Vulnerabilities > CVE-2015-8370 - Permissions, Privileges, and Access Controls vulnerability in multiple products

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

gnu

fedoraproject

CWE-264

nessus

NVD

Published: 2015-12-16

Updated: 2024-01-16

Summary

Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.

Vulnerable Configurations

Part	Description	Count
Application	Gnu GNU Grub2 2.02 GNU Grub2 2.01 GNU Grub2 2.00 GNU Grub2 1.99 GNU Grub2 1.98	5
OS	Fedoraproject Fedoraproject Fedora 23	1

Common Weakness Enumeration (CWE)

CWE-264 - Permissions, Privileges, and Access Controls

Common Attack Pattern Enumeration and Classification (CAPEC)

Accessing, Modifying or Executing Executable Files
An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Blue Boxing
This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
Restful Privilege Elevation
Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2016-0012_GRUB2.NASL
description	An update of the grub2 package has been released.
last seen	2020-03-17
modified	2019-02-07
plugin id	121648
published	2019-02-07
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121648
title	Photon OS 1.0: Grub2 PHSA-2016-0012
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2016-0012. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(121648); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2019/02/07"); script_cve_id("CVE-2015-8370"); script_name(english:"Photon OS 1.0: Grub2 PHSA-2016-0012"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the grub2 package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-12.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9555"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/06"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:grub2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) \|\| release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux\|OS) 1\.0(\D\|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-1.0", reference:"grub2-2.02-5.ph1")) flag++; if (rpm_check(release:"PhotonOS-1.0", reference:"grub2-efi-2.02-3.ph1")) flag++; if (rpm_check(release:"PhotonOS-1.0", reference:"grub2-efi-lang-2.02-3.ph1")) flag++; if (rpm_check(release:"PhotonOS-1.0", reference:"grub2-lang-2.02-5.ph1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "grub2"); }

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2016-0012.NASL
description	An update of [ linux , wget , vim , grub2 , zookeeper , nginx , dnsmasq , haproxy ] packages for PhotonOS has been released.
last seen	2019-02-21
modified	2019-02-07
plugin id	111846
published	2018-08-17
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=111846
title	Photon OS 1.0: Dnsmasq / Grub2 / Haproxy / Linux / Nginx / Vim / Wget / Zookeeper PHSA-2016-0012 (deprecated)
code	# # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2/7/2019 # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2016-0012. The text # itself is copyright (C) VMware, Inc. include("compat.inc"); if (description) { script_id(111846); script_version("1.3"); script_cvs_date("Date: 2019/04/05 23:25:07"); script_cve_id( "CVE-2015-8370", "CVE-2015-8899", "CVE-2016-1248", "CVE-2016-4450", "CVE-2016-5017", "CVE-2016-5360", "CVE-2016-7098", "CVE-2016-9083", "CVE-2016-9555" ); script_name(english:"Photon OS 1.0: Dnsmasq / Grub2 / Haproxy / Linux / Nginx / Vim / Wget / Zookeeper PHSA-2016-0012 (deprecated)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "This plugin has been deprecated."); script_set_attribute(attribute:"description", value: "An update of [ linux , wget , vim , grub2 , zookeeper , nginx , dnsmasq , haproxy ] packages for PhotonOS has been released."); # https://github.com/vmware/photon/wiki/Security-Updates-12 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b465880d"); script_set_attribute(attribute:"solution", value:"n/a."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9555"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:dnsmasq"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:grub2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:nginx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:vim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:wget"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zookeeper"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } exit(0, "This plugin has been deprecated."); include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) \|\| release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux\|OS) 1\.0(\D\|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; pkgs = [ "dnsmasq-2.76-1.ph1", "dnsmasq-debuginfo-2.76-1.ph1", "grub2-2.02-5.ph1", "grub2-efi-2.02-3.ph1", "grub2-efi-lang-2.02-3.ph1", "grub2-lang-2.02-5.ph1", "haproxy-1.6.10-1.ph1", "haproxy-debuginfo-1.6.10-1.ph1", "haproxy-doc-1.6.10-1.ph1", "linux-4.4.35-1.ph1", "linux-api-headers-4.4.35-1.ph1", "linux-debuginfo-4.4.35-1.ph1", "linux-dev-4.4.35-1.ph1", "linux-docs-4.4.35-1.ph1", "linux-drivers-gpu-4.4.35-1.ph1", "linux-esx-4.4.35-1.ph1", "linux-esx-debuginfo-4.4.35-1.ph1", "linux-esx-devel-4.4.35-1.ph1", "linux-esx-docs-4.4.35-1.ph1", "linux-oprofile-4.4.35-1.ph1", "linux-sound-4.4.35-1.ph1", "linux-tools-4.4.35-1.ph1", "linux-tools-debuginfo-4.4.35-1.ph1", "nginx-1.10.0-4.ph1", "nginx-debuginfo-1.10.0-4.ph1", "vim-7.4-6.ph1", "vim-extra-7.4-6.ph1", "wget-1.18-1.ph1", "wget-debuginfo-1.18-1.ph1", "zookeeper-3.4.9-1.ph1" ]; foreach (pkg in pkgs) if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dnsmasq / grub2 / haproxy / linux / nginx / vim / wget / zookeeper"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2015-2385-1.NASL
description	This update for grub2 provides the following fixes : A security issues with a bufferoverflow when reading username and password was fixed (bsc#956631, CVE-2015-8370) Also following bugs were fixed : - Fix buffer overflows when reading username and password. (bsc#956631, CVE-2015-8370) - Expand list of grub.cfg search path in PV Xen guests for systems installed on btrfs snapshots. (bsc#946148, bsc#952539) - Add grub.xen config searching path on boot partition. (bsc#884828) - Add linux16 and initrd16 to grub.xen. (bsc#884830) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	87668
published	2015-12-30
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87668
title	SUSE SLED11 / SLES11 Security Update : grub2 (SUSE-SU-2015:2385-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2015:2385-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(87668); script_version("2.6"); script_cvs_date("Date: 2019/09/11 11:22:12"); script_cve_id("CVE-2015-8370"); script_name(english:"SUSE SLED11 / SLES11 Security Update : grub2 (SUSE-SU-2015:2385-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for grub2 provides the following fixes : A security issues with a bufferoverflow when reading username and password was fixed (bsc#956631, CVE-2015-8370) Also following bugs were fixed : - Fix buffer overflows when reading username and password. (bsc#956631, CVE-2015-8370) - Expand list of grub.cfg search path in PV Xen guests for systems installed on btrfs snapshots. (bsc#946148, bsc#952539) - Add grub.xen config searching path on boot partition. (bsc#884828) - Add linux16 and initrd16 to grub.xen. (bsc#884830) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=884828" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=884830" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=946148" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=952539" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=954592" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=956631" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8370/" ); # https://www.suse.com/support/update/announcement/2015/suse-su-20152385-1.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?befd91fa" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 11-SP4 : zypper in -t patch slessp4-grub2-12288=1 SUSE Linux Enterprise Desktop 11-SP4 : zypper in -t patch sledsp4-grub2-12288=1 SUSE Linux Enterprise Debuginfo 11-SP4 : zypper in -t patch dbgsp4-grub2-12288=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:grub2-x86_64-efi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:grub2-x86_64-xen"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/16"); script_set_attribute(attribute:"patch_publication_date", value:"2015/12/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED11\|SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED11 / SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp); if (os_ver == "SLED11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLED11 SP4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"grub2-x86_64-efi-2.00-0.54.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"grub2-x86_64-xen-2.00-0.54.2")) flag++; if (rpm_check(release:"SLED11", sp:"4", cpu:"x86_64", reference:"grub2-x86_64-efi-2.00-0.54.2")) flag++; if (rpm_check(release:"SLED11", sp:"4", cpu:"x86_64", reference:"grub2-x86_64-xen-2.00-0.54.2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "grub2"); }

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2015-351-01.NASL
description	New grub packages are available for Slackware 14.1 and -current to fix a security issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	87477
published	2015-12-18
reporter	This script is Copyright (C) 2015 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/87477
title	Slackware 14.1 / current : grub (SSA:2015-351-01)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-368.NASL
description	Hector Marco-Gisbert, from the Universitat Politècnica de València Cybersecurity Team, reported a buffer overflow in grub2 when checking password during bootup. For Debian 6
last seen	2020-03-17
modified	2015-12-14
plugin id	87330
published	2015-12-14
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/87330
title	Debian DLA-368-1 : grub2 security update

