Lucene search

Ubuntu.comUB:CVE-2024-1048

HistoryFeb 06, 2024 - 12:00 a.m.

CVE-2024-1048

2024-02-0600:00:00

ubuntu.com

grub2

set-bootflag

vulnerability

temporary files

filesystem

security fix

ubuntu

secure boot

esm

key revocation

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

4.7 Medium

AI Score

Confidence

High

1.7 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:S/C:N/I:N/A:P

0.0005 Low

EPSS

Percentile

15.3%

JSON

A flaw was found in the grub2-set-bootflag utility of grub2. After the fix
of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the
new grubenv content and rename it to the original grubenv file. If the
program is killed before the rename operation, the temporary file will not
be removed and may fill the filesystem when invoked multiple times,
resulting in a filesystem out of free inodes or blocks.

Notes

Author	Note
eslerm	the grub2 package does not affect Ubuntu’s Secure Boot grub2-unsigned contains Secure Boot security fixes grub2 and grub2-unsigned should have same major version Ubuntu Secure Boot and ESM do not cover i386 trusty’s GA kernel cannot handle new versions of grub Note that key revocation is required to protect against evil housekeeper attacks (such as BlackLotus)
mdeslaur	This issue is in a RedHat-specific addition and does not affect Debian or Ubuntu