PT-2020-6596 · Grub2+10 · Grub2+10
Published
2020-11-23
·
Updated
2024-06-15
·
CVE-2020-27779
CVSS v3.1
7.6
High
| Vector | AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Grub2 versions prior to 2.06
Description
A flaw in the implementation of the cutmem command in Grub2 is related to a violation of the authorization mechanism. Exploitation of this issue may allow an attacker to access confidential data, compromise data integrity, and cause a denial of service. The cutmem command does not honor secure boot locking, allowing a privileged attacker to remove address ranges from memory and potentially circumvent SecureBoot protections after analyzing Grub's memory layout. The highest threat from this issue is to data confidentiality and integrity, as well as system availability.
Recommendations
For Grub2 versions prior to 2.06, update to version 2.06 or later to resolve the issue.
As a temporary workaround, consider restricting access to the cutmem command to minimize the risk of exploitation.
Exploit
Fix
Improper Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Grub2
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu