Advisory ROSA-SA-2021-1849

2021-07-02 17:01:29
ROSA LAB
abf.rosalinux.ru

CVSS3: 8.2 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score: 8.4 High (Confidence: Low)

CVSS2: 7.2 High
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.002 Low (Percentile: 60.4%)

Software: grub2 2.02
OS: Cobalt 7.9

CVE-ID: CVE-2020-15706
CVE-Crit: MEDIUM
CVE-DESC: GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability, which can be triggered by redefining a function while the same function is already executing, resulting in arbitrary code execution and a bypass of Secure Boot restrictions. This issue affects GRUB2 versions 2.04 and earlier.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-15707
CVE-Crit: MEDIUM
CVE-DESC: Integer overflows were found in the grub_cmd_initrd and grub_initrd_init functions in the efilinux component of GRUB2 as shipped in Debian, Red Hat, and Ubuntu (this functionality is not included in upstream GRUB2), resulting in heap-based buffer overflows. These can be triggered by extremely large initrd command arguments on 32-bit architectures, or by a crafted filesystem with very large files on any architecture. An attacker can use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 versions 2.04 and earlier.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14372
CVE-Crit: HIGH
CVE-DESC: A flaw was found in grub2 in versions prior to 2.06, where it incorrectly allows the acpi command to be used when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code that overwrites the Linux kernel lockdown variable directly in memory. The table is then loaded and executed by the kernel, defeating the Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25632
CVE-Crit: HIGH
CVE-DESC: A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows a module that is in use as a dependency to be unloaded without checking whether any dependent module is still loaded, leading to a use-after-free scenario. This could allow arbitrary code execution or a bypass of Secure Boot protection. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25647
CVE-Crit: HIGH
CVE-DESC: A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking, and it is assumed that the USB device provides sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution, allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-27749
CVE-Crit: MEDIUM
CVE-DESC: A flaw was found in grub2 in versions prior to 2.06. Variable names present on the provided command line are expanded to their corresponding variable contents using a 1 KB stack buffer for temporary storage, without sufficient bounds checking. If a function is called with a command line that references a variable with a large enough payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution, which can also bypass Secure Boot protection. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-27779
CVE-Crit: HIGH
CVE-DESC: A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor Secure Boot locking, allowing a privileged attacker to remove address ranges from memory, creating an opportunity to bypass Secure Boot protection after properly triaging grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-20225
CVE-Crit: MEDIUM
CVE-DESC: A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-20233
CVE-Crit: HIGH
CVE-DESC: A flaw was found in grub2 in versions prior to 2.06. setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters, allowing an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-3418
CVE-Crit: MEDIUM
CVE-DESC: If certificates that signed grub are installed in db, grub can be booted directly. It will then load any kernel without verifying its signature. The loaded kernel will assume it was booted in Secure Boot mode and will implement lockdown, yet it could have been tampered with. This flaw is a reintroduction of CVE-2020-15705 and only affects grub2 versions prior to 2.06 and distributions that use the shim_lock mechanism.
CVE-STATUS: default
CVE-REV: default
