Lenovo Security Advisory: LEN-34794
Potential Impact: Escalation of privilege
Severity: High
Scope of Impact: Industry-wide
CVE Identifier: CVE-2020-10713
Summary Description:
Lenovo is aware of a vulnerability in GRUB2, the open-source bootloader commonly used by Linux distributions, that could allow an attacker with physical or administrator access to bypass Secure Boot enforcement and execute unauthorized code during the boot process. The researchers who reported it refer to this vulnerability as BootHole.
Lenovo client and server products support Secure Boot. A product that boots a vulnerable version of GRUB2 is exposed to BootHole even with Secure Boot enabled, because the firmware still trusts the signed but vulnerable bootloader until that bootloader is revoked.
Mitigation Strategy for Customers (what you should do to protect yourself):
The industry approach to addressing this class of issue is to add the hashes or signing certificates of vulnerable GRUB2 versions to the Secure Boot "deny" database (dbx) so that the firmware refuses to load them when Secure Boot is enabled. However, the industry has identified scenarios where doing so will negatively impact customers and prevent systems from booting, such as when BitLocker is enabled. Lenovo will continue to monitor and provide updated information and fixes, if applicable, as the industry develops a strategy for this issue.
In the interim, Lenovo recommends updating operating systems to non-vulnerable versions of GRUB2, allowing boot only from authorized devices, and configuring a BIOS Administrator/Supervisor Password to prevent unauthorized boot device changes.
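To make concrete what "adding a vulnerable GRUB2 to dbx" means, the following added example (not Lenovo's, GRUB's or any vendor's code) parses a dbx blob in the UEFI EFI_SIGNATURE_LIST format and checks whether an image's digest is revoked. The sample dbx, the two sample "images" and the placeholder owner GUID are constructed here for illustration. Two caveats: real dbx entries revoke the Authenticode (PE image) hash or an X.509 certificate, not the SHA-256 of the raw file as this demo does for simplicity; and on Linux the value read from /sys/firmware/efi/efivars/ carries a 4-byte attribute word in front of the variable data, which the helper strips.

```python
"""Parse a UEFI Secure Boot dbx (forbidden signatures database) blob.

The dbx variable is a sequence of EFI_SIGNATURE_LIST structures.  Each list
carries one SignatureType GUID and N fixed-size EFI_SIGNATURE_DATA entries
(SignatureOwner GUID + SignatureData).  For EFI_CERT_SHA256_GUID the data is
a 32-byte digest; for EFI_CERT_X509_GUID it is a DER certificate.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header, little-endian:
#   SignatureType (16 bytes), SignatureListSize, SignatureHeaderSize, SignatureSize
_SIGLIST_HDR = struct.Struct("<16sIII")


def parse_dbx(blob: bytes):
    """Return a list of (signature_type, owner, data) tuples for every entry."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _SIGLIST_HDR.unpack_from(blob, off)
        if list_size < _SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body = blob[off + _SIGLIST_HDR.size + hdr_size: off + list_size]
        # Every EFI_SIGNATURE_DATA entry is at least the 16-byte owner GUID.
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            sig = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=sig[:16]), sig[16:]))
        off += list_size
    return entries


def build_sha256_list(owner: uuid.UUID, digests) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct sample input)."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + d for d in digests)
    hdr = _SIGLIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                            _SIGLIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


def strip_efivars_attrs(raw: bytes) -> bytes:
    """Data read from /sys/firmware/efi/efivars/dbx-<guid> starts with a 4-byte attributes word."""
    return raw[4:]


def is_revoked(dbx_blob: bytes, image_digest: bytes) -> bool:
    """True if image_digest appears as a SHA-256 entry anywhere in the dbx."""
    return any(t == EFI_CERT_SHA256_GUID and d == image_digest
               for t, _owner, d in parse_dbx(dbx_blob))


# ---- constructed sample data (not real bootloader images or real dbx content) ----
PLACEHOLDER_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000000")  # assumed
REVOKED_IMAGE = b"constructed stand-in for a vulnerable grubx64.efi"
CLEAN_IMAGE = b"constructed stand-in for a fixed grubx64.efi"
SAMPLE_DBX = build_sha256_list(
    PLACEHOLDER_OWNER,
    [hashlib.sha256(REVOKED_IMAGE).digest(),
     hashlib.sha256(b"some other revoked image").digest()],
)


def check_image(image: bytes, dbx: bytes = SAMPLE_DBX) -> bool:
    """Would the firmware refuse this image based on the dbx? (raw-file hash for demo)"""
    return is_revoked(dbx, hashlib.sha256(image).digest())


if __name__ == "__main__":
    print("revoked image blocked:", check_image(REVOKED_IMAGE))
    print("fixed image blocked:  ", check_image(CLEAN_IMAGE))
```

On a live system you would feed `strip_efivars_attrs(open("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f", "rb").read())` into `parse_dbx` to see what has already been revoked; comparing against a real bootloader requires computing its Authenticode hash rather than the raw-file SHA-256 used above.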
For affected Lenovo software and solutions using GRUB2, please refer to the Product Impact section below.
Product Impact:
· Systems utilizing UEFI Secure Boot
· ThinkAgile CP-Spark Hypervisor Guardian
· ThinkAgile CP-Spark Storage Controller Guardian
· LeTOS (Linux)
· Lenovo Rackswitch NE10032
· Lenovo Rackswitch NE2572
· Lenovo Rackswitch NE0152T
References:
Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
Eclypsium Blog: https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
UEFI Forum: https://uefi.org/revocationlistfile
Canonical: https://ubuntu.com/security/notices/USN-4432-1
Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
VMware: https://kb.vmware.com/s/article/80181
Revision History:
Revision | Date | Description
---|---|---
1 | 2020-07-30 | Initial release
For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an "as is" basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.