SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   GNU GRUB Vendors:   GNU [multiple authors]
(CentOS Issues Fix) GNU GRUB Authentication Bug Lets Local Users Bypass Authentication and Gain Elevated Privileges
SecurityTracker Alert ID:  1034428
SecurityTracker URL:  http://securitytracker.com/id/1034428
CVE Reference:   CVE-2015-8370   (Links to External Site)
Date:  Dec 16 2015
Impact:   Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.98 - 2.02
Description:   A vulnerability was reported in GNU GRUB. A local user can obtain elevated privileges on the target system.

A local user can bypass authentication and gain full control of the target system.

The vulnerability resides in 'grub-core/lib/crypto.c' and 'grub-core/normal/auth.c'.

The original advisory is available at:

http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

Hector Marco and Ismael Ripoll reported this vulnerability.

Impact:   A local user can obtain full control of the target system.
Solution:   CentOS has issued a fix.

x86_64:
8603042073286061d4ec3757b5e940aa5e5bbfca1f7f114d8cbaf9e3d27db4e7 grub2-2.02-0.33.el7.centos.1.x86_64.rpm
e2985a01c8c879c855eee9cb61e57ac509ceebc56f6911ee981465e4709e8430 grub2-efi-2.02-0.33.el7.centos.1.x86_64.rpm
f0c0fe813776cc3b948f87fbbe82370f7944babf2ce22d4328379a46f5b2eb7c grub2-efi-modules-2.02-0.33.el7.centos.1.x86_64.rpm
2448ae6c196944fa938a34112fa77d37726ba92db51c362fe1b21c905c43f265 grub2-tools-2.02-0.33.el7.centos.1.x86_64.rpm

Source:
e729b0d48dd2f3ca80b2fccf2defa3bd39b3e541b525bc89d56cbef9c6d0396e grub2-2.02-0.33.el7.centos.1.src.rpm

Cause:   Boundary error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Dec 15 2015 GNU GRUB Authentication Bug Lets Local Users Bypass Authentication and Gain Elevated Privileges



 Source Message Contents

Subject:  [CentOS-announce] CESA-2015:2653 Moderate CentOS 7 grub2 Security Update


CentOS Errata and Security Advisory 2015:2653 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-2623.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
8603042073286061d4ec3757b5e940aa5e5bbfca1f7f114d8cbaf9e3d27db4e7  grub2-2.02-0.33.el7.centos.1.x86_64.rpm
e2985a01c8c879c855eee9cb61e57ac509ceebc56f6911ee981465e4709e8430  grub2-efi-2.02-0.33.el7.centos.1.x86_64.rpm
f0c0fe813776cc3b948f87fbbe82370f7944babf2ce22d4328379a46f5b2eb7c  grub2-efi-modules-2.02-0.33.el7.centos.1.x86_64.rpm
2448ae6c196944fa938a34112fa77d37726ba92db51c362fe1b21c905c43f265  grub2-tools-2.02-0.33.el7.centos.1.x86_64.rpm

Source:
e729b0d48dd2f3ca80b2fccf2defa3bd39b3e541b525bc89d56cbef9c6d0396e  grub2-2.02-0.33.el7.centos.1.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC