CVE-2020-27779

Vulnerability

The cutmem command in GRUB2 versions prior to 2.06 does not honor Secure Boot locking, as described in [1]. This flaw allows a privileged attacker to remove address ranges from memory, potentially circumventing Secure Boot protections after understanding GRUB's memory layout. The vulnerability affects GRUB2 before 2.06 and is tracked as CVE-2020-27779 [1][3].

Exploitation

An attacker must have local, privileged access to the system (e.g., root access or the ability to execute GRUB commands). The attacker uses the cutmem command to remove specific memory regions, which can disrupt the integrity of the Secure Boot chain [1]. This requires proper triage of GRUB's memory layout to identify which address ranges to target. No user interaction beyond the attacker's own actions is needed, and the attack is performed at the boot loader level [1].

Impact

Successful exploitation allows the attacker to weaken or bypass UEFI Secure Boot protections, which are intended to ensure that only trusted boot components are loaded. This can lead to the loading of unsigned or malicious boot components, compromising the system's chain of trust [1]. The highest threat is to data confidentiality and integrity, as well as system availability, per the CVE description [1].

Mitigation

The issue is addressed in GRUB2 version 2.06_rc1 and later [1][3]. Red Hat has released updates for Red Hat Enterprise Linux 7.4 Advanced Update Support, 7.4 Update Services for SAP Solutions, and 7.4 Telco Extended Update Support via RHSA-2021:0702 [1]. Gentoo has provided the GLSA 202104-05 advisory recommending an upgrade to >=sys-devel/grub-2.06_rc1 [3]. Fedora has also tracked the fix in bug 1934250 [1]. Users should upgrade GRUB2 to the patched version and run grub-install to apply the update [3].