ebrke Posted July 30, 2020
Apparently this vulnerability can only be exploited by a local user. GRUB2 Vulnerability

securitybreach Posted July 30, 2020
Hasn't that always been the way? With physical access there is no security. Single user mode

securitybreach Posted July 30, 2020
Ah, nothing to worry about:

Quote:
    A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Another reason to stay up to date

sunrat Posted July 31, 2020
GRUB2 was updated a couple of days ago in Debian to address this.
Edit - and the update was updated today -

Quote:
    -------------------------------------------------------------------------
    Debian Security Advisory DSA-4735-2                   security@debian.org
    https://www.debian.org/security/                     Salvatore Bonaccorso
    July 30, 2020                         https://www.debian.org/security/faq
    -------------------------------------------------------------------------

    Package        : grub2
    Debian Bug     : 966554

    The update for grub2 released as DSA 4735-1 caused a boot-regression
    when chainloading another bootloader and breaking notably dual-boot with
    Windows. Updated grub2 packages are now available to correct this issue.

    For the stable distribution (buster), this problem has been fixed in
    version 2.02+dfsg1-20+deb10u2.