CVE-2020-14310 - Vulnerability Details

There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Gnu	Grub2
Opensuse	Leap
Redhat	Enterprise Linux Enterprise Linux Eus Enterprise Linux Server Aus Enterprise Linux Server Tus Rhel Aus Rhel E4s Rhel Eus Rhel Tus

Configuration 1 [-]

cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
fwupdate-0:12-6.el7_8	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:3217	2020-07-29T00:00:00Z
grub2-1:2.02-0.86.el7_8	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:3217	2020-07-29T00:00:00Z
shim-0:15-7.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:3217	2020-07-29T00:00:00Z
shim-signed-0:15-7.el7_8	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:3217	2020-07-29T00:00:00Z
Red Hat Enterprise Linux 7.2 Advanced Update Support
grub2-1:2.02-0.86.el7_2	cpe:/o:redhat:rhel_aus:7.2	RHSA-2020:3273	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_aus:7.2	RHSA-2020:3273	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_2	cpe:/o:redhat:rhel_aus:7.2	RHSA-2020:3273	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 7.3 Advanced Update Support
grub2-1:2.02-0.86.el7	cpe:/o:redhat:rhel_aus:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_aus:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_3	cpe:/o:redhat:rhel_aus:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 7.3 Telco Extended Update Support
grub2-1:2.02-0.86.el7	cpe:/o:redhat:rhel_tus:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_tus:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_3	cpe:/o:redhat:rhel_tus:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
grub2-1:2.02-0.86.el7	cpe:/o:redhat:rhel_e4s:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_e4s:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_3	cpe:/o:redhat:rhel_e4s:7.3	RHSA-2020:3276	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 7.4 Advanced Update Support
fwupdate-0:9-10.el7_4	cpe:/o:redhat:rhel_aus:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
grub2-1:2.02-0.86.el7_4	cpe:/o:redhat:rhel_aus:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_aus:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_4	cpe:/o:redhat:rhel_aus:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 7.4 Telco Extended Update Support
fwupdate-0:9-10.el7_4	cpe:/o:redhat:rhel_tus:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
grub2-1:2.02-0.86.el7_4	cpe:/o:redhat:rhel_tus:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_tus:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_4	cpe:/o:redhat:rhel_tus:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
fwupdate-0:9-10.el7_4	cpe:/o:redhat:rhel_e4s:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
grub2-1:2.02-0.86.el7_4	cpe:/o:redhat:rhel_e4s:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_e4s:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_4	cpe:/o:redhat:rhel_e4s:7.4	RHSA-2020:3275	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 7.6 Extended Update Support
fwupdate-0:12-6.el7_6	cpe:/o:redhat:rhel_eus:7.6	RHSA-2020:3271	2020-08-03T00:00:00Z
grub2-1:2.02-0.86.el7_6	cpe:/o:redhat:rhel_eus:7.6	RHSA-2020:3271	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_eus:7.6	RHSA-2020:3271	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_6	cpe:/o:redhat:rhel_eus:7.6	RHSA-2020:3271	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 7.7 Extended Update Support
fwupdate-0:12-6.el7_7	cpe:/o:redhat:rhel_eus:7.7	RHSA-2020:3274	2020-08-03T00:00:00Z
grub2-1:2.02-0.86.el7_7	cpe:/o:redhat:rhel_eus:7.7	RHSA-2020:3274	2020-08-03T00:00:00Z
shim-0:15-8.el7	cpe:/o:redhat:rhel_eus:7.7	RHSA-2020:3274	2020-08-03T00:00:00Z
shim-signed-0:15-8.el7_7	cpe:/o:redhat:rhel_eus:7.7	RHSA-2020:3274	2020-08-03T00:00:00Z
Red Hat Enterprise Linux 8
fwupd-0:1.1.4-7.el8_2	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:3216	2020-07-29T00:00:00Z
grub2-1:2.02-87.el8_2	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:3216	2020-07-29T00:00:00Z
shim-0:15-14.el8_2	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:3216	2020-07-29T00:00:00Z
shim-unsigned-x64-0:15-7.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:3216	2020-07-29T00:00:00Z
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
fwupd-0:1.1.4-2.el8_0	cpe:/o:redhat:rhel_e4s:8.0	RHSA-2020:3227	2020-07-29T00:00:00Z
grub2-1:2.02-87.el8_0	cpe:/o:redhat:rhel_e4s:8.0	RHSA-2020:3227	2020-07-29T00:00:00Z
shim-0:15-14.el8_0	cpe:/o:redhat:rhel_e4s:8.0	RHSA-2020:3227	2020-07-29T00:00:00Z
Red Hat Enterprise Linux 8.1 Extended Update Support
fwupd-0:1.1.4-2.el8_1	cpe:/o:redhat:rhel_eus:8.1	RHSA-2020:3223	2020-07-29T00:00:00Z
grub2-1:2.02-87.el8_1	cpe:/o:redhat:rhel_eus:8.1	RHSA-2020:3223	2020-07-29T00:00:00Z
shim-0:15-14.el8_1	cpe:/o:redhat:rhel_eus:8.1	RHSA-2020:3223	2020-07-29T00:00:00Z
shim-unsigned-x64-0:15-7.el8	cpe:/o:redhat:rhel_eus:8.1	RHSA-2020:3223	2020-07-29T00:00:00Z

