-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1424
  HPE Gen10 and Gen10 Plus Servers, GRUB2 Secure Boot Vulnerability, Local
                          Execution of Arbitrary Code
                               27 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HPE ProLiant servers
Publisher:         Hewlett-Packard
Operating System:  Network Appliance
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20233 CVE-2021-20225 CVE-2020-27779
                   CVE-2020-27749 CVE-2020-25647 CVE-2020-25632
Reference:         ESB-2021.0753
                   ESB-2021.0749
                   ESB-2021.0748

Original Bulletin:
   https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf04116en_us

- --------------------------BEGIN INCLUDED TEXT--------------------

SECURITY BULLETIN

Document ID: hpesbhf04116en_us
Version: 2

HPESBHF04116 rev.2 - HPE Gen10 and Gen10 Plus Servers, GRUB2 Secure Boot
Vulnerability, Local Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2021-04-19
Last Updated: 2021-04-23

Potential Security Impact: Local: Execution of Arbitrary Code

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

On March 3rd 2021 the open source GRUB2 boot loader used in HPE ProLiant
servers and several operating systems was updated to resolve multiple security
vulnerabilities related to the industry standard security feature called UEFI
Secure Boot. This issue follows earlier HPE and industry-wide security updates
released for GRUB2 nicknamed 'BootHole'. HPE is providing updated software for
HPE impacted products.
Operating System vendors are providing updates to address these recent security
issues with GRUB2. Furthermore, HPE is providing an updated UEFI Forbidden
Signature Database (DBX) to protect system secure boot when the secure boot
feature is enabled on HPE systems. DBX updates provided by the operating system
vendors will also need to be applied to offer complete protection from
malicious attacks against secure boot integrity.

HPE customers who have enabled UEFI Secure Boot on their systems will be
impacted by this vulnerability and will need to apply OS updates and updates to
HPE bootable environments (e.g., Service Pack for ProLiant) as well as update
the DBX to resolve the issue.

Caution: Systems will not boot if the latest DBX (March 2021) is applied and
Secure Boot is enabled using boot environments that were released prior to
March 2021. This applies to the following boot environments: Intelligent
Provisioning, VMware Upgrade Pack, Service Pack for ProLiant (SPP), Synergy
Custom SPP, and Scripting Toolkit released before March 2021.

Please see the following HPE Customer Bulletins and Customer Notices for
critical information on updating your systems:

  o GRUB2 Vulnerability - UEFI Secure Boot Evasion Vulnerability
    (CVE-2021-20233, CVE-2020-25632, CVE-2020-27779, CVE-2021-20225,
    CVE-2020-27749, CVE-2020-25647)
  o HPE Gen10 and Gen10 Plus Multiple Server Platforms - UEFI Secure Boot
    Evasion Vulnerability (CVE-2021-20233, CVE-2020-25632, CVE-2020-27779,
    CVE-2021-20225, CVE-2020-27749, CVE-2020-25647)
  o GRUB2 Vulnerabilities - CRITICAL UPDATE Secure Boot DBX Updater for Linux,
    Windows and UEFI (CVE-2021-20233, CVE-2020-25632, CVE-2020-27779,
    CVE-2021-20225, CVE-2020-27749, CVE-2020-25647)

References:

  o CVE-2021-20233
  o CVE-2020-25632
  o CVE-2020-27779
  o CVE-2021-20225
  o CVE-2020-27749
  o CVE-2020-25647

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
  o Scripting Toolkit for Linux - Prior to version 11.51 (21 Apr 2021)
  o Service Pack for ProLiant - Prior to version 2021.04.0
  o Intelligent Provisioning - Prior to version 3.62
  o HPE ProLiant BL460c Gen10 Server Blade - Prior to SPP version 2021.04.0
    and IP version 3.62
  o HPE ProLiant DL580 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL560 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL385 Gen10 Plus server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant DL385 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL380 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL360 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL325 Gen10 Plus server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant DL325 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL180 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL160 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL120 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DL20 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DX385 Gen10 Plus server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant DX380 Gen10 server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant DX360 Gen10 server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant MicroServer Gen10 - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant MicroServer Gen10 Plus - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant ML350 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant ML110 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant ML30 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL450 Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL290n Gen10 Plus Server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant XL270d Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL230k Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL220n Gen10 Plus Server - Prior to SPP version 2021.04.0 and
    IP version 3.62
  o HPE ProLiant XL190r Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62
  o HPE ProLiant XL170r Gen10 Server - Prior to SPP version 2021.04.0 and IP
    version 3.62

BACKGROUND

HPE calculates CVSS using CVSS Version 3.1. If the score is provided from NIST,
we will display Version 2.0, 3.0, or 3.1 as provided from NVD.

  Reference        V3 Vector                     V3 Base  V2 Vector          V2 Base
                                                 Score                       Score
  CVE-2020-25632   (CVSS:3.1/AV:L/AC:L/PR:H/     8.2      (AV:L/AC:L/Au:N/   7.2
                   UI:N/S:C/C:H/I:H/A:H)                  C:C/I:C/A:C)
  CVE-2020-25647   (CVSS:3.1/AV:P/AC:L/PR:N/     7.6      (AV:L/AC:L/Au:N/   7.2
                   UI:N/S:C/C:H/I:H/A:H)                  C:C/I:C/A:C)
  CVE-2020-27749   (CVSS:3.1/AV:L/AC:L/PR:H/     6.7      (AV:L/AC:L/Au:N/   7.2
                   UI:N/S:U/C:H/I:H/A:H)                  C:C/I:C/A:C)
  CVE-2020-27779   (CVSS:3.1/AV:L/AC:H/PR:H/     7.5      (AV:L/AC:M/Au:N/   6.9
                   UI:N/S:C/C:H/I:H/A:H)                  C:C/I:C/A:C)
  CVE-2021-20225   (CVSS:3.1/AV:L/AC:L/PR:H/     6.7      (AV:L/AC:L/Au:N/   7.2
                   UI:N/S:U/C:H/I:H/A:H)                  C:C/I:C/A:C)
  CVE-2021-20233   (CVSS:3.1/AV:L/AC:L/PR:H/     8.2      (AV:L/AC:L/Au:N/   7.2
                   UI:N/S:C/C:H/I:H/A:H)                  C:C/I:C/A:C)

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

Operating System vendors are providing updates to address these recent secure
boot security issues with GRUB2. Furthermore, HPE is providing an updated UEFI
Forbidden Signature Database (DBX) to protect system secure boot when the
secure boot feature is enabled on HPE systems. DBX updates provided by the
operating system vendors will also need to be applied to offer complete
protection from malicious attacks against secure boot integrity.
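The RESOLUTION above depends on the updated DBX actually being present in firmware, and the Caution warns that applying it while still booting pre-March-2021 media will stop the system booting, so an administrator wants to confirm what the variable contains before and after the update rather than trust that the updater ran. The parser below is an added example, not HPE's DBX updater or any AusCERT tooling: it walks the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout defined in the UEFI specification and reports how many SHA-256 hash entries (and entries of other types) the blob holds, so a before/after comparison shows whether the revocation list grew. On Linux the variable is exposed by efivarfs at /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f, with a 4-byte attribute prefix before the data; when that file is absent the script falls back to a constructed sample list whose two digests are made up and are not real dbx entries.

```python
"""Parse a UEFI Forbidden Signature Database (dbx) blob and count its entries.

Added example, not HPE's or AusCERT's tooling. Structure layout is from the
UEFI specification; the sample digests below are constructed, not real.
"""
import hashlib
import os
import struct
import uuid

# EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# efivarfs path for the dbx variable (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFIVARS_DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

SIG_LIST_HEADER = 28  # EFI_GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize


def parse_signature_lists(blob):
    """Yield (SignatureType, SignatureOwner, SignatureData) for every
    EFI_SIGNATURE_DATA entry in a concatenation of EFI_SIGNATURE_LISTs.
    Raises ValueError on truncated or inconsistent structures."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < SIG_LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % offset)
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < SIG_LIST_HEADER or offset + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, offset))
        if sig_size < 16:
            raise ValueError("SignatureSize %d smaller than the owner GUID" % sig_size)
        body_start = offset + SIG_LIST_HEADER + header_size
        body_end = offset + list_size
        if body_start > body_end or (body_end - body_start) % sig_size != 0:
            raise ValueError("signature area not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        offset = body_end


def sha256_entries(blob):
    """Set of hex SHA-256 digests revoked by the dbx blob."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def count_entries(blob):
    """Number of entries per signature type, keyed by GUID string."""
    counts = {}
    for t, _, _ in parse_signature_lists(blob):
        counts[str(t)] = counts.get(str(t), 0) + 1
    return counts


def read_efivar(path=EFIVARS_DBX_PATH):
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (for constructed samples)."""
    sig_size = 16 + 32  # owner GUID + digest
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIG_LIST_HEADER + sig_size * len(hashes), 0, sig_size)
    return header + b"".join(owner.bytes_le + h for h in hashes)


# Constructed sample: two made-up digests, not hashes of any real binary.
SAMPLE_HASHES = [hashlib.sha256(b"constructed sample entry %d" % i).digest() for i in (1, 2)]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES)


if __name__ == "__main__":
    blob = read_efivar() if os.path.exists(EFIVARS_DBX_PATH) else SAMPLE_DBX
    print("entries by type:", count_entries(blob))
    print("sha256 entries:", len(sha256_entries(blob)))
```

Run it once before applying the DBX update and once after; the SHA-256 count should rise, and any hash HPE or the OS vendor publishes for the update can be checked for membership with sha256_entries. A ValueError means the variable was truncated or is not a signature-list blob, which is worth investigating before enabling Secure Boot with new media.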
HPE customers who have enabled UEFI Secure Boot on their systems will be
impacted by this vulnerability and will need to apply OS updates and updates to
HPE bootable environments (e.g., Service Pack for ProLiant) as well as update
the DBX to resolve the issue.

Caution: Systems will not boot if the latest DBX (March 2021) is applied and
Secure Boot is enabled using boot environments that were released prior to
March 2021. This applies to the following boot environments: Intelligent
Provisioning, VMware Upgrade Pack, Service Pack for ProLiant (SPP), Synergy
Custom SPP, and Scripting Toolkit released before March 2021.

Existing Synergy Custom SPPs under active support will be updated to include
these fixes at a later date.

Please see the following HPE Customer Bulletins and Customer Notices for
critical information on updating your systems:

  o GRUB2 Vulnerability - UEFI Secure Boot Evasion Vulnerability
    (CVE-2021-20233, CVE-2020-25632, CVE-2020-27779, CVE-2021-20225,
    CVE-2020-27749, CVE-2020-25647)
  o HPE Gen10 and Gen10 Plus Multiple Server Platforms - UEFI Secure Boot
    Evasion Vulnerability (CVE-2021-20233, CVE-2020-25632, CVE-2020-27779,
    CVE-2021-20225, CVE-2020-27749, CVE-2020-25647)
  o GRUB2 Vulnerabilities - CRITICAL UPDATE Secure Boot DBX Updater for Linux,
    Windows and UEFI (CVE-2021-20233, CVE-2020-25632, CVE-2020-27779,
    CVE-2021-20225, CVE-2020-27749, CVE-2020-25647)

HISTORY

  o Version:1 (rev.1) - 19 April 2021 Initial release
  o Version:2 (rev.2) - 22 April 2021 Added Scripting Toolkit for Linux

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYIeuw+NLKJtyKPYoAQjfoxAAkQqsszjezuiByVMagBi50YnkumwDqBRk
VucLUaM6TSsx0q15pYvvWEb917swYbR5xVAvGKCXxFrxJfvoVZXkisDseQs49QOC
3eL01WVRyoeaqlJruW//Jj3zbuSKuVBA/2GmBx/YDTJZVsB3j6XjTtI0OBHZxqft
SwB3KK2PLOwEJvRkOj0PiKxQ8/IuWHp9p5gGBnMEfCdk60+Tlt9Xi6U2RxktHJV4
AdVwbkmds6LG6TnK4hXo4EL5Ya/iNliNbQBhxhI3wcFSF1w3hKdq817HujwRJuQm
Dt+AhlZE75p+Kk5GdpQSyV6LtiOgcIzHEGvIwZtl0MqC2/nFaG07SPCNGQZ+mJt2
5rIbmX/bItgzlwxmY0GXWoogAl8tGYXG3eeGxax2uLrGSKCKDT2os+54Ulim0B92
CBszew+cS9lEH9bD1p2zFU9edzKNe/z7TWhxzcxngYzvbOUAf7VuIguQihp5e5vQ
jax8mw+uBXO76lqxMe/RTBT/7AIEdlyjYZFCgnwRqj1o1dLRhxK+PfsmIVft2OZS
mUjCzQy2fIPeisrpqWWmQ7bM+qP8n+UGv1ZRRlf5ICZsilQ5w2x5L66vFH5PrzvR
SzTbuNyfVwl7aCzRUipNLZqtCt7vm4VWL3TofkWtxMztE6HnzMxRQtqlFF+zP6ow
zTbuS5vM36k=
=VDz1
-----END PGP SIGNATURE-----