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-10.NASL
description	- Fix buffer overflows when reading username and password. (bsc#956631, CVE-2015-8370) - Check MS-DOS header to find PE file header. (bsc#954126) - Use dirname for copying Xen kernel and initrd to esp. (bsc#955493) - Fix reading password by grub2-mkpasswd-pbdk2 without controlling tty. (bsc#954519) - Add luks, gcry_rijndael and gcry_sha1 to signed EFI image to support LUKS partition in default setup. (bsc#917427, bsc#955609) - Expand list of grub.cfg search path in PV Xen guests for systems installed on btrfs snapshots. (bsc#946148, bsc#952539) This update was imported from the SUSE:SLE-12-SP1:Update update project.
last seen	2020-06-05
modified	2016-01-07
plugin id	87772
published	2016-01-07
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/87772
title	openSUSE Security Update : grub2 (openSUSE-2016-10)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-2836-1.NASL
description	Hector Marco and Ismael Ripoll discovered that GRUB incorrectly handled the backspace key when configured to use authentication. A local attacker could use this issue to bypass GRUB password protection. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	87408
published	2015-12-16
reporter	Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87408
title	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : grub2 vulnerability (USN-2836-1)

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL25901386.NASL
description	Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an
last seen	2020-06-01
modified	2020-06-02
plugin id	87904
published	2016-01-14
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87904
title	F5 Networks BIG-IP : GRUB2 vulnerability (SOL25901386)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2015-2399-1.NASL
description	This update for grub2 provides the following fixes and enhancements : Security issue fixed : - Fix buffer overflows when reading username and password. (bsc#956631, CVE-2015-8370) Non security issues fixed : - Expand list of grub.cfg search path in PV Xen guests for systems installed on btrfs snapshots. (bsc#946148, bsc#952539) - Add --image switch to force zipl update to specific kernel. (bsc#928131) - Do not use shim lock protocol for reading PE header as it won
last seen	2020-06-01
modified	2020-06-02
plugin id	87722
published	2016-01-04
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87722
title	SUSE SLED12 / SLES12 Security Update : grub2 (SUSE-SU-2015:2399-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2015-2387-1.NASL
description	- Fix buffer overflows when reading username and password. (bsc#956631, CVE-2015-8370) - Check MS-DOS header to find PE file header. (bsc#954126) - Use dirname for copying Xen kernel and initrd to esp. (bsc#955493) - Fix reading password by grub2-mkpasswd-pbdk2 without controlling tty. (bsc#954519) - Add luks, gcry_rijndael and gcry_sha1 to signed EFI image to support LUKS partition in default setup. (bsc#917427, bsc#955609) - Expand list of grub.cfg search path in PV Xen guests for systems installed on btrfs snapshots. (bsc#946148, bsc#952539) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	87670
published	2015-12-30
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87670
title	SUSE SLED12 / SLES12 Security Update : grub2 (SUSE-SU-2015:2387-1)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-3421.NASL
description	Hector Marco and Ismael Ripoll, from Cybersecurity UPV Research Group, found an integer underflow vulnerability in Grub2, a popular bootloader. A local attacker can bypass the Grub2 authentication by inserting a crafted input as username or password. More information: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html CVE-2015-8370
last seen	2020-06-01
modified	2020-06-02
plugin id	87428
published	2015-12-17
reporter	This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87428
title	Debian DSA-3421-1 : grub2 - security update

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201512-03.NASL
description	The remote host is affected by the vulnerability described in GLSA-201512-03 (GRUB: Authentication bypass) An integer underflow in GRUB’s username/password authentication code has been discovered. Impact : An attacker with access to the system console may bypass the username prompt by entering a sequence of backspace characters, allowing them e.g. to get full access to GRUB’s console or to load a customized kernel. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	87516
published	2015-12-21
reporter	This script is Copyright (C) 2015 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/87516
title	GLSA-201512-03 : GRUB: Authentication bypass

