| Name | CVE-2020-15705 |
| Description | GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| grub2 (PTS) | jessie, jessie (lts) | 2.02~beta2-22+deb8u2 | fixed |
| stretch (lts), stretch | 2.02~beta3-5+deb9u3 | fixed |
| buster (security), buster, buster (lts) | 2.06-3~deb10u4 | fixed |
| bullseye (security), bullseye | 2.06-3~deb11u6 | fixed |
| bookworm (security), bookworm | 2.06-13+deb12u1 | fixed |
| sid, trixie | 2.12-5 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| grub2 | source | (unstable) | (not affected) | | | |
Notes
- grub2 <not-affected> (Vulnerable code specific in Ubuntu)
Debian's grub_linuxefi_secure_validate has different interface than the one in
Ubuntu and returns the code from "shim not available" and "kernel signature
verification failed". The patch for CVE-2020-15705 is essentially about handling
those two cases in the same way when they were previously handled differently,
and so not a problem for src:grub2 in Debian.
https://www.openwall.com/lists/oss-security/2020/07/29/3