CVE-2020-15707

GRUB2 contained integer overflows when handling the initrd command, leading to a heap-based buffer overflow.

Severity Score

6.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions.

Se detectaron desbordamientos de enteros en las funciones grub_cmd_initrd y grub_initrd_init en el componente efilinux de GRUB2, como se incluye en Debian, Red Hat y Ubuntu (la funcionalidad no está incluida aguas arriba de GRUB2), conllevando a un desbordamiento del búfer en la región heap de la memoria. Estos podrían ser activados por una gran cantidad de argumentos para el comando initrd en arquitecturas de 32 bits, o un sistema de archivos diseñado con archivos muy grandes en cualquier arquitectura. Un atacante podría usar esto para ejecutar código arbitrario y omitir las restricciones UEFI Secure Boot. Este problema afecta a GRUB2 versiones 2.04 y versiones anteriores

*Credits: Colin Watson, Chris Coulson

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-07-14 CVE Reserved
2020-07-28 CVE Published
2024-04-30 EPSS Updated
2024-09-17 CVE Updated
2024-09-17 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-190: Integer Overflow or Wraparound
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (19)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2020/07/29/3	Mailing List
https://security.netapp.com/advisory/ntap-20200731-0008	Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/07/29/3	Mailing List

URL	Date	SRC
https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot	2024-09-17

URL	Date	SRC
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011	2021-09-13

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html	2021-09-13
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html	2021-09-13
http://ubuntu.com/security/notices/USN-4432-1	2021-09-13
https://access.redhat.com/security/vulnerabilities/grub2bootloader	2021-09-13
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html	2021-09-13
https://security.gentoo.org/glsa/202104-05	2021-09-13
https://usn.ubuntu.com/4432-1	2021-09-13
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass	2021-09-13
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot	2021-09-13
https://www.debian.org/security/2020/dsa-4735	2021-09-13
https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue	2021-09-13
https://www.suse.com/support/kb/doc/?id=000019673	2021-09-13
https://access.redhat.com/security/cve/CVE-2020-15707	2020-08-03
https://bugzilla.redhat.com/show_bug.cgi?id=1861581	2020-08-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gnu Search vendor "Gnu"		Grub2 Search vendor "Gnu" for product "Grub2"				<= 2.04 Search vendor "Gnu" for product "Grub2" and version " <= 2.04"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Atomic Host Search vendor "Redhat" for product "Enterprise Linux Atomic Host"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.0 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1607 Search vendor "Microsoft" for product "Windows 10" and version "1607"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1709 Search vendor "Microsoft" for product "Windows 10" and version "1709"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1803 Search vendor "Microsoft" for product "Windows 10" and version "1803"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1809 Search vendor "Microsoft" for product "Windows 10" and version "1809"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1903 Search vendor "Microsoft" for product "Windows 10" and version "1903"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				1909 Search vendor "Microsoft" for product "Windows 10" and version "1909"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 10 Search vendor "Microsoft" for product "Windows 10"				2004 Search vendor "Microsoft" for product "Windows 10" and version "2004"		-		Affected
Microsoft Search vendor "Microsoft"		Windows 8.1 Search vendor "Microsoft" for product "Windows 8.1"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows Rt 8.1 Search vendor "Microsoft" for product "Windows Rt 8.1"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2012 Search vendor "Microsoft" for product "Windows Server 2012"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2012 Search vendor "Microsoft" for product "Windows Server 2012"				r2 Search vendor "Microsoft" for product "Windows Server 2012" and version "r2"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				-		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				1903 Search vendor "Microsoft" for product "Windows Server 2016" and version "1903"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				1909 Search vendor "Microsoft" for product "Windows Server 2016" and version "1909"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2016 Search vendor "Microsoft" for product "Windows Server 2016"				2004 Search vendor "Microsoft" for product "Windows Server 2016" and version "2004"		-		Affected
Microsoft Search vendor "Microsoft"		Windows Server 2019 Search vendor "Microsoft" for product "Windows Server 2019"				-		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				20.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "20.04"		lts		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected
Suse Search vendor "Suse"		Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"				11 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "11"		-		Affected
Suse Search vendor "Suse"		Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"				12 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "12"		-		Affected
Suse Search vendor "Suse"		Suse Linux Enterprise Server Search vendor "Suse" for product "Suse Linux Enterprise Server"				15 Search vendor "Suse" for product "Suse Linux Enterprise Server" and version "15"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				>= 9.5 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 9.5"		vmware_vsphere		Affected