-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1424
            HPE Gen10 and Gen10 Plus Servers, GRUB2 Secure Boot
             Vulnerability, Local Execution of Arbitrary Code
                               27 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HPE ProLiant servers
Publisher:         Hewlett-Packard
Operating System:  Network Appliance
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20233 CVE-2021-20225 CVE-2020-27779
                   CVE-2020-27749 CVE-2020-25647 CVE-2020-25632

Reference:         ESB-2021.0753
                   ESB-2021.0749
                   ESB-2021.0748

Original Bulletin: 
   https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf04116en_us

- --------------------------BEGIN INCLUDED TEXT--------------------

SECURITY BULLETIN

Document ID: hpesbhf04116en_us

Version: 2

HPESBHF04116 rev.2 - HPE Gen10 and Gen10 Plus Servers, GRUB2 Secure Boot
Vulnerability, Local Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2021-04-19

Last Updated: 2021-04-23

Potential Security Impact: Local: Execution of Arbitrary Code

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

On March 3rd 2021 the open source GRUB2 boot loader used in HPE ProLiant
servers and several operating systems was updated to resolve multiple security
vulnerabilities related to the industry standard security feature called UEFI
Secure Boot.

This issue follows earlier HPE and industry-wide security updates released for
GRUB2 nicknamed 'BootHole'.

HPE is providing updated software for HPE impacted products.

Operating System vendors are providing updates to address these recent security
issues with GRUB2. Furthermore, HPE is providing an updated UEFI Forbidden
Signature Database (DBX) to protect system secure boot when the secure boot
feature is enabled on HPE systems. DBX updates provided by the operating system
vendors will also need to be applied to offer complete protection from
malicious attacks against secure boot integrity.

HPE customers who have enabled UEFI Secure Boot on their systems will be
impacted by this vulnerability and will need to apply OS updates and updates to
HPE bootable environments (e.g., Service Pack for ProLiant) as well as update
the DBX to resolve the issue.

Caution: Systems will not boot if the latest DBX (March 2021) is applied,
Secure Boot is enabled, and the system is booted from a boot environment
released prior to March 2021. This applies to the following boot environments
released before March 2021: Intelligent Provisioning, VMware Upgrade Pack,
Service Pack for ProLiant (SPP), Synergy Custom SPP, and Scripting Toolkit.

Please see the following HPE Customer Bulletins and Customer Notices for
critical information on updating your systems:

  o GRUB2 Vulnerability - UEFI Secure Boot Evasion Vulnerability 
    (CVE-2021-20233, CVE-2020-25632, CVE-2020-27779, CVE-2021-20225,
    CVE-2020-27749, CVE-2020-25647)

  o HPE Gen10 and Gen10 Plus Multiple Server Platforms - UEFI Secure
    Boot Evasion Vulnerability (CVE-2021-20233, CVE-2020-25632,
    CVE-2020-27779, CVE-2021-20225, CVE-2020-27749, CVE-2020-25647)

  o GRUB2 Vulnerabilities - CRITICAL UPDATE Secure Boot DBX Updater
    for Linux, Windows and UEFI (CVE-2021-20233, CVE-2020-25632,
    CVE-2020-27779, CVE-2021-20225, CVE-2020-27749, CVE-2020-25647)

References:

  o CVE-2021-20233
  o CVE-2020-25632
  o CVE-2020-27779
  o CVE-2021-20225
  o CVE-2020-27749
  o CVE-2020-25647

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  o Scripting Toolkit for Linux - Prior to version 11.51(21 Apr 2021)
  o Service Pack for ProLiant - Prior to version 2021.04.0
  o Intelligent Provisioning - Prior to version 3.62
  o HPE ProLiant BL460c Gen10 Server Blade - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant DL580 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL560 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL385 Gen10 Plus server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant DL385 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL380 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL360 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL325 Gen10 Plus server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant DL325 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL180 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL160 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL120 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL20 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DX385 Gen10 Plus server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant DX380 Gen10 server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DX360 Gen10 server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant MicroServer Gen10 - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant MicroServer Gen10 Plus - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant ML350 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant ML110 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant ML30 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL450 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL290n Gen10 Plus Server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant XL270d Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL230k Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL220n Gen10 Plus Server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant XL190r Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL170r Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62

BACKGROUND

HPE calculates CVSS using CVSS Version 3.1. If the score is provided from NIST,
we will display Version 2.0, 3.0, or 3.1 as provided from NVD.

  Reference              V3 Vector           V3 Base     V2 Vector      V2 Base
                                              Score                      Score

CVE-2020-25632  (CVSS:3.1/AV:L/AC:L/PR:H/    8.2      (AV:L/AC:L/Au:N/  7.2
                UI:N/S:C/C:H/I:H/A:H)                 C:C/I:C/A:C)

CVE-2020-25647  (CVSS:3.1/AV:P/AC:L/PR:N/    7.6      (AV:L/AC:L/Au:N/  7.2
                UI:N/S:C/C:H/I:H/A:H)                 C:C/I:C/A:C)

CVE-2020-27749  (CVSS:3.1/AV:L/AC:L/PR:H/    6.7      (AV:L/AC:L/Au:N/  7.2
                UI:N/S:U/C:H/I:H/A:H)                 C:C/I:C/A:C)

CVE-2020-27779  (CVSS:3.1/AV:L/AC:H/PR:H/    7.5      (AV:L/AC:M/Au:N/  6.9
                UI:N/S:C/C:H/I:H/A:H)                 C:C/I:C/A:C)

CVE-2021-20225  (CVSS:3.1/AV:L/AC:L/PR:H/    6.7      (AV:L/AC:L/Au:N/  7.2
                UI:N/S:U/C:H/I:H/A:H)                 C:C/I:C/A:C)

CVE-2021-20233  (CVSS:3.1/AV:L/AC:L/PR:H/    8.2      (AV:L/AC:L/Au:N/  7.2
                UI:N/S:C/C:H/I:H/A:H)                 C:C/I:C/A:C)

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

Operating System vendors are providing updates to address these recent secure
boot security issues with GRUB2.

Furthermore, HPE is providing an updated UEFI Forbidden Signature Database
(DBX) to protect system secure boot when the secure boot feature is enabled on
HPE systems. DBX updates provided by the operating system vendors will also
need to be applied to offer complete protection from malicious attacks against
secure boot integrity.

HPE customers who have enabled UEFI Secure Boot on their systems will be
impacted by this vulnerability and will need to apply OS updates and updates to
HPE bootable environments (e.g., Service Pack for ProLiant) as well as update
the DBX to resolve the issue.

Caution: Systems will not boot if the latest DBX (March 2021) is applied,
Secure Boot is enabled, and the system is booted from a boot environment
released prior to March 2021. This applies to the following boot environments
released before March 2021: Intelligent Provisioning, VMware Upgrade Pack,
Service Pack for ProLiant (SPP), Synergy Custom SPP, and Scripting Toolkit.
Existing Synergy Custom SPPs under active support will be updated to include
these fixes at a later date.
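The DBX mechanism described in the Vulnerability Summary and the boot-failure caution repeated above can be checked before the update is applied. The following is an added example and is not part of the HPE bulletin or any HPE or AusCERT tool: it parses the EFI_SIGNATURE_LIST layout of a dbx image (the signature-type GUIDs and the Linux efivarfs path are taken from the UEFI specification and the Linux kernel's efivarfs layout) and lists which boot images a given dbx revokes. The owner GUID, the two boot-image hashes and the certificate bytes in the sample are constructed for illustration and correspond to no real dbx entry; the efivarfs read at the end is assumed to need root and is only attempted when the variable exists.

```python
"""Parse a UEFI Forbidden Signature Database (dbx) image and report which boot
images it revokes.  Added example, not HPE or AusCERT code.  Layout follows
EFI_SIGNATURE_LIST from the UEFI specification; every sample value below is
constructed for illustration and matches no real revocation."""
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # 32-byte PE hash
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # DER certificate

# Where Linux efivarfs exposes dbx; the first 4 bytes are the variable
# attributes, not part of the signature lists.
DBX_EFIVAR = Path("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures, refusing malformed input."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        body_len = list_size - SIGLIST_HDR.size - hdr_size
        if body_len < 0 or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} at offset {off} overruns the blob")
        if sig_size <= OWNER_GUID_LEN or body_len % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile the list at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        first = off + SIGLIST_HDR.size + hdr_size
        for entry in range(first, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[entry:entry + OWNER_GUID_LEN])
            yield sig_type, owner, blob[entry + OWNER_GUID_LEN:entry + sig_size]
        off += list_size


def is_well_formed(blob: bytes) -> bool:
    """True when every list in the blob parses cleanly (a truncated dbx must not be applied)."""
    try:
        list(parse_signature_lists(blob))
        return True
    except ValueError:
        return False


def revoked_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 PE hashes the dbx forbids, as lower-case hex."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def revoked_certificate_count(blob: bytes) -> int:
    """Number of X.509 entries (whole signing certificates that are forbidden)."""
    return sum(1 for t, _, _ in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID)


def preflight(blob: bytes, boot_image_hashes: dict) -> list:
    """Names of boot images whose hash the dbx revokes; with Secure Boot on they
    will no longer boot once this dbx is applied.  The values must be the
    Authenticode (PE) hash of each image, which is not a plain sha256 of the file."""
    revoked = revoked_sha256_hashes(blob)
    return sorted(name for name, h in boot_image_hashes.items() if h.lower() in revoked)


def build_sha256_list(owner: uuid.UUID, hashes) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (used to build the sample)."""
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    sig_size = OWNER_GUID_LEN + 32
    hdr = SIGLIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, SIGLIST_HDR.size + len(entries), 0, sig_size)
    return hdr + entries


def build_x509_list(owner: uuid.UUID, der: bytes) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST holding a single certificate entry."""
    sig_size = OWNER_GUID_LEN + len(der)
    hdr = SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, SIGLIST_HDR.size + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + der


# Constructed sample: stand-ins for a pre-March-2021 boot environment's hashes
# plus one certificate entry.  None of these values is a real dbx entry.
CONSTRUCTED_OWNER = uuid.uuid5(uuid.NAMESPACE_DNS, "example.invalid")
OLD_BOOT_IMAGES = {
    "old-grubx64.efi": hashlib.sha256(b"constructed: old grubx64.efi").hexdigest(),
    "old-shimx64.efi": hashlib.sha256(b"constructed: old shimx64.efi").hexdigest(),
}
NEW_BOOT_IMAGES = {"new-grubx64.efi": hashlib.sha256(b"constructed: new grubx64.efi").hexdigest()}
SAMPLE_DBX = (build_sha256_list(CONSTRUCTED_OWNER, OLD_BOOT_IMAGES.values())
              + build_x509_list(CONSTRUCTED_OWNER, b"\x30\x03\x02\x01\x01"))  # minimal DER, not a real cert


def load_system_dbx() -> bytes:
    """Read the live dbx on a Linux UEFI host (assumed to require root); strips the attribute word."""
    return DBX_EFIVAR.read_bytes()[4:]


if __name__ == "__main__":
    blob = load_system_dbx() if DBX_EFIVAR.exists() else SAMPLE_DBX
    print(f"dbx: {len(revoked_sha256_hashes(blob))} SHA-256 entries, "
          f"{revoked_certificate_count(blob)} certificate entries")
    print("revoked boot images:", preflight(blob, {**OLD_BOOT_IMAGES, **NEW_BOOT_IMAGES}))
```

Run against the March 2021 dbx update file before applying it and against the hashes of the SPP, Intelligent Provisioning or Scripting Toolkit media you plan to boot; any name that preflight() returns is a boot environment that must be replaced with the post-March-2021 release first, or the system will fail the caution's scenario exactly as the bulletin warns.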

Please see the following HPE Customer Bulletins and Customer Notices for
critical information on updating your systems:

  o GRUB2 Vulnerability - UEFI Secure Boot Evasion Vulnerability 
    (CVE-2021-20233, CVE-2020-25632, CVE-2020-27779, CVE-2021-20225,
    CVE-2020-27749, CVE-2020-25647)

  o HPE Gen10 and Gen10 Plus Multiple Server Platforms - UEFI Secure
    Boot Evasion Vulnerability (CVE-2021-20233, CVE-2020-25632,
    CVE-2020-27779, CVE-2021-20225, CVE-2020-27749, CVE-2020-25647)

  o GRUB2 Vulnerabilities - CRITICAL UPDATE Secure Boot DBX Updater
    for Linux, Windows and UEFI (CVE-2021-20233, CVE-2020-25632,
    CVE-2020-27779, CVE-2021-20225, CVE-2020-27749, CVE-2020-25647)

HISTORY

  o Version:1 (rev.1) - 19 April 2021 Initial release
  o Version:2 (rev.2) - 22 April 2021 Added Scripting Toolkit for Linux

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYIeuw+NLKJtyKPYoAQjfoxAAkQqsszjezuiByVMagBi50YnkumwDqBRk
VucLUaM6TSsx0q15pYvvWEb917swYbR5xVAvGKCXxFrxJfvoVZXkisDseQs49QOC
3eL01WVRyoeaqlJruW//Jj3zbuSKuVBA/2GmBx/YDTJZVsB3j6XjTtI0OBHZxqft
SwB3KK2PLOwEJvRkOj0PiKxQ8/IuWHp9p5gGBnMEfCdk60+Tlt9Xi6U2RxktHJV4
AdVwbkmds6LG6TnK4hXo4EL5Ya/iNliNbQBhxhI3wcFSF1w3hKdq817HujwRJuQm
Dt+AhlZE75p+Kk5GdpQSyV6LtiOgcIzHEGvIwZtl0MqC2/nFaG07SPCNGQZ+mJt2
5rIbmX/bItgzlwxmY0GXWoogAl8tGYXG3eeGxax2uLrGSKCKDT2os+54Ulim0B92
CBszew+cS9lEH9bD1p2zFU9edzKNe/z7TWhxzcxngYzvbOUAf7VuIguQihp5e5vQ
jax8mw+uBXO76lqxMe/RTBT/7AIEdlyjYZFCgnwRqj1o1dLRhxK+PfsmIVft2OZS
mUjCzQy2fIPeisrpqWWmQ7bM+qP8n+UGv1ZRRlf5ICZsilQ5w2x5L66vFH5PrzvR
SzTbuNyfVwl7aCzRUipNLZqtCt7vm4VWL3TofkWtxMztE6HnzMxRQtqlFF+zP6ow
zTbuS5vM36k=
=VDz1
-----END PGP SIGNATURE-----