Secure Boot Vulnerability in GRUB2 by Canonical
CVE-2022-28735

6.7MEDIUM

Key Information:

Vendor

Gnu Project

Status
Gnu Grub
Vendor
CVE Published:
20 July 2023

What is CVE-2022-28735?

The GRUB2 shim_lock verifier has a significant security flaw that permits the loading of non-kernel files on systems utilizing shim-powered secure boot. This creates a risk where unverified code and modules could potentially compromise the trusted execution environment, undermining the secure boot trust-chain and allowing unauthorized access to system resources.

Affected Version(s)

GNU GRUB Linux 0 < 2.06-3

References

https://www.openwall.com/lists/oss-security/2022/06/07/5
mailing-list
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...
issue-tracking
https://security.netapp.com/advisory/ntap-20230825-0002/

CVSS V3.1

Score:
6.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Julian Andres Klode
JSON
.