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310
https://nvd.nist.gov/vuln/detail/CVE-2020-14310
https://security.gentoo.org/glsa/202104-05
https://usn.ubuntu.com/4432-1/
https://www.cve.org/CVERecord?id=CVE-2020-14310

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-07-31T20:55:55

Updated: 2024-08-04T12:39:36.404Z

Reserved: 2020-06-17T00:00:00

Link: CVE-2020-14310

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-07-31T22:15:11.500

Modified: 2024-11-21T05:02:58.777

Link: CVE-2020-14310

Redhat

Severity : Moderate

Publid Date: 2020-07-29T17:00:00Z

Links: CVE-2020-14310 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "grub2", "vendor": "The Grub2 Project", "versions": [{"status": "affected", "version": "2.06"}]}], "descriptions": [{"lang": "en", "value": "There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-122", "description": "CWE-122", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-01T01:08:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310"}, {"name": "USN-4432-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4432-1/"}, {"name": "openSUSE-SU-2020:1169", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html"}, {"name": "openSUSE-SU-2020:1168", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html"}, {"name": "GLSA-202104-05", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202104-05"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14310", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "grub2", "version": {"version_data": [{"version_value": "2.06"}]}}]}, "vendor_name": "The Grub2 Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow."}]}, "impact": {"cvss": [[{"vectorString": "5.7/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-190"}]}, {"description": [{"lang": "eng", "value": "CWE-122"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310"}, {"name": "USN-4432-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4432-1/"}, {"name": "openSUSE-SU-2020:1169", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html"}, {"name": "openSUSE-SU-2020:1168", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html"}, {"name": "GLSA-202104-05", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202104-05"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.404Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310"}, {"name": "USN-4432-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4432-1/"}, {"name": "openSUSE-SU-2020:1169", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html"}, {"name": "openSUSE-SU-2020:1168", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html"}, {"name": "GLSA-202104-05", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202104-05"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14310", "datePublished": "2020-07-31T20:55:55", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:39:36.404Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*", "matchCriteriaId": "01F8D62F-70BB-4718-A095-D68540C17EEA", "versionEndExcluding": "2.06", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "831F0F47-3565-4763-B16F-C87B1FF2035E", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "6897676D-53F9-45B3-B27F-7FF9A4C58D33", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "B09ACF2D-D83F-4A86-8185-9569605D8EE1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow."}, {"lang": "es", "value": "Se presenta un problema en grub2 versiones anteriores a 2.06, en la funci\u00f3n read_section_as_string(). Se espera que el nombre de la fuente sea una longitud m\u00e1xima UINT32_MAX - 1 en bytes, pero no lo verifica antes de proceder con la asignaci\u00f3n del b\u00fafer para leer el valor desde el valor de la fuente. Un atacante puede aprovechar esto mediante el dise\u00f1o de un archivo de fuente malicioso que tenga un nombre con UINT32_MAX, conduciendo a la funci\u00f3n read_section_as_string () a un desbordamiento aritm\u00e9tico, asignaci\u00f3n de tama\u00f1o cero y un nuevo desbordamiento de b\u00fafer en la regi\u00f3n heap de la memoria"}], "id": "CVE-2020-14310", "lastModified": "2024-11-21T05:02:58.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-31T22:15:11.500", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-05"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4432-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202104-05"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4432-1/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-190"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Chris Coulson (Ubuntu Security Team) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:3217", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "fwupdate-0:12-6.el7_8", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3217", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "grub2-1:2.02-0.86.el7_8", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3217", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "shim-0:15-7.