
GRUB2 Security Vulnerability


ebrke

Apparently this vulnerability can only be exploited by a local user.

GRUB2 Vulnerability


securitybreach

Hasn't that always been the way? With physical access there is no security. Single user mode.

securitybreach

Ah, nothing to worry about:

 

Quote

A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

 


 

Another reason to stay up to date ;)

sunrat

GRUB2 was updated a couple of days ago in Debian to address this.

 

Edit - and the update was updated today -

Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4735-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 30, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grub2
Debian Bug     : 966554

The update for grub2 released as DSA 4735-1 caused a boot-regression when
chainloading another bootloader and breaking notably dual-boot with
Windows. Updated grub2 packages are now available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 2.02+dfsg1-20+deb10u2.

 

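The advisory above names one fixed version, 2.02+dfsg1-20+deb10u2, and the easy mistake is to eyeball package versions instead of comparing them the way dpkg does (where "20" sorts below "20+deb10u1", and "2.06~rc1" sorts below "2.06"). The script below is an added example, not code from this thread or from Debian: it ports dpkg's version-ordering rules and reports which grub2 binaries on a host are still below the advisory's fixed version. The fixed version is the one quoted in DSA-4735-2; the list of grub2 binary package names and the sample dpkg-query output are assumptions constructed for the example (the sample mixes an unpatched package, one at the -1 level that the advisory says broke chainloading, and two at -2).

```python
"""Check installed grub2 binaries against the fixed version from a DSA,
using dpkg's own version-ordering rules.

Added example (not from the forum thread or Debian). The binary package
list and SAMPLE_DPKG_OUTPUT are constructed assumptions for this example.
"""
import shutil
import string
import subprocess

DIGITS = set("0123456789")
LETTERS = set(string.ascii_letters)

# Version quoted in DSA-4735-2 for buster; anything older is unpatched or
# carries the chainloading regression that DSA-4735-1 introduced.
FIXED_VERSION = "2.02+dfsg1-20+deb10u2"

# Binaries built from the grub2 source package (assumption: extend to what
# your hosts actually carry, e.g. grub-efi-arm64).
GRUB2_BINARIES = {"grub-common", "grub2-common", "grub-pc", "grub-pc-bin",
                  "grub-efi-amd64", "grub-efi-amd64-bin"}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output.
SAMPLE_DPKG_OUTPUT = """\
grub-common 2.02+dfsg1-20
grub2-common 2.02+dfsg1-20+deb10u1
grub-pc 2.02+dfsg1-20+deb10u2
grub-pc-bin 2.02+dfsg1-20+deb10u2
libc6 2.28-10
"""


def _order(c):
    """dpkg's character weight: '~' sorts before anything, even end of
    string; letters before other symbols; digits are compared numerically."""
    if c in DIGITS:
        return 0
    if c in LETTERS:
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:  # longer digit run wins
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """[epoch:]upstream[-revision]; the revision follows the LAST '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0


def check_packages(dpkg_output, fixed=FIXED_VERSION, binaries=GRUB2_BINARIES):
    """Map each installed grub2 binary to 'fixed' or 'vulnerable'."""
    status = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in binaries:
            continue
        name, version = parts
        status[name] = "fixed" if compare_versions(version, fixed) >= 0 else "vulnerable"
    return status


def installed_versions():
    """Real dpkg-query output when available, else the constructed sample."""
    if shutil.which("dpkg-query"):
        return subprocess.run(["dpkg-query", "-W", "-f", "${Package} ${Version}\\n"],
                              check=True, capture_output=True, text=True).stdout
    return SAMPLE_DPKG_OUTPUT


if __name__ == "__main__":
    for name, state in sorted(check_packages(installed_versions()).items()):
        print(f"{name}: {state}")
```

Note that this only confirms the patched package is installed. The on-disk boot image is rewritten by the grub-pc/grub-efi package scripts for the devices they were configured with; on a host where that device list is empty or GRUB was installed by hand, rerun grub-install and update-grub after the upgrade and then confirm the machine still chainloads any other OS, since that is exactly what the -1 update broke.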