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20151215_GRUB2_ON_SL7_X.NASL
description	A flaw was found in the way the grub2 handled backspace characters entered in username and password prompts. An attacker with access to the system console could use this flaw to bypass grub2 password protection and gain administrative access to the system. (CVE-2015-8370) This update also fixes the following bug : - When upgrading from Scientific Linux 7.1 and earlier, a configured boot password was not correctly migrated to the newly introduced user.cfg configuration files. This could possibly prevent system administrators from changing grub2 configuration during system boot even if they provided the correct password. This update corrects the password migration script and the incorrectly generated user.cfg file.
last seen	2020-03-18
modified	2015-12-22
plugin id	87586
published	2015-12-22
reporter	This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87586
title	Scientific Linux Security Update : grub2 on SL7.x x86_64 (20151215)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2015-2623.NASL
description	Updated grub2 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. [Updated 27 January 2016] This advisory has been updated to document additional steps that need to be performed on BIOS-based systems after installing this update. No changes were made to the packages included in the advisory. The grub2 packages provide version 2 of the Grand Unified Bootloader (GRUB), a highly configurable and customizable bootloader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. A flaw was found in the way the grub2 handled backspace characters entered in username and password prompts. An attacker with access to the system console could use this flaw to bypass grub2 password protection and gain administrative access to the system. (CVE-2015-8370) This update also fixes the following bug : * When upgrading from Red Hat Enterprise Linux 7.1 and earlier, a configured boot password was not correctly migrated to the newly introduced user.cfg configuration files. This could possibly prevent system administrators from changing grub2 configuration during system boot even if they provided the correct password. This update corrects the password migration script and the incorrectly generated user.cfg file. (BZ#1290089) All grub2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For this update to take effect on BIOS-based machines, grub2 needs to be reinstalled as documented in the
last seen	2020-06-01
modified	2020-06-02
plugin id	87397
published	2015-12-16
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87397
title	RHEL 7 : grub2 (RHSA-2015:2623)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2015-2623.NASL
description	From Red Hat Security Advisory 2015:2623 : Updated grub2 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. [Updated 27 January 2016] This advisory has been updated to document additional steps that need to be performed on BIOS-based systems after installing this update. No changes were made to the packages included in the advisory. The grub2 packages provide version 2 of the Grand Unified Bootloader (GRUB), a highly configurable and customizable bootloader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. A flaw was found in the way the grub2 handled backspace characters entered in username and password prompts. An attacker with access to the system console could use this flaw to bypass grub2 password protection and gain administrative access to the system. (CVE-2015-8370) This update also fixes the following bug : * When upgrading from Red Hat Enterprise Linux 7.1 and earlier, a configured boot password was not correctly migrated to the newly introduced user.cfg configuration files. This could possibly prevent system administrators from changing grub2 configuration during system boot even if they provided the correct password. This update corrects the password migration script and the incorrectly generated user.cfg file. (BZ#1290089) All grub2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For this update to take effect on BIOS-based machines, grub2 needs to be reinstalled as documented in the
last seen	2020-06-01
modified	2020-06-02
plugin id	87395
published	2015-12-16
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87395
title	Oracle Linux 7 : grub2 (ELSA-2015-2623)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-CEBE5133E7.NASL
description	Fixes CVE-2015-8370. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2016-03-04
plugin id	89415
published	2016-03-04
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/89415
title	Fedora 23 : grub2-2.02-0.25.fc23 (2015-cebe5133e7)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2015-2623.NASL
description	Updated grub2 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. [Updated 27 January 2016] This advisory has been updated to document additional steps that need to be performed on BIOS-based systems after installing this update. No changes were made to the packages included in the advisory. The grub2 packages provide version 2 of the Grand Unified Bootloader (GRUB), a highly configurable and customizable bootloader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. A flaw was found in the way the grub2 handled backspace characters entered in username and password prompts. An attacker with access to the system console could use this flaw to bypass grub2 password protection and gain administrative access to the system. (CVE-2015-8370) This update also fixes the following bug : * When upgrading from Red Hat Enterprise Linux 7.1 and earlier, a configured boot password was not correctly migrated to the newly introduced user.cfg configuration files. This could possibly prevent system administrators from changing grub2 configuration during system boot even if they provided the correct password. This update corrects the password migration script and the incorrectly generated user.cfg file. (BZ#1290089) All grub2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For this update to take effect on BIOS-based machines, grub2 needs to be reinstalled as documented in the
last seen	2020-06-01
modified	2020-06-02
plugin id	87422
published	2015-12-17
reporter	This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87422
title	CentOS 7 : grub2 (CESA-2015:2623)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2015-957.NASL
description	This update for grub2 fixes the following issue : Changes in grub2 : - CVE-2015-8370: Fix for overflow in grub_password_get and grub_user_get functions (bnc#956631)
last seen	2020-06-05
modified	2015-12-29
plugin id	87630
published	2015-12-29
reporter	This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/87630
title	openSUSE Security Update : grub2 (openSUSE-2015-957)

