First published: Fri Oct 09 2020(Updated: )
A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking and assumes the USB device is providing sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/grub | <2.06 | 2.06 |
Gnu Grub2 | <2.06 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux Server Aus | =7.2 | |
Redhat Enterprise Linux Server Aus | =7.3 | |
Redhat Enterprise Linux Server Aus | =7.4 | |
Redhat Enterprise Linux Server Aus | =7.6 | |
Redhat Enterprise Linux Server Aus | =7.7 | |
Redhat Enterprise Linux Server Aus | =8.2 | |
Redhat Enterprise Linux Server Eus | =7.6 | |
Redhat Enterprise Linux Server Eus | =7.7 | |
Redhat Enterprise Linux Server Eus | =8.1 | |
Redhat Enterprise Linux Server Tus | =7.4 | |
Redhat Enterprise Linux Server Tus | =7.6 | |
Redhat Enterprise Linux Server Tus | =7.7 | |
Redhat Enterprise Linux Server Tus | =8.2 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Fedoraproject Fedora | =33 | |
Fedoraproject Fedora | =34 | |
NetApp ONTAP Select Deploy administration utility |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-25647 is a vulnerability found in grub2 versions prior to 2.06 that allows an attacker to trigger memory corruption leading to arbitrary code execution.
CVE-2020-25647 has a severity score of 7.6 (High).
Grub2 versions prior to 2.06, Redhat Enterprise Linux versions 7.0 to 8.0, and Fedora versions 33 and 34 are affected by CVE-2020-25647.
To fix CVE-2020-25647, update your system to grub2 version 2.06 or higher.
You can find more information about CVE-2020-25647 in the references provided: [Reference 1](https://bugzilla.redhat.com/show_bug.cgi?id=1886936), [Reference 2](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZWZ36QK4IKU6MWDWNOOWKPH3WXZBHT2R/), [Reference 3](https://security.gentoo.org/glsa/202104-05).