CVSS2: 6.9 Medium
CVSS2 vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.001 Low
EPSS Percentile: 43.0%
GNU GRUB is a multiboot boot loader used by most Linux systems.
An integer underflow in GRUB’s username/password authentication code has been discovered.
An attacker with access to the system console may bypass the username prompt by entering a sequence of backspace characters. This allows them, for example, to gain full access to GRUB’s console or to load a customized kernel.
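The bug class described above, as an added example that is not GRUB source code and not part of the original advisory: a simplified model of a prompt reader whose backspace handling decrements an unsigned length counter, shown without and with the zero check. The buffer size, names and key sequence are assumptions constructed for illustration; the unchecked variant only records out-of-range positions and never writes to them.

```c
#include <limits.h>
#include <stdio.h>

#define BUF_SIZE 8u      /* hypothetical prompt buffer size */
#define KEY_BS   '\b'    /* backspace key */

struct prompt_result {
    unsigned int cur_len;   /* final value of the length counter */
    int wrapped;            /* 1 if the counter ever left [0, BUF_SIZE) */
    char buf[BUF_SIZE];
};

/* Flawed pattern: backspace decrements with no check for an empty buffer.
 * Out-of-range positions are flagged, not written, so the demo stays safe. */
static struct prompt_result read_unchecked(const char *keys, size_t n)
{
    struct prompt_result r = { 0, 0, { 0 } };
    for (size_t i = 0; i < n; i++) {
        if (keys[i] == KEY_BS) {
            r.cur_len--;                    /* 0 - 1 wraps to UINT_MAX */
            if (r.cur_len >= BUF_SIZE) r.wrapped = 1;
            else r.buf[r.cur_len] = '\0';
        } else if (r.cur_len < BUF_SIZE - 1) {
            r.buf[r.cur_len++] = keys[i];
        }
    }
    return r;
}

/* Hardened pattern: a backspace on an empty buffer is ignored. */
static struct prompt_result read_checked(const char *keys, size_t n)
{
    struct prompt_result r = { 0, 0, { 0 } };
    for (size_t i = 0; i < n; i++) {
        if (keys[i] == KEY_BS) {
            if (r.cur_len > 0) r.buf[--r.cur_len] = '\0';
        } else if (r.cur_len < BUF_SIZE - 1) {
            r.buf[r.cur_len++] = keys[i];
        }
    }
    return r;
}

int main(void)
{
    const char keys[] = "\b\bab";           /* constructed sample input */
    struct prompt_result u = read_unchecked(keys, 4), c = read_checked(keys, 4);
    printf("unchecked: len=%u wrapped=%d\n", u.cur_len, u.wrapped);
    printf("checked:   len=%u wrapped=%d buf=%s\n", c.cur_len, c.wrapped, c.buf);
    return 0;
}
```

With the check in place the counter never leaves the buffer, so later writes indexed by it stay in bounds.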
There is no known workaround at this time.
All GRUB 2.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-boot/grub-2.02_beta2-r8"
After upgrading, make sure to run the grub2-install command with options appropriate for your system. See the GRUB2 Quick Start guide in the references below for examples. Your system will be vulnerable until this action is performed.
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | sys-boot/grub | < 2.02_beta2-r8 | UNKNOWN |