CVE-2020-15705

Summary

GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.

Affected Software

VendorProductVersion RangeStatus
Ubuntugrub2 in Ubuntu20.04 LTS < 2.04-1ubuntu26.1affected
Ubuntugrub2 in Ubuntu18.04 LTS < 2.02-2ubuntu8.16affected
Ubuntugrub2 in Ubuntu16.04 LTS < 2.02~beta2-36ubuntu3.26affected
Ubuntugrub2 in Ubuntu14.04 ESM < 2.02~beta2-9ubuntu1.20affected

Weaknesses

  • CWE-347: CWE-347 Improper Verification of Cryptographic Signature

ADP Enrichment

CVE Program Container

Additional References

References