Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2020-03625

Опубликовано: 30 июл. 2020
Источник: fstec
CVSS3: 7.3
CVSS2: 4.6
EPSS Низкий

Описание

Уязвимость конфигурационного файла grub.cfg загрузчика операционных систем Grub2 связана с ошибками при нейтрализации специальных элементов. Эксплуатация уязвимости может позволить нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Вендор

Microsoft Corp.
Red Hat Inc.
Canonical Ltd.
Сообщество свободного программного обеспечения
ООО «РусБИТех-Астра»
Novell Inc.
Erich Boleyn
ООО «Ред Софт»
ФССП России
ООО «Юбитех»
АО «Концерн ВНИИНС»
АО «НТЦ ИТ РОСА»

Наименование ПО

Windows
Red Hat Enterprise Linux
Ubuntu
Debian GNU/Linux
Astra Linux Special Edition
SUSE Linux Enterprise Server for SAP Applications
SUSE OpenStack Cloud
SUSE Linux Enterprise Module for Basesystem
SUSE Enterprise Storage
SUSE Linux Enterprise Point of Sale
Suse Linux Enterprise Server
SUSE Linux Enterprise Module for Open Buildservice Development Tools
SUSE Linux Enterprise Module for Server Applications
HPE Helion Openstack
SUSE Linux Enterprise High Performance Computing
Grub2
РЕД ОС
ОС ТД АИС ФССП России
UBLinux
ОС ОН «Стрелец»
ROSA Virtualization 3.0

Версия ПО

Server 2012 (Windows)
Server 2012 R2 (Windows)
8.1 (Windows)
8.1 (Windows)
Server 2012 (Windows)
Server 2012 R2 (Windows)
8.1 RT (Windows)
10 (Windows)
10 (Windows)
7 (Red Hat Enterprise Linux)
16.04 LTS (Ubuntu)
10 1607 (Windows)
10 1607 (Windows)
Server 2016 (Windows)
7 (Red Hat Enterprise Linux)
16.04 LTS (Ubuntu)
Server 2016 (Windows)
8.1 RT (Windows)
Server 2012 R2 Server Core installation (Windows)
9 (Debian GNU/Linux)
10 1709 (Windows)
10 1709 (Windows)
18.04 LTS (Ubuntu)
10 1803 (Windows)
10 1803 (Windows)
10 1809 (Windows)
10 1809 (Windows)
Server 2019 Server Core installation (Windows)
10 1809 (Windows)
10 1709 (Windows)
10 1803 (Windows)
1.6 «Смоленск» (Astra Linux Special Edition)
12 SP2 (SUSE Linux Enterprise Server for SAP Applications)
12 SP2-BCL (SUSE Linux Enterprise Server for SAP Applications)
12 SP2-ESPOS (SUSE Linux Enterprise Server for SAP Applications)
12 SP2-LTSS (SUSE Linux Enterprise Server for SAP Applications)
12 SP3 (SUSE Linux Enterprise Server for SAP Applications)
12 SP4 (SUSE Linux Enterprise Server for SAP Applications)
7 (SUSE OpenStack Cloud)
8.0 (Debian GNU/Linux)
