CVE-2020-25647: 1886936 – (CVE-2020-25647) CVE-2020-25647 grub2: Out-of-bounds write in grub_usb_device_initialize()

A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking, and the code assumes the USB device is providing sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution, allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
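
The kind of check the description says is missing, as an added example (not GRUB's code and not the upstream fix): a parser that validates every device-supplied length and count before writing into a fixed-size table. The struct names, `MAX_IFACES`, `parse_config` and the sample byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_IFACES 4  /* hypothetical fixed capacity of the host-side table */
struct iface_slot { uint8_t number, cls, num_endpoints; };
struct usb_config { uint8_t iface_count; struct iface_slot ifaces[MAX_IFACES]; };

/* Constructed samples: one well-formed configuration (header, interface,
   endpoint) and two hostile variants with lying header fields. */
const uint8_t sample_ok[] = { 9, 2, 25, 0, 1, 1, 0, 0x80, 50,
    9, 4, 0, 0, 1, 3, 1, 1, 0,   7, 5, 0x81, 3, 8, 0, 10 };
const uint8_t sample_bad_count[] = { 9, 2, 25, 0, 200, 1, 0, 0x80, 50,
    9, 4, 0, 0, 1, 3, 1, 1, 0,   7, 5, 0x81, 3, 8, 0, 10 };
const uint8_t sample_zero_len[] = { 9, 2, 11, 0, 0, 1, 0, 0x80, 50, 0, 4 };

/* Returns 0 on success, -1 if any device-supplied length or count is
   inconsistent. Nothing is written past out->ifaces[MAX_IFACES - 1]. */
int parse_config(const uint8_t *buf, size_t len, struct usb_config *out)
{
    memset(out, 0, sizeof *out);
    if (len < 9 || buf[0] != 9 || buf[1] != 0x02)   /* configuration header */
        return -1;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);  /* wTotalLength */
    uint8_t declared = buf[4];                              /* bNumInterfaces */
    /* Claimed size must fit the bytes read; claimed count must fit the table. */
    if (total < 9 || total > len || declared > MAX_IFACES)
        return -1;
    for (size_t off = 9; off < total; ) {
        if (total - off < 2)         /* need bLength and bDescriptorType */
            return -1;
        uint8_t dlen = buf[off], dtype = buf[off + 1];
        if (dlen < 2 || dlen > total - off)  /* bLength 0 would never advance */
            return -1;
        if (dtype == 0x04) {         /* interface descriptor, 9 bytes */
            if (dlen < 9)
                return -1;
            if (buf[off + 3] == 0) { /* count alternate setting 0 only */
                if (out->iface_count >= declared)
                    return -1;       /* more interfaces than declared */
                struct iface_slot *s = &out->ifaces[out->iface_count++];
                s->number = buf[off + 2];
                s->num_endpoints = buf[off + 4];
                s->cls = buf[off + 5];
            }
        }
        off += dlen;
    }
    return out->iface_count == declared ? 0 : -1;
}
```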

Description Marco Benatto 2020-10-09 18:56:26 UTC

grub_usb_device_initialize() is called to handle USB device initialization. It reads out the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption. If properly exploited, this would lead to arbitrary code execution, allowing the attacker to bypass the SecureBoot mechanism.

Comment 2 Marco Benatto 2020-12-29 14:56:58 UTC

Acknowledgments:

Name: Joseph Tartaro (IOActive), Ilja van Sprundel (IOActive)

Comment 6 Marco Benatto 2021-02-25 15:34:43 UTC

Marking fwupdate as WONTFIX for all rhel8 streams. This package was made obsolete and replaced by fwupd.

Comment 7 Marco Benatto 2021-03-02 18:39:44 UTC

Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 1934248]

Comment 13 errata-xmlrpc 2021-03-02 20:09:35 UTC

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.4 Advanced Update Support
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0702 https://access.redhat.com/errata/RHSA-2021:0702
