CVE-2020-15705 : GRUB2 fails to validate kernel signature when booted directly without shim, allo

GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.

Published 2020-07-29 18:15:14

Updated 2022-04-18 15:22:21

Source Canonical Ltd.

View at NVD, CVE.org

Products affected by CVE-2020-15705

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 4.0
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Atomic Host » Version: N/A
cpe:2.3:a:redhat:enterprise_linux_atomic_host:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2012 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2012 » Version: R2
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 8.1 » Version: N/A
cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Rt 8.1 » Version: N/A
cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: N/A
cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1607
cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1709
cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1803
cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1809
cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1903
cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1909
cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 2004
cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: 1903
cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: 1909
cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: 2004
cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2019 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
Matching versions
Suse » Suse Linux Enterprise Server » Version: 12
cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*
Matching versions
Suse » Suse Linux Enterprise Server » Version: 11
cpe:2.3:o:suse:suse_linux_enterprise_server:11:*:*:*:*:*:*:*
Matching versions
Suse » Suse Linux Enterprise Server » Version: 15
cpe:2.3:o:suse:suse_linux_enterprise_server:15:*:*:*:*:*:*:*
Matching versions
GNU » Grub2
Versions up to, including, (<=) 2.04
cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 20.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.2
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2020-15705

Top countries where our scanners detected CVE-2020-15705

Top open port discovered on systems with this issue 53

IPs affected by CVE-2020-15705 705,828

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2020-15705!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2020-15705

EPSS FAQ

0.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 3 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-15705

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.4	MEDIUM	AV:L/AC:M/Au:N/C:P/I:P/A:P	3.4	6.4	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.4	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	0.5	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.4	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	0.5	5.9	Canonical Ltd.
Attack Vector: Local Attack Complexity: High Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-15705

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Assigned by:
- nvd@nist.gov (Primary)
- security@ubuntu.com (Secondary)

References for CVE-2020-15705

https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot

Debian -- GRUB2 UEFI SecureBoot vulnerability - 'BootHole'
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/09/17/4

oss-security - Re: Containers-optimized OS (COS) membership in the linux-distros list
Mailing List;Third Party Advisory

CVEs referencing this url
http://ubuntu.com/security/notices/USN-4432-1

USN-4432-1: GRUB 2 vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/

SUSE addresses BootHole security exposure - SUSE Communities
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/09/21/1

oss-security - Re: Containers-optimized OS (COS) membership in the linux-distros list
Mailing List;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2020/07/29/3

oss-security - multiple secure boot grub2 and linux kernel vulnerabilities
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/security/vulnerabilities/grub2bootloader

Boot Hole Vulnerability - GRUB 2 boot loader - CVE-2020-10713 - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2021/03/02/3

oss-security - Multiple GRUB2 vulnerabilities
Mailing List;Third Party Advisory
https://security.gentoo.org/glsa/202104-05

GRUB: Multiple vulnerabilities (GLSA 202104-05) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass - Ubuntu Wiki
Third Party Advisory

CVEs referencing this url
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html

[SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole
Issue Tracking;Vendor Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html

[security-announce] openSUSE-SU-2020:1282-1: important: Security update
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/17/2

oss-security - Containers-optimized OS (COS) membership in the linux-distros list
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20200731-0008/

July 2020 Grub2 Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://www.suse.com/support/kb/doc/?id=000019673

Security Vulnerability: "Boothole" grub2 UEFI secure boot lockdown bypass | Support | SUSE
Third Party Advisory

CVEs referencing this url
https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

There’s a Hole in the Boot - Eclypsium
Third Party Advisory

CVEs referencing this url
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011

ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB
Patch;Third Party Advisory;Vendor Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00067.html

[security-announce] openSUSE-SU-2020:1280-1: important: Security update
Mailing List;Third Party Advisory
https://usn.ubuntu.com/4432-1/

USN-4432-1: GRUB 2 vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://www.openwall.com/lists/oss-security/2020/07/29/3

oss-security - multiple secure boot grub2 and linux kernel vulnerabilities
Mailing List;Third Party Advisory

CVEs referencing this url