grub2 up to 2.04 on Linux UEFI Secure Boot grub_cmd_initrd/grub_initrd_init Argument race condition

Summaryinfo

A vulnerability classified as critical has been found in grub2 up to 2.04 on Linux. The affected element is the function grub_cmd_initrd/grub_initrd_init of the component UEFI Secure Boot. Performing a manipulation as part of Argument results in race condition. This vulnerability is known as CVE-2020-15707. Attacking locally is a requirement. No exploit is available.

Detailsinfo

A vulnerability classified as critical has been found in grub2 up to 2.04 on Linux. This affects the function grub_cmd_initrd/grub_initrd_init of the component UEFI Secure Boot. The manipulation as part of a Argument leads to a race condition vulnerability. CWE is classifying the issue as CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions.

The weakness was published 07/29/2020 (Website). The advisory is shared at lists.gnu.org. This vulnerability is uniquely identified as CVE-2020-15707 since 07/14/2020. An attack has to be approached locally. The exploitation requires an enhanced level of successful authentication. Technical details are known, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 234122 (Oracle Linux 8 : grub2 (ELSA-2025-3367)), which helps to determine the existence of the flaw in a target environment.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the databases at Tenable (234122) and CERT Bund (WID-SEC-2022-0553). Similar entries are available at VDB-159163 and VDB-159164. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Ubuntu Linux
• IBM Security Guardium
• Open Source Grub
• Debian Linux
• Red Hat Enterprise Linux
• Microsoft Windows
• Cisco Identity Services Engine (ISE)
• SUSE Linux
• Cisco Router
• Oracle Linux
• HPE ProLiant
• Gentoo Linux
• Palo Alto Networks PAN-OS
• Avaya Aura Communication Manager
• Avaya Aura Session Manager
• Avaya Aura Application Enablement Services
• Avaya Aura System Manager
• Avaya Web License Manager
• Aruba ArubaOS

Productinfo

Name

• grub2

Version

• 2.04

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion