Attacker Value: Moderate (2 users assessed)
Exploitability: High (2 users assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Local

CVE-2020-10713 - BootHole

Disclosure Date: July 30, 2020
Description

A flaw was found in grub2 prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper with the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system, such as gaining physical access, obtaining the ability to alter a PXE boot network, or having remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

4 Ratings
Technical Analysis

A buffer overflow exists within GRUB2 affecting how it handles its configuration file. An exception occurs when the contents of the configuration are too large for the buffer; the exception is incorrectly handled, causing the contents to be written anyway, thus overflowing the buffer.

In order to exploit this, an attacker would likely need either:

  • Physical access to an affected device and sufficient time to mount the disk and corrupt / infect the GRUB configuration file
  • Administrative access to a running system to corrupt / infect the GRUB configuration file

Successful exploitation of this vulnerability could corrupt the secure boot process and compromise the integrity of the system overall. This would effectively allow the installation and utilization of a bootkit. Developing a weaponized exploit would be aided by the lack of modern memory protections such as address space layout randomization (ASLR).

Patching is a complicated process involving updating the firmware from the vendor and applying a denylist which must be done manually (for now at least).

For more information see the Grubbing Secure Boot the Wrong Way: CVE-2020-10173.
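The denylist referred to above is the UEFI dbx variable, which revokes bootloader binaries by their Authenticode SHA-256 digest. The following is an added example, not code from this assessment or from AttackerKB: it parses dbx in its EFI_SIGNATURE_LIST format and answers whether a given digest is revoked. The efivars path is the standard Linux location for dbx, and the sample digests in the main block are constructed, not real revocation hashes.

```python
import struct
import uuid
from typing import Iterator, Union

# GUID marking SHA-256 hash entries inside an EFI_SIGNATURE_LIST (UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Linux exposes dbx through efivars; the first 4 bytes of the file are the variable attributes.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
LIST_HDR = 16 + 4 + 4 + 4   # SignatureType GUID + ListSize + HeaderSize + SignatureSize
SHA256_SIG = 16 + 32        # SignatureOwner GUID + digest

def iter_sha256_entries(data: bytes) -> Iterator[bytes]:
    """Yield every SHA-256 digest in a chain of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + LIST_HDR <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < LIST_HDR or off + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + LIST_HDR + hdr_size, off + list_size
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == SHA256_SIG:
            while pos + sig_size <= end:
                yield data[pos + 16:pos + sig_size]   # skip the SignatureOwner GUID
                pos += sig_size
        off = end   # lists of other types (x509 certificates etc.) are skipped whole

def is_denylisted(digest: Union[bytes, str], data: bytes) -> bool:
    """True if the Authenticode SHA-256 digest (raw bytes or hex) appears in the dbx data."""
    wanted = bytes.fromhex(digest) if isinstance(digest, str) else digest
    return any(entry == wanted for entry in iter_sha256_entries(data))

def load_dbx(path: str = DBX_EFIVAR) -> bytes:
    """Read dbx from efivars and strip the 4-byte attribute prefix."""
    with open(path, "rb") as fh:
        return fh.read()[4:]

def build_sha256_list(digests: list, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_CERT_SHA256 signature list; used here to construct sample data."""
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HDR + SHA256_SIG * len(digests), 0, SHA256_SIG)
    return header + b"".join(owner.bytes_le + d for d in digests)

if __name__ == "__main__":
    # Constructed sample dbx holding two made-up digests (not real BootHole revocations).
    sample = build_sha256_list([bytes(range(32)), bytes(range(32, 64))])
    print(is_denylisted(bytes(range(32)), sample), is_denylisted(b"\xff" * 32, sample))
```

On a live system, `is_denylisted(digest, load_dbx())` with the digest of the installed shim or grub binary shows whether that binary would be refused by firmware after the dbx update.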

CVSS V3 Severity and Metrics

Base Score: 8.2 High
Impact Score: 6
Exploitability Score: 1.5
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • debian
  • gnu
  • opensuse
  • vmware

Products

  • debian linux 10.0
  • grub2
  • leap 15.1
  • leap 15.2
  • photon os