CVE-2020-15705: GRUB2: avoid loading unsigned kernels when GRUB is booted directly under secureboot without shim
First published: Mon Jul 27 2020(Updated: )
GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.
Credit: security@ubuntu.com security@ubuntu.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/fwupdate | <0:12-6.el7_8 | 0:12-6.el7_8 |
| redhat/grub2 | <1:2.02-0.86.el7_8 | 1:2.02-0.86.el7_8 |
| redhat/shim | <0:15-7.el7_9 | 0:15-7.el7_9 |
| redhat/shim-signed | <0:15-7.el7_8 | 0:15-7.el7_8 |
| redhat/grub2 | <1:2.02-0.86.el7_2 | 1:2.02-0.86.el7_2 |
| redhat/shim | <0:15-8.el7 | 0:15-8.el7 |
| redhat/shim-signed | <0:15-8.el7_2 | 0:15-8.el7_2 |
| redhat/grub2 | <1:2.02-0.86.el7 | 1:2.02-0.86.el7 |
| redhat/shim-signed | <0:15-8.el7_3 | 0:15-8.el7_3 |
| redhat/fwupdate | <0:9-10.el7_4 | 0:9-10.el7_4 |
| redhat/grub2 | <1:2.02-0.86.el7_4 | 1:2.02-0.86.el7_4 |
| redhat/shim-signed | <0:15-8.el7_4 | 0:15-8.el7_4 |
| redhat/fwupdate | <0:12-6.el7_6 | 0:12-6.el7_6 |
| redhat/grub2 | <1:2.02-0.86.el7_6 | 1:2.02-0.86.el7_6 |
| redhat/shim-signed | <0:15-8.el7_6 | 0:15-8.el7_6 |
| redhat/fwupdate | <0:12-6.el7_7 | 0:12-6.el7_7 |
| redhat/grub2 | <1:2.02-0.86.el7_7 | 1:2.02-0.86.el7_7 |
| redhat/shim-signed | <0:15-8.el7_7 | 0:15-8.el7_7 |
| redhat/fwupd | <0:1.1.4-7.el8_2 | 0:1.1.4-7.el8_2 |
| redhat/grub2 | <1:2.02-87.el8_2 | 1:2.02-87.el8_2 |
| redhat/shim | <0:15-14.el8_2 | 0:15-14.el8_2 |
| redhat/shim-unsigned-x64 | <0:15-7.el8 | 0:15-7.el8 |
| redhat/fwupd | <0:1.1.4-2.el8_0 | 0:1.1.4-2.el8_0 |
| redhat/grub2 | <1:2.02-87.el8_0 | 1:2.02-87.el8_0 |
| redhat/shim | <0:15-14.el8_0 | 0:15-14.el8_0 |
| redhat/fwupd | <0:1.1.4-2.el8_1 | 0:1.1.4-2.el8_1 |
| redhat/grub2 | <1:2.02-87.el8_1 | 1:2.02-87.el8_1 |
| redhat/shim | <0:15-14.el8_1 | 0:15-14.el8_1 |
| redhat/grub | <2.06 | 2.06 |
| Gnu Grub2 | <=2.04 | |
| Redhat Enterprise Linux Atomic Host | ||
| Redhat Openshift Container Platform | =4.0 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| Debian Debian Linux | =10.0 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| SUSE SUSE Linux Enterprise Server | =11 | |
| SUSE SUSE Linux Enterprise Server | =12 | |
| SUSE SUSE Linux Enterprise Server | =15 | |
| Microsoft Windows 10 | ||
| Microsoft Windows 10 | =1607 | |
| Microsoft Windows 10 | =1709 | |
| Microsoft Windows 10 | =1803 | |
| Microsoft Windows 10 | =1809 | |
| Microsoft Windows 10 | =1903 | |
| Microsoft Windows 10 | =1909 | |
| Microsoft Windows 10 | =2004 | |
| Microsoft Windows 8.1 | ||
| Microsoft Windows RT 8.1 | ||
| Microsoft Windows Server 2012 | ||
| Microsoft Windows Server 2012 | =r2 | |
| Microsoft Windows Server 2016 | ||
| Microsoft Windows Server 2016 | =1903 | |
| Microsoft Windows Server 2016 | =1909 | |
| Microsoft Windows Server 2016 | =2004 | |
| Microsoft Windows Server 2019 | ||
| debian/grub2 | 2.06-3~deb11u6 2.06-13+deb12u1 2.12-5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-15705 https://nvd.nist.gov/vuln/detail/CVE-2020-15705
- https://bugzilla.redhat.com/show_bug.cgi?id=1860978
- https://access.redhat.com/errata/RHSA-2020:3217
- https://access.redhat.com/errata/RHSA-2020:3273
- https://access.redhat.com/errata/RHSA-2020:3276
- https://access.redhat.com/errata/RHSA-2020:3275
- https://access.redhat.com/errata/RHSA-2020:3271
- https://access.redhat.com/errata/RHSA-2020:3274
- https://access.redhat.com/errata/RHSA-2020:3216
