Secure Boot Vulnerability in GRUB2 by Canonical
CVE-2022-28735

6.7MEDIUM

Key Information:

Vendor: Gnu Project
Status: Gnu Grub
Vendor: CVE Published:; 20 July 2023

🔔 Create Gnu Project Vulnerability Alert

What is CVE-2022-28735?

The GRUB2 shim_lock verifier has a significant security flaw that permits the loading of non-kernel files on systems utilizing shim-powered secure boot. This creates a risk where unverified code and modules could potentially compromise the trusted execution environment, undermining the secure boot trust-chain and allowing unauthorized access to system resources.

Affected Version(s)

GNU GRUB Linux 0 < 2.06-3

References

https://www.openwall.com/lists/oss-security/2022/06/07/5

mailing-list

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...

issue-tracking

https://security.netapp.com/advisory/ntap-20230825-0002/

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 20, 2023
Vulnerability Reserved
Apr 5, 2022

Credit

Julian Andres Klode