Unrated severity · NVD Advisory · Published Jul 30, 2020 · Updated Aug 4, 2024

CVE-2020-14309


Description

An integer overflow in GRUB2's squashfs symlink handling leads to a heap buffer overflow, allowing local attackers to execute arbitrary code and bypass UEFI Secure Boot.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

In GRUB2 versions before 2.06, the function grub_squash_read_symlink in the squashfs filesystem handler contains an integer overflow when processing a symbolic link inode with a name length of UINT32 bytes. This arithmetic overflow results in a zero-size memory allocation, which subsequently leads to a heap-based buffer overflow with attacker-controlled data [1][2]. The vulnerability is triggered when GRUB2 attempts to read a specially crafted squashfs filesystem.
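The size arithmetic described above, next to a checked form, as an added example that is not GRUB2's source and not part of the advisory. It assumes the allocation size is the name length plus one terminator byte computed in 32-bit arithmetic, and that the overflowing length is 0xFFFFFFFF; the record layout (4-byte little-endian length, then the name) is constructed for illustration and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked pattern: length field plus one terminator byte, in 32-bit
   arithmetic. A length of 0xFFFFFFFF wraps the result to 0. */
static uint32_t unchecked_alloc_size(uint32_t namelen)
{
    return namelen + 1u;
}

/* Checked pattern: 0 on success, -1 if namelen + 1 overflows or the
   declared length exceeds the bytes actually available. */
static int checked_alloc_size(uint32_t namelen, size_t avail, size_t *out)
{
    uint32_t sz;
    if (__builtin_add_overflow(namelen, 1u, &sz) || namelen > avail)
        return -1;
    *out = sz;
    return 0;
}

/* Hardened reader for a constructed record: 4-byte little-endian length,
   then the name bytes. Returns a NUL-terminated copy, or NULL on reject. */
static char *read_symlink_name(const uint8_t *buf, size_t buflen)
{
    size_t sz;
    char *name;
    if (buflen < 4)
        return NULL;
    uint32_t namelen = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                       (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (checked_alloc_size(namelen, buflen - 4, &sz) != 0)
        return NULL;
    if ((name = malloc(sz)) == NULL)
        return NULL;
    memcpy(name, buf + 4, namelen);
    name[namelen] = '\0';
    return name;
}

int main(void)
{
    const uint8_t bad[] = {0xff, 0xff, 0xff, 0xff, 'x'}; /* constructed input */
    printf("unchecked size: %u, hardened reader: %s\n",
           (unsigned)unchecked_alloc_size(0xFFFFFFFFu),
           read_symlink_name(bad, sizeof bad) ? "accepted" : "rejected");
    return 0;
}
```

`__builtin_add_overflow` is a GCC/Clang builtin; the second check (declared length against bytes present) is an extra bound this example adds beyond the overflow check itself.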

Exploitation

An attacker with local access to the system can exploit this by providing a malicious squashfs filesystem containing a symbolic link whose name length is set to UINT32. When GRUB2 processes this filesystem during boot, the integer overflow causes a zero-size allocation, and subsequent write operations overflow the heap buffer with attacker-controlled data [2]. No authentication is required beyond the ability to boot the system from the crafted filesystem.

Impact

Successful exploitation allows the attacker to execute arbitrary code within the GRUB2 environment, potentially bypassing UEFI Secure Boot restrictions [1]. This could lead to full compromise of the boot process and persistent control over the system.

Mitigation

The vulnerability is fixed in GRUB2 version 2.06 [1][3]. Users should update to GRUB2 2.06 or later and reinstall the bootloader (e.g., run grub-install). Red Hat has released updates for various Enterprise Linux versions [2]. Gentoo recommends upgrading to >=sys-devel/grub-2.06_rc1 [3]. No workaround is available; updating is required.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
