Integer Underflow (Wrap or Wraparound) CWE-264: Permissions, Privileges, and Access Controls CWE-787: Out-of-bounds Write •