CVE-2020-15705

Name: CVE-2020-15705
Description: GRUB2 fails to validate the kernel signature when booted directly without shim, allowing Secure Boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the Secure Boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                      Version                 Status
grub2 (PTS)      jessie, jessie (lts)                         2.02~beta2-22+deb8u2    fixed
                 stretch (lts), stretch                       2.02~beta3-5+deb9u3     fixed
                 buster (security), buster, buster (lts)      2.06-3~deb10u4          fixed
                 bullseye (security), bullseye                2.06-3~deb11u6          fixed
                 bookworm (security), bookworm                2.06-13+deb12u1         fixed
                 sid, trixie                                  2.12-5                  fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
grub2     source   (unstable)   (not affected)

Notes

- grub2 <not-affected> (vulnerable code is specific to Ubuntu)
  Debian's grub_linuxefi_secure_validate has a different interface from the one in
  Ubuntu: it returns distinct codes for "shim not available" and "kernel signature
  verification failed". The patch for CVE-2020-15705 is essentially about handling
  those two cases in the same way where they were previously handled differently,
  so this is not a problem for src:grub2 in Debian.
  https://www.openwall.com/lists/oss-security/2020/07/29/3