10 1903 (Windows)
10 1903 (Windows)
10 1903 (Windows)
Server 1903 (Windows)
8 (Red Hat Enterprise Linux)
15 SP1 (SUSE Linux Enterprise Module for Basesystem)
5 (SUSE Enterprise Storage)
12 SP2-CLIENT (SUSE Linux Enterprise Point of Sale)
12 SP2-BCL (Suse Linux Enterprise Server)
12 SP2-ESPOS (Suse Linux Enterprise Server)
15 SP1 (SUSE Linux Enterprise Module for Open Buildservice Development Tools)
15 (SUSE Linux Enterprise Server for SAP Applications)
11 SP4-LTSS (Suse Linux Enterprise Server)
12 SP2-LTSS (Suse Linux Enterprise Server)
11 SP4-LTSS (SUSE Linux Enterprise Server for SAP Applications)
12 SP3-LTSS (Suse Linux Enterprise Server)
15 SP1 (SUSE Linux Enterprise Module for Server Applications)
14.04 ESM (Ubuntu)
8 (SUSE OpenStack Cloud)
12 SP3-BCL (Suse Linux Enterprise Server)
12 SP5 (Suse Linux Enterprise Server)
12 SP3-BCL (SUSE Linux Enterprise Server for SAP Applications)
12 SP3-LTSS (SUSE Linux Enterprise Server for SAP Applications)
12 SP5 (SUSE Linux Enterprise Server for SAP Applications)
Crowbar 8 (SUSE OpenStack Cloud)
10 (Debian GNU/Linux)
8 (HPE Helion Openstack)
12 SP3-ESPOS (Suse Linux Enterprise Server)
12 SP3-ESPOS (SUSE Linux Enterprise Server for SAP Applications)
10 1909 (Windows)
10 1909 (Windows)
10 1909 (Windows)
Server 1909 Server Core Installation (Windows)
9 (SUSE OpenStack Cloud)
15-ESPOS (SUSE Linux Enterprise High Performance Computing)
15-LTSS (SUSE Linux Enterprise High Performance Computing)
15-LTSS (Suse Linux Enterprise Server)
Crowbar 9 (SUSE OpenStack Cloud)
8.0 Update Services for SAP Solutions (Red Hat Enterprise Linux)
15 SP2 (SUSE Linux Enterprise Module for Basesystem)
20.04 LTS (Ubuntu)
15 SP2 (SUSE Linux Enterprise Module for Open Buildservice Development Tools)
15 SP2 (SUSE Linux Enterprise Module for Server Applications)
10 2004 (Windows)
10 2004 (Windows)
10 2004 (Windows)
Server 2004 Server Core Installation (Windows)
8.1 Extended Update Support (Red Hat Enterprise Linux)
12 SP4 LTSS (Suse Linux Enterprise Server)
12 SP4-ESPOS (Suse Linux Enterprise Server)
12 SP4-LTSS (SUSE Linux Enterprise Server for SAP Applications)
12 SP4-ESPOS (SUSE Linux Enterprise Server for SAP Applications)
до 2.06 (Grub2)
7.3 (РЕД ОС)
ИК6 (ОС ТД АИС ФССП России)
до 2204 (UBLinux)
до 16.01.2023 (ОС ОН «Стрелец»)
3.0 (ROSA Virtualization 3.0)

