CVE-2020-15705 Information

Feb 14, 2021 cve

Description

GRUB2 fails to validate kernel signature when booted directly without shim allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Reference

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00067.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html http://ubuntu.com/security/notices/USN-4432-1 http://www.openwall.com/lists/oss-security/2020/07/29/3 https://access.redhat.com/security/vulnerabilities/grub2bootloader https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 https://security.netapp.com/advisory/ntap-20200731-0008/ https://usn.ubuntu.com/4432-1/ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ https://www.openwall.com/lists/oss-security/2020/07/29/3 https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ https://www.suse.com/support/kb/doc/?id=000019673

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

6.4

Share on: