CVSS2 score: 6.9 (Medium)
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.001 (Low), percentile 42.5%
CentOS Errata and Security Advisory CESA-2015:2653
The grub2 packages provide version 2 of the Grand Unified Bootloader
(GRUB), a highly configurable and customizable bootloader with modular
architecture. The packages support a variety of kernel formats, file
systems, computer architectures, and hardware devices.
A flaw was found in the way grub2 handled backspace characters entered
in username and password prompts. An attacker with access to the system
console could use this flaw to bypass grub2 password protection and gain
administrative access to the system. (CVE-2015-8370)
This update also fixes the following bug:
All grub2 users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For this update to take
effect on BIOS-based machines, grub2 needs to be reinstalled as documented
in the “Reinstalling GRUB 2 on BIOS-Based Machines” section of the Red Hat
Enterprise Linux 7 System Administrator’s Guide linked to in the References
section. No manual action is needed on UEFI-based machines.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2015-December/083707.html
Affected packages:
grub2
grub2-efi
grub2-efi-modules
grub2-tools
Upstream details at:
https://access.redhat.com/errata/RHSA-2015:2623
OS | Version | Architecture | Package | Affected version | Fixed filename |
---|---|---|---|---|---|
CentOS | 7 | x86_64 | grub2 | < 2.02-0.33.el7.centos.1 | grub2-2.02-0.33.el7.centos.1.x86_64.rpm |
CentOS | 7 | x86_64 | grub2-efi | < 2.02-0.33.el7.centos.1 | grub2-efi-2.02-0.33.el7.centos.1.x86_64.rpm |
CentOS | 7 | x86_64 | grub2-efi-modules | < 2.02-0.33.el7.centos.1 | grub2-efi-modules-2.02-0.33.el7.centos.1.x86_64.rpm |
CentOS | 7 | x86_64 | grub2-tools | < 2.02-0.33.el7.centos.1 | grub2-tools-2.02-0.33.el7.centos.1.x86_64.rpm |
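An added host check, not part of the advisory or of the grub2 project, that compares an installed `version-release` against the fixed build in the table above using rpm's own ordering rules, and flags the BIOS caveat the advisory gives (package updated but grub2 not yet reinstalled). It assumes the inventory is fed in as a dict (as `rpm -q --qf '%{VERSION}-%{RELEASE}\n' <pkg>` would print it) and that UEFI boot is detected via `/sys/firmware/efi`; the sample inventory at the bottom is constructed.

```python
import os
import re

# Fixed version-release from the advisory table (CESA-2015:2653, CentOS 7).
FIXED_VR = "2.02-0.33.el7.centos.1"
ADVISORY_PACKAGES = ("grub2", "grub2-efi", "grub2-efi-modules", "grub2-tools")

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """rpm-style ordering of one version or release string against another:
    numeric runs compare numerically, alphabetic runs lexically, a numeric run
    beats an alphabetic one, and when one string runs out the longer one is
    newer. Returns -1, 0 or 1. (Tilde/caret ordering is not implemented.)"""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def vr_cmp(a, b):
    """Compare two 'version-release' strings (grub2 on CentOS 7 has no epoch)."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def assess(installed, efi_booted):
    """installed: {package: 'version-release'}; efi_booted: /sys/firmware/efi
    present. Returns (vulnerable_packages, reinstall_needed). reinstall_needed
    is True when a fixed package sits on a BIOS-booted host, where the advisory
    says grub2 must be reinstalled before the update takes effect."""
    vulnerable = [p for p in ADVISORY_PACKAGES
                  if p in installed and vr_cmp(installed[p], FIXED_VR) < 0]
    fixed_present = any(p in installed and p not in vulnerable
                        for p in ADVISORY_PACKAGES)
    return vulnerable, (fixed_present and not efi_booted)


if __name__ == "__main__":
    # Constructed sample inventory: grub2 still at a pre-advisory build.
    sample = {"grub2": "2.02-0.29.el7", "grub2-tools": "2.02-0.33.el7.centos.1"}
    print(assess(sample, os.path.exists("/sys/firmware/efi")))
```

Note that a release of `0.33.el7` without the `.centos.1` suffix sorts below the fixed build under rpm's rules, so it is still reported as vulnerable.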