MS:ADV200011 (Microsoft advisory; history: Jul 29, 2020 - 7:00 a.m.)

Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Published: 2020-07-29 07:00:00
Source: Microsoft (msrc.microsoft.com)
Tags: grub vulnerability, secure boot bypass, administrative privileges, windows update, tpm attestation, defender atp, cve-2020-10713, cve-2020-14308, cve-2020-14309, cve-2020-14310, cve-2020-14311, cve-2020-15705, cve-2020-15706, cve-2020-15707, cve-2020-14372, cve-2020-25632, cve-2020-25647, cve-2020-27749, cve-2020-27779, cve-2021-3418, cve-2021-20225, cve-2021-20233, uefi secure boot, 3rd-party uefi signer, microsoft guidance, security notifications

CVSS2: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Attack Vector: LOCAL; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

CVSS3: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: HIGH; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

EPSS: 0.002 (percentile 62.3%)

Executive Summary

Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow for Secure Boot bypass.

To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks, thereby allowing arbitrary executables and drivers to be loaded onto the target device.

Microsoft is working to complete validation and compatibility testing of a required Windows Update that addresses this vulnerability. If you are an IT professional and would like to address this vulnerability immediately, see the mitigation option on installing an untested update. When the Windows updates become available, customers will be notified via a revision to this advisory. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System.

This vulnerability is detectable via TPM attestation and Defender ATP.

CVEs released for this issue: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707.

Update: March 2, 2021

A new set of similar vulnerabilities has been discovered, documented under: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-3418, CVE-2021-20225, CVE-2021-20233.

Update: August 9, 2022

Microsoft has released standalone security update 5012170 to provide protection against the vulnerabilities described in this advisory. See the FAQ section and KB5012170: Security update for Secure Boot DBX: August 9, 2022 for more information about this update.
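The following PowerShell check is an added example and not part of the Microsoft advisory: it reports whether a Windows host enforces Secure Boot, whether the standalone update KB5012170 named above is recorded as installed, and how many revocation entries its DBX (forbidden signatures database) currently holds. It assumes the standard Confirm-SecureBootUEFI, Get-HotFix and Get-SecureBootUEFI cmdlets, an elevated session on UEFI firmware, and that KB5012170 is listed by Get-HotFix; the DBX is parsed as a sequence of EFI_SIGNATURE_LIST structures.

```powershell
# Added example, not part of the Microsoft advisory. Requires an elevated
# PowerShell session on a UEFI system (Confirm-SecureBootUEFI throws on legacy BIOS).

function Test-SecureBootDbxState {
    [CmdletBinding()]
    param(
        # KB number taken from the advisory (standalone DBX update, August 9, 2022)
        [string]$KbId = 'KB5012170'
    )

    # 1. Is Secure Boot actually enforcing? The cmdlet throws on non-UEFI firmware.
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $secureBoot = $false
    }

    # 2. Is the standalone DBX update recorded as installed? (Assumes Get-HotFix
    #    lists it; if your inventory tooling tracks it elsewhere, check there too.)
    $kbInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # 3. Count DBX entries. The variable is a series of EFI_SIGNATURE_LIST structures:
    #    16-byte SignatureType GUID, then UInt32 SignatureListSize, SignatureHeaderSize,
    #    SignatureSize (28-byte fixed header), an optional header, then the entries.
    $entries = 0
    $bytes = (Get-SecureBootUEFI -Name dbx -ErrorAction SilentlyContinue).Bytes
    $offset = 0
    while ($bytes -and ($offset + 28) -le $bytes.Length) {
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0) { break }   # malformed list: stop parsing
        $entries += [int](($listSize - 28 - $hdrSize) / $sigSize)
        $offset  += [int]$listSize
    }

    [pscustomobject]@{
        SecureBootEnabled  = $secureBoot
        DbxUpdateInstalled = $kbInstalled
        DbxEntries         = $entries          # informational: grows as revocations are applied
        Protected          = ($secureBoot -and $kbInstalled)   # both must hold
    }
}

Test-SecureBootDbxState | Format-List
```

A host that reports Protected = False either does not enforce Secure Boot at all (so the DBX is irrelevant) or has not received the revocation update the advisory describes.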

Background Information

In 2012, Microsoft introduced the Secure Boot feature into the then-new UEFI-based PC ecosystem. UEFI Secure Boot is an anti-rootkit feature that defends the boot process from untrusted code execution. As part of enabling this feature, Microsoft signs boot code both for Windows and for third parties, including Linux distributions. This signed boot code allows Linux systems to take advantage of Secure Boot.

The GRUB vulnerability provides a way to bypass the UEFI Secure Boot security feature for any system that trusts the Microsoft 3rd-party UEFI signer, which includes many PCs.

Mitigations

See the Mitigations section following the Exploitability section.

Recommended Actions

Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

References

CVEs published March 2, 2021:

Affected configurations (Vulners data; versions below the listed build are affected):

- microsoft windows_server_2012 < V1.003 (r2)
- microsoft windows_server_2012 < V1.002
- microsoft windows_rt_8.1 < V1.003
- microsoft windows_8.1 < V1.003 (x64)
- microsoft windows_8.1 < V1.003
- microsoft windows_server_2016 < 10.0.14393.5285
- microsoft windows_10_1607 < 10.0.14393.5285 (x64)
- microsoft windows_10_1607 < 10.0.14393.5285
- microsoft windows_10 < 1.002 (x64)
- microsoft windows_10 < 1.002
- microsoft windows_11_21h2 < 10.0.22000.852 (arm64)
- microsoft windows_11_21h2 < 10.0.22000.852 (x64)
- microsoft windows_server_20h2 < 10.0.19042.1880
- microsoft windows_10_20h2 < 10.0.19042.1880 (arm64)
- microsoft windows_10_20h2 < 10.0.19042.1880
- microsoft windows_10_20h2 < 10.0.19042.1880 (x64)
- microsoft windows_server_2022 < 10.0.20348.881
- microsoft windows_10_21h1 < 10.0.19043.1880
- microsoft windows_10_21h1 < 10.0.19043.1880 (arm64)
- microsoft windows_10_21h1 < 10.0.19043.1880 (x64)
- microsoft windows_server_2019 < 10.0.17763.3284
- microsoft windows_10_1809 < 10.0.17763.3284 (arm64)
- microsoft windows_10_1809 < 10.0.17763.3284 (x64)
- microsoft windows_10_1809 < 10.0.17763.3284