Тип ПО

Операционная система
Прикладное ПО информационных систем

Операционные системы и аппаратные платформы

Microsoft Corp. Windows Server 2012
Microsoft Corp. Windows Server 2012 R2
Microsoft Corp. Windows 8.1
Microsoft Corp. Windows 8.1
Microsoft Corp. Windows Server 2012
Microsoft Corp. Windows Server 2012 R2
Microsoft Corp. Windows 8.1 RT
Microsoft Corp. Windows 10
Microsoft Corp. Windows 10
Red Hat Inc. Red Hat Enterprise Linux 7
Canonical Ltd. Ubuntu 16.04 LTS
Microsoft Corp. Windows 10 1607
Microsoft Corp. Windows 10 1607
Microsoft Corp. Windows Server 2016
Red Hat Inc. Red Hat Enterprise Linux 7
Canonical Ltd. Ubuntu 16.04 LTS
Microsoft Corp. Windows Server 2016
Microsoft Corp. Windows 8.1 RT
Microsoft Corp. Windows Server 2012 R2 Server Core installation
Сообщество свободного программного обеспечения Debian GNU/Linux 9
Microsoft Corp. Windows 10 1709
Microsoft Corp. Windows 10 1709
Canonical Ltd. Ubuntu 18.04 LTS
Microsoft Corp. Windows 10 1803
Microsoft Corp. Windows 10 1803
Microsoft Corp. Windows 10 1809
Microsoft Corp. Windows 10 1809
Microsoft Corp. Windows Server 2019 Server Core installation
Microsoft Corp. Windows 10 1809
Microsoft Corp. Windows 10 1709
Microsoft Corp. Windows 10 1803
ООО «РусБИТех-Астра» Astra Linux Special Edition 1.6 «Смоленск»
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2-BCL
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2-ESPOS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2-LTSS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4
Сообщество свободного программного обеспечения Debian GNU/Linux 8.0
Microsoft Corp. Windows 10 1903
Microsoft Corp. Windows 10 1903
Microsoft Corp. Windows 10 1903
Microsoft Corp. Windows Server 1903
Red Hat Inc. Red Hat Enterprise Linux 8
Novell Inc. Suse Linux Enterprise Server 12 SP2-BCL
Novell Inc. Suse Linux Enterprise Server 12 SP2-ESPOS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15
Novell Inc. Suse Linux Enterprise Server 11 SP4-LTSS
Novell Inc. Suse Linux Enterprise Server 12 SP2-LTSS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 11 SP4-LTSS
Novell Inc. Suse Linux Enterprise Server 12 SP3-LTSS
Canonical Ltd. Ubuntu 14.04 ESM
Novell Inc. Suse Linux Enterprise Server 12 SP3-BCL
Novell Inc. Suse Linux Enterprise Server 12 SP5
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3-BCL
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3-LTSS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5
Сообщество свободного программного обеспечения Debian GNU/Linux 10
Novell Inc. Suse Linux Enterprise Server 12 SP3-ESPOS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3-ESPOS
Microsoft Corp. Windows 10 1909
Microsoft Corp. Windows 10 1909
Microsoft Corp. Windows 10 1909
Microsoft Corp. Windows Server 1909 Server Core Installation
Novell Inc. Suse Linux Enterprise Server 15-LTSS
Red Hat Inc. Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Canonical Ltd. Ubuntu 20.04 LTS
Microsoft Corp. Windows 10 2004
Microsoft Corp. Windows 10 2004
Microsoft Corp. Windows 10 2004
Microsoft Corp. Windows Server 2004 Server Core Installation
Red Hat Inc. Red Hat Enterprise Linux 8.1 Extended Update Support
Novell Inc. Suse Linux Enterprise Server 12 SP4 LTSS
Novell Inc. Suse Linux Enterprise Server 12 SP4-ESPOS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4-LTSS
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4-ESPOS
Erich Boleyn Grub2 до 2.06
ООО «Ред Софт» РЕД ОС 7.3
ФССП России ОС ТД АИС ФССП России ИК6
ООО «Юбитех» UBLinux до 2204
АО «Концерн ВНИИНС» ОС ОН «Стрелец» до 16.01.2023

Уровень опасности уязвимости

Высокий уровень опасности (базовая оценка CVSS 2.0 составляет 7,5)
Высокий уровень опасности (базовая оценка CVSS 3.0 составляет 7,3)

Возможные меры по устранению уязвимости

Использование рекомендаций:
Для программных продуктов Microsoft Corp.:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2020-10713/
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/cve-2020-10713
Для Ubuntu:
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10713.html?_ga=2.63284271.1820037818.1596178505-1110852722.1596178505
Для Astra Linux:
Обновление программного обеспечения (пакета grub2) до 2.02+dfsg1-20+deb10u1 или более поздней версии
Использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16
Для Debian:
Использование рекомендаций производителя: https://security-tracker.debian.org/tracker/CVE-2020-10713
Для Ред ОС:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для ОС ТД АИС ФССП России:
https://goslinux.fssp.gov.ru/2726972/
Для UBLinux:
https://security.ublinux.ru/CVE-2020-10713
Для ОС ОН «Стрелец»:
Обновление программного обеспечения grub2 до версии 2.06-3~deb10u2.osnova9.strelets
Для программной системы управления средой виртуализации с подсистемой безагентного резервного копирования виртуальных машин «ROSA Virtualization 3.0»: https://abf.rosa.ru/advisories/ROSA-SA-2025-2683

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Существует в открытом доступе

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 58%
0.00369
Низкий

7.3 High

CVSS3

4.6 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2020-10713

CVSS3: 8.2
ubuntu
почти 5 лет назад

A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

redhat логотип

CVE-2020-10713

CVSS3: 8.2
redhat
почти 5 лет назад

A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

nvd логотип

CVE-2020-10713

CVSS3: 8.2
nvd
почти 5 лет назад

A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

msrc логотип

CVE-2020-10713

CVSS3: 8.2
msrc
почти 5 лет назад

Описание отсутствует

debian логотип

CVE-2020-10713

CVSS3: 8.2
debian
почти 5 лет назад

A flaw was found in grub2, prior to version 2.06. An attacker may use ...

EPSS

Процентиль: 58%
0.00369
Низкий

7.3 High

CVSS3

4.6 Medium

CVSS2