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3217", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "shim-signed-0:15-7.el7_8", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3273", "cpe": "cpe:/o:redhat:rhel_aus:7.2", "package": "grub2-1:2.02-0.86.el7_2", "product_name": "Red Hat Enterprise Linux 7.2 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3273", "cpe": "cpe:/o:redhat:rhel_aus:7.2", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.2 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3273", "cpe": "cpe:/o:redhat:rhel_aus:7.2", "package": "shim-signed-0:15-8.el7_2", "product_name": "Red Hat Enterprise Linux 7.2 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_aus:7.3", "package": "grub2-1:2.02-0.86.el7", "product_name": "Red Hat Enterprise Linux 7.3 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_aus:7.3", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.3 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_aus:7.3", "package": "shim-signed-0:15-8.el7_3", "product_name": "Red Hat Enterprise Linux 7.3 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_tus:7.3", "package": "grub2-1:2.02-0.86.el7", "product_name": "Red Hat Enterprise Linux 7.3 Telco Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_tus:7.3", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.3 Telco Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_tus:7.3", "package": "shim-signed-0:15-8.el7_3", "product_name": "Red Hat Enterprise Linux 7.3 Telco Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_e4s:7.3", "package": "grub2-1:2.02-0.86.el7", "product_name": "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_e4s:7.3", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3276", "cpe": "cpe:/o:redhat:rhel_e4s:7.3", "package": "shim-signed-0:15-8.el7_3", "product_name": "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "fwupdate-0:9-10.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "grub2-1:2.02-0.86.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "shim-signed-0:15-8.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "fwupdate-0:9-10.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "grub2-1:2.02-0.86.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "shim-signed-0:15-8.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "fwupdate-0:9-10.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "grub2-1:2.02-0.86.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3275", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "shim-signed-0:15-8.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3271", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "fwupdate-0:12-6.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3271", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "grub2-1:2.02-0.86.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3271", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3271", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "shim-signed-0:15-8.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3274", "cpe": "cpe:/o:redhat:rhel_eus:7.7", "package": "fwupdate-0:12-6.el7_7", "product_name": "Red Hat Enterprise Linux 7.7 Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3274", "cpe": "cpe:/o:redhat:rhel_eus:7.7", "package": "grub2-1:2.02-0.86.el7_7", "product_name": "Red Hat Enterprise Linux 7.7 Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3274", "cpe": "cpe:/o:redhat:rhel_eus:7.7", "package": "shim-0:15-8.el7", "product_name": "Red Hat Enterprise Linux 7.7 Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3274", "cpe": "cpe:/o:redhat:rhel_eus:7.7", "package": "shim-signed-0:15-8.el7_7", "product_name": "Red Hat Enterprise Linux 7.7 Extended Update Support", "release_date": "2020-08-03T00:00:00Z"}, {"advisory": "RHSA-2020:3216", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "fwupd-0:1.1.4-7.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3216", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "grub2-1:2.02-87.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3216", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "shim-0:15-14.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3216", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "shim-unsigned-x64-0:15-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3227", "cpe": "cpe:/o:redhat:rhel_e4s:8.0", "package": "fwupd-0:1.1.4-2.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3227", "cpe": "cpe:/o:redhat:rhel_e4s:8.0", "package": "grub2-1:2.02-87.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3227", "cpe": "cpe:/o:redhat:rhel_e4s:8.0", "package": "shim-0:15-14.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3223", "cpe": "cpe:/o:redhat:rhel_eus:8.1", "package": "fwupd-0:1.1.4-2.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3223", "cpe": "cpe:/o:redhat:rhel_eus:8.1", "package": "grub2-1:2.02-87.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3223", "cpe": "cpe:/o:redhat:rhel_eus:8.1", "package": "shim-0:15-14.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2020:3223", "cpe": "cpe:/o:redhat:rhel_eus:8.1", "package": "shim-unsigned-x64-0:15-7.el8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-07-29T00:00:00Z"}], "bugzilla": {"description": "grub2: Integer overflow read_section_as_string may lead to heap-based buffer overflow", "id": "1852030", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1852030"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-190->CWE-122", "details": ["There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.", "A flaw was found in grub2. An expected font value is not verified before proceeding with buffer allocations allowing an attacker to use a malicious font file to create an arithmetic overflow, zero-sized allocation, and further heap-based buffer overflow. The highest threat from this vulnerability is to data integrity and system availability."], "name": "CVE-2020-14310", "public_date": "2020-07-29T17:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14310\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14310"], "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object