GRUB2 Vulnerability – AKA

Lenovo Security Advisory: LEN-34794

Potential Impact: Escalation of privilege

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2020-10713

Summary Description:

Lenovo is aware of a vulnerability in GRUB2, an open source bootloader commonly used by Linux, that could allow Secure Boot security enforcement to be bypassed by an attacker with physical or administrator access and allow unauthorized code execution during the boot process. This vulnerability is referred to by the researchers as Boot Hole.

Lenovo client and server products support Secure Boot. Enabling Secure Boot and using a vulnerable version of GRUB2 will expose products to the Boot Hole vulnerability.

Mitigation Strategy for Customers (what you should do to protect yourself):

The industry approach to addressing this class of issue is to add vulnerable versions of GRUB2 to the Secure Boot “deny” database (dbx) to prevent them from loading when Secure Boot is enabled. However, the industry has identified scenarios where doing so will negatively impact customers and prevent systems from booting, such as when BitLocker is enabled. Lenovo will continue to monitor and provide updated information and fixes, if applicable, as the industry develops a strategy for this issue.

In the interim, Lenovo recommends updating operating systems to use non-vulnerable versions of GRUB2, allowing boot from only authorized devices, and configuring a BIOS Administrator/Supervisor Password to prevent unauthorized boot device changes.

For affected Lenovo software and solutions using GRUB2, please refer to the Product Impact section below.

Product Impact:

· Systems utilizing UEFI Secure Boot

· ThinkAgile CP-Spark Hypervisor Guardian

· ThinkAgile CP-Spark Storage Controller Guardian

· LeTOS (Linux)

· Lenovo Rackswitch NE10032

· Lenovo Rackswitch NE2572

· Lenovo Rackswitch NE0152T

References:

Microsoft: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011&gt;

Eclypsium Blog: https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

UEFI Forum: https://uefi.org/revocationlistfile

Canonical: https://ubuntu.com/security/notices/USN-4432-1

Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot

Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader

SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/

VMware: https://kb.vmware.com/s/article/80181

Revision History:

Revision	Date	Description
1	2020-07-30	Initial release

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.