- https://access.redhat.com/errata/RHSA-2020:3227
- https://access.redhat.com/errata/RHSA-2020:3223
- https://access.redhat.com/security/cve/cve-2020-15705
- https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
- https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
- https://www.openwall.com/lists/oss-security/2020/07/29/3
- https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
- http://www.openwall.com/lists/oss-security/2020/07/29/3
- https://access.redhat.com/security/vulnerabilities/grub2bootloader
- https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
- https://www.suse.com/support/kb/doc/?id=000019673
- http://ubuntu.com/security/notices/USN-4432-1
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
- https://security.netapp.com/advisory/ntap-20200731-0008/
- https://usn.ubuntu.com/4432-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html
- http://www.openwall.com/lists/oss-security/2021/03/02/3
- https://security.gentoo.org/glsa/202104-05
- http://www.openwall.com/lists/oss-security/2021/09/17/2
- http://www.openwall.com/lists/oss-security/2021/09/17/4
- http://www.openwall.com/lists/oss-security/2021/09/21/1
- https://launchpad.net/bugs/cve/CVE-2020-15705
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1863021
- https://security-tracker.debian.org/tracker/CVE-2020-15705
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15705
- https://nvd.nist.gov/vuln/detail/CVE-2020-15705
- https://ubuntu.com/security/CVE-2020-15705
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-15705.
What is the severity of CVE-2020-15705?
The severity of CVE-2020-15705 is medium (6.4).
Which systems are affected by this vulnerability?
This vulnerability affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim.
How can this vulnerability be exploited?
This vulnerability allows secure boot to be bypassed by failing to validate kernel signature when booted directly without shim.
Where can I find more information about CVE-2020-15705?
You can find more information about CVE-2020-15705 on the Red Hat website (https://access.redhat.com/security/cve/cve-2020-15705).
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-15705
- agent/software-canonical-lookup
- agent/references
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/event
- agent/tags
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/gnu
- canonical/gnu grub2
- version/gnu grub2/2.04
- vendor/redhat
- canonical/redhat enterprise linux atomic host
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/suse
- canonical/suse suse linux enterprise server
- version/suse suse linux enterprise server/11
- version/suse suse linux enterprise server/12
- version/suse suse linux enterprise server/15
- vendor/microsoft
- canonical/microsoft windows 10
- version/microsoft windows 10/1607
- version/microsoft windows 10/1709
- version/microsoft windows 10/1803
- version/microsoft windows 10/1809
- version/microsoft windows 10/1903
- version/microsoft windows 10/1909
- version/microsoft windows 10/2004
- canonical/microsoft windows 8.1
- canonical/microsoft windows rt 8.1
- canonical/microsoft windows server 2012
- version/microsoft windows server 2012/r2
- canonical/microsoft windows server 2016
- version/microsoft windows server 2016/1903
- version/microsoft windows server 2016/1909
- version/microsoft windows server 2016/2004
- canonical/microsoft windows server 2019
- package-manager/debian