CVE-2020-10713
CVE-2020-10713 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper with the GRUB verification process. EPSS estimates a 1.07% chance of exploitation in the next 30 days.
Description
A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper with the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system, such as by gaining physical access, obtaining the ability to alter a PXE-boot network, or having remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Metrics
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| GNU | GRUB2 | < 2.06 |
| Debian | Debian Linux | 10.0 |
| openSUSE | Leap | 15.1 |
| openSUSE | Leap | 15.2 |
| VMware | Photon OS | < 2.0 |
References
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/07/29/3 (Mailing List, Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1825243 (Issue Tracking, Third Party Advisory)
- https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ (Technical Description, Third Party Advisory)
- https://kb.vmware.com/s/article/80181 (Third Party Advisory)
- https://security.gentoo.org/glsa/202104-05 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200731-0008/ (Third Party Advisory)
- https://usn.ubuntu.com/4432-1/ (Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4735 (Third Party Advisory)
- https://www.kb.cert.org/vuls/id/174059 (Third Party Advisory, US Government Resource)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
