-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2535
   Security Bulletin: GRUB2 as used by IBM QRadar SIEM is vulnerable to
                          arbitrary code execution
                                27 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Unauthorised Access             -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20233 CVE-2021-20225 CVE-2021-3418
                   CVE-2020-27779 CVE-2020-27749 CVE-2020-25647
                   CVE-2020-25632 CVE-2020-14372
Reference:         ESB-2021.2468
                   ESB-2021.2263
                   ESB-2021.2178
                   ESB-2021.0753
                   ESB-2021.0748

Original Bulletin:
   https://www.ibm.com/support/pages/node/6475265

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: GRUB2 as used by IBM QRadar SIEM is vulnerable to
arbitrary code execution

Document Information

Product:             IBM QRadar SIEM
Software version:    7.3, 7.4
Operating system(s): Linux
Document number:     6475265
Modified date:       26 July 2021

Summary

GRUB2 as used by IBM QRadar SIEM is vulnerable to arbitrary code execution.

Vulnerability Details

CVEID: CVE-2021-20225
DESCRIPTION: GNU GRUB2 could allow a local authenticated attacker to execute
arbitrary code on the system, caused by a heap out-of-bounds write flaw in
the short form option parser. By sending specially-crafted commands, an
attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/197608 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-25632
DESCRIPTION: GNU GRUB2 could allow a local authenticated attacker to execute
arbitrary code on the system, caused by a use-after-free flaw in the rmmod
implementation. By sending a specially-crafted request, an attacker could
exploit this vulnerability to execute arbitrary code and bypass Secure Boot
protections.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/197604 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2021-20233
DESCRIPTION: GNU GRUB2 could allow a local authenticated attacker to execute
arbitrary code on the system, caused by a heap out-of-bounds write flaw due
to miscalculation of the space required for quoting. By sending a
specially-crafted request, an attacker could exploit this vulnerability to
execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/197616 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-25647
DESCRIPTION: GNU GRUB2 could allow a physical authenticated attacker to
execute arbitrary code on the system, caused by an out-of-bounds write flaw
in the grub_usb_device_initialize function. By using a specially-crafted USB
device, an attacker could exploit this vulnerability to execute arbitrary
code and bypass Secure Boot protections.
CVSS Base score: 6.9
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/197605 for the current
score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2021-3418
DESCRIPTION: GNU GRUB2 could allow a local authenticated attacker to bypass
security restrictions, caused by improper validation of the kernel signature
when booted directly without shim.
By sending a specially-crafted request, an attacker could exploit this
vulnerability to bypass Secure Boot and boot any kernel.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/197617 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-27749
DESCRIPTION: GNU GRUB2 is vulnerable to a stack-based buffer overflow,
caused by improper bounds checking by the grub_parser_split_cmdline
function. By sending a specially-crafted request, a local authenticated
attacker could overflow a buffer and execute arbitrary code and bypass
Secure Boot protections.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/197606 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-14372
DESCRIPTION: GNU GRUB2 could allow a local authenticated attacker to execute
arbitrary code on the system, caused by improper input validation by the
acpi command. By using specially-crafted ACPI tables, an attacker could
exploit this vulnerability to load unsigned kernel modules and execute an
arbitrary unsigned kexec on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/197603 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-27779
DESCRIPTION: GNU GRUB2 could allow a local authenticated attacker to bypass
security restrictions, caused by the failure to honor Secure Boot locking in
the cutmem command. By sending a specially-crafted request, an attacker
could exploit this vulnerability to remove address ranges from memory and
bypass Secure Boot protections.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/197607 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8
IBM QRadar SIEM 7.4.0 to 7.4.3 GA

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 9
QRadar / QRM / QVM / QRIF / QNI 7.4.3 Patch 1

Workarounds and Mitigations

None

Change History

21 Jul 2021: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
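As an added example that is not part of the IBM or AusCERT bulletin, the helper below classifies a QRadar version against the affected and fixed ranges listed above, so an inventory of appliances can be triaged consistently. It assumes versions are written in the bulletin's own notation ("7.3.3 Patch 8", "7.4.3 GA", or a bare "7.4.1" meaning GA); that notation is an assumption, not the format QRadar itself reports.

```python
import re
from typing import Tuple

# Version tuple: (major, minor, release, patch). "GA" is treated as patch 0.
Version = Tuple[int, int, int, int]

# Ranges transcribed from the bulletin, keyed by release train.
# Each entry is (first affected, last affected, first fixed).
RANGES = {
    (7, 3): ((7, 3, 0, 0), (7, 3, 3, 8), (7, 3, 3, 9)),   # fixed: 7.3.3 Patch 9
    (7, 4): ((7, 4, 0, 0), (7, 4, 3, 0), (7, 4, 3, 1)),   # fixed: 7.4.3 Patch 1
}

# Accepts "7.3.3 Patch 8", "7.4.3 GA" and "7.4.1" (assumed bulletin notation).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:GA|Patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse a bulletin-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QRadar version: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def status(text: str) -> str:
    """Return 'affected', 'fixed' or 'out of scope' for one version string.

    Anything below the first fixed level within a covered train is affected;
    the fixed level or later is fixed; other trains are not covered here.
    """
    v = parse_version(text)
    train = RANGES.get(v[:2])
    if train is None:
        return "out of scope"
    first, last, fixed = train
    if first <= v <= last:
        return "affected"
    return "fixed" if v >= fixed else "affected"


def triage(versions: dict) -> dict:
    """Map {hostname: version string} to {hostname: status}; constructed input."""
    return {host: status(ver) for host, ver in versions.items()}
```

Feed it the version strings from your own asset inventory; the `triage` helper takes a hostname-to-version mapping and returns the status per host.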
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----