Lucene search

MicrosoftMS:ADV200011

HistoryJul 29, 2020 - 7:00 a.m.

Microsoft Guidance for Addressing Security Feature Bypass in GRUB

2020-07-2907:00:00

Microsoft

msrc.microsoft.com

2262

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.002 Low

EPSS

Percentile

60.5%

JSON

Executive Summary

Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow for Secure Boot bypass.

To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.

Microsoft is working to complete validation and compatibility testing of a required Windows Update that addresses this vulnerability. If you are an IT professional and would like to immediately address this vulnerability, please see the mitigation option on installing an un-tested update. When the Windows updates become available, customers will be notified via revision to this advisory. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System.

This vulnerability is detectable via TPM attestation and Defender ATP.

CVEs released for this issue: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707.

Update: March 2, 2021

A new set of similar vulnerabilities has been discovered, documented under: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-3418, CVE-2021-20225, CVE-2021-20233.

Update: August 9, 2022

Microsoft has released standalone security update 5012170 to provide protection against the vulnerabilities described in this advisory. See the FAQ section and KB5012170: Security update for Secure Boot DBX: August 9, 2022 for more information about this update.

Background Information

In 2012, Microsoft introduced the Secure Boot feature into the then-new, UEFI-based PC ecosystem. UEFI Secure Boot is an anti-rootkit feature that defends the boot process from untrusted code execution. As part of enabling this feature, Microsoft signs boot code both for Windows and 3rd-parties including Linux distributions. This boot code allows Linux systems to take advantage of Secure Boot.

The GRUB vulnerability provides a way to bypass the UEFI Secure Boot security feature for any system that trusts the Microsoft 3rd-party UEFI signer, which includes many PCs.

Mitigations

See the Mitigations section following theExploitability section.

Recommended Actions

Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.