NASL family	Solaris Local Security Checks
NASL id	SOLARIS_JAN2016_SRU11_3_4_5_0.NASL
description	This Solaris system is missing necessary patches to address critical security updates : - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Grub2). The supported version that is affected is 11. Difficult to exploit vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. (CVE-2015-8370) - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Zones). The supported version that is affected is 11. Easily exploitable vulnerability requiring logon to Operating System plus additional, multiple logins to components. Successful attack of this vulnerability can escalate attacker privileges resulting in unauthorized read access to a subset of Solaris accessible data. (CVE-2016-0618)
last seen	2020-06-01
modified	2020-06-02
plugin id	88003
published	2016-01-20
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/88003
title	Oracle Solaris Critical Patch Update : jan2016_SRU11_3_4_5_0

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2015-90C27B6E91.NASL
description	Fixes CVE-2015-8370. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2016-03-04
plugin id	89324
published	2016-03-04
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/89324
title	Fedora 22 : grub2-2.02-0.18.fc22 (2015-90c27b6e91)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2015-2386-1.NASL
description	This update for grub2 provides the following fixes : A security issues with a bufferoverflow when reading username and password was fixed (bsc#956631, CVE-2015-8370) Bugs fixed : - Expand list of grub.cfg search path in PV Xen guests for systems installed on btrfs snapshots. (bsc#946148, bsc#952539) - Add grub.xen config searching path on boot partition. (bsc#884828) - Add linux16 and initrd16 to grub.xen. (bsc#884830) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	87669
published	2015-12-30
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87669
title	SUSE SLED11 / SLES11 Security Update : grub2 (SUSE-SU-2015:2386-1)

Redhat

advisories

bugzilla

id	1290089
title	Grub password broken by update from RHEL7.1 to RHEL7.2

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND

comment grub2-efi-modules is earlier than 1:2.02-0.33.el7_2
oval oval:com.redhat.rhsa:tst:20152623001
comment grub2-efi-modules is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152401002

AND
comment grub2 is earlier than 1:2.02-0.33.el7_2
oval oval:com.redhat.rhsa:tst:20152623003
comment grub2 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152401008
AND
comment grub2-tools is earlier than 1:2.02-0.33.el7_2
oval oval:com.redhat.rhsa:tst:20152623005
comment grub2-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152401004
AND
comment grub2-efi is earlier than 1:2.02-0.33.el7_2
oval oval:com.redhat.rhsa:tst:20152623007
comment grub2-efi is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152401006

rhsa

id	RHSA-2015:2623
released	2015-12-15
severity	Moderate
title	RHSA-2015:2623: grub2 security and bug fix update (Moderate)

rpms

grub2-1:2.02-0.33.el7_2
grub2-debuginfo-1:2.02-0.33.el7_2
grub2-efi-1:2.02-0.33.el7_2
grub2-efi-modules-1:2.02-0.33.el7_2
grub2-tools-1:2.02-0.33.el7_2

The Hacker News

id	THN:960C1B9817E3CB5C4AF1E8867B27BE72
last seen	2018-01-27
modified	2015-12-17
published	2015-12-16
reporter	Swati Khandelwal
source	https://thehackernews.com/2015/12/hack-linux-grub-password.html
title	You can Hack into a Linux Computer just by pressing 'Backspace' 28 times

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

The Hacker News

References