[ASA-202106-43] grub: multiple issues

Jonas Witschel diabonas at archlinux.org
Fri Jun 18 15:49:16 UTC 2021

Arch Linux Security Advisory ASA-202106-43

Severity: Medium
Date    : 2021-06-15
CVE-ID  : CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
          CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
Package : grub
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1629


The package grub before version 2:2.06-1 is vulnerable to multiple
issues including access restriction bypass and arbitrary code


Upgrade to 2:2.06-1.

# pacman -Syu "grub>=2:2.06-1"

The problems have been fixed upstream in version 2.06.




- CVE-2020-14372 (arbitrary code execution)

GRUB2 enables the use of the command acpi even when secure boot is
signaled by the firmware. An attacker with local root privileges can
drop a small SSDT in /boot/efi and modify grub.cfg to instruct grub to
load said SSDT. The SSDT then gets run by the kernel and it overwrites
the kernel lockdown configuration enabling the attacker to load
unsigned kernel modules and kexec unsigned code.

- CVE-2020-25632 (arbitrary code execution)

The rmmod implementation for grub2 is flawed, allowing an attacker to
unload a module used as a dependency without checking if any other
dependent module is still loaded. This leads to a use-after-free
scenario possibly allowing an attacker to execute arbitrary code and
by-pass Secure Boot protections.

- CVE-2020-25647 (arbitrary code execution)

grub_usb_device_initialize() is called to handle USB device
initialization. It reads out the descriptors it needs from the USB
device and uses that data to fill in some USB data structures.
grub_usb_device_initialize() performs very little bounds checking and
simply assumes the USB device provides sane values. This behavior can
trigger memory corruption. If properly exploited, this would lead to
arbitrary code execution allowing the attacker to bypass the Secure
Boot mechanism.

- CVE-2020-27749 (arbitrary code execution)

grub_parser_split_cmdline() expands variable names present in the
supplied command line in to their corresponding variable contents and
uses a 1kB stack buffer for temporary storage without sufficient bounds
checking. If the function is called with a command line that references
a variable with a sufficiently large payload, it is possible to
overflow the stack buffer, corrupt the stack frame and control
execution. An attacker may use this to circumvent Secure Boot

- CVE-2020-27779 (access restriction bypass)

The GRUB2's cutmem command does not honor Secure Boot locking. This
allows an privileged attacker to remove address ranges from memory
creating an opportunity to circumvent Secure Boot protections after
proper triage of grub's memory layout.

- CVE-2021-20225 (arbitrary code execution)

The option parser in GRUB2 allows an attacker to write past the end of
a heap-allocated buffer by calling certain commands with a large number
of specific short forms of options.

- CVE-2021-20233 (arbitrary code execution)

There's a flaw in GRUB2 menu rendering code setparam_prefix() in the
menu rendering code. It performs a length calculation under the
assumption that expressing a quoted single quote will require 3
characters, while it actually requires 4 characters. This allow an
attacker to corrupt memory by one byte for each quote in the input.


When secure boot is enabled, complete subversion of the integrity
prospects can be achieved through malicious use of existing commands,
side-loaded modules, command acpi, rmmod, variable referencing and
option parsers.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210618/0c6e6c0d/attachment.sig>

More information about the arch-security mailing list