Announcement

**jlittle** · Jul 29, 2020, 06:36 PM

My impression is that this is not important. It's a hole in "Secure Boot", which I turn off anyway. It's not a remote execution vulnerability, so access to the hardware is needed, and in that case your security is likely hosed anyway.

**GreyGeek** · Jul 29, 2020, 09:30 PM

The Ubuntu cvd is here: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10713.html
There it is called a "low" priority. It refers to https://ubuntu.com/security/notices/USN-3624-2
which calls it a "medium" priority and refers to https://people.canonical.com/~ubuntu...8-1000156.html
which refers to patch version 2.7.6.
The various CVE's mention Ubuntu versions from 12.04 to 18.04 but syas 18.04 is not affected, but doesn't mention 20.04. In my Kubuntu 20.04 install I have

Code:

$ patch -v
GNU patch 2.7.6
Copyright (C) 2003, 2009-2012 Free Software Foundation, Inc.
Copyright (C) 1988 Larry Wall

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Larry Wall and Paul Eggert

which supposedly is the buggy version. However, I don't use EUFI or SecureBoot. I'm Legacy, so I am not affected.

**claydoh** · Jul 30, 2020, 12:18 AM

Looking at the article, and following the links to the actual announcement:
https://eclypsium.com/2020/07/29/the...e-in-the-boot/

Which leads to these in the references:
https://ubuntu.com/security/notices/USN-4432-1

https://wiki.ubuntu.com/SecurityTeam...cureBootBypass

Update instructions
The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04
grub-efi-amd64-bin - 2.04-1ubuntu26.1
grub-efi-amd64-signed - 1.142.3+2.04-1ubuntu26.1
grub-efi-arm-bin - 2.04-1ubuntu26.1
grub-efi-arm64-bin - 2.04-1ubuntu26.1
grub-efi-arm64-signed - 1.142.3+2.04-1ubuntu26.1
grub-efi-ia32-bin - 2.04-1ubuntu26.1

Ubuntu 18.04
grub-efi-amd64-bin - 2.02-2ubuntu8.16
grub-efi-amd64-signed - 1.93.18+2.02-2ubuntu8.16
grub-efi-arm-bin - 2.02-2ubuntu8.16
grub-efi-arm64-bin - 2.02-2ubuntu8.16
grub-efi-arm64-signed - 1.93.18+2.02-2ubuntu8.16
grub-efi-ia32-bin - 2.02-2ubuntu8.16
grub-efi-ia64-bin - 2.02-2ubuntu8.16

The patches are already out
Easy to check

Code:

$ apt policy grub-efi-amd64-bin 
grub-efi-amd64-bin:
  Installed: [COLOR=#ff0000][B]2.02-2ubuntu8.16[/B][/COLOR]
  Candidate: 2.02-2ubuntu8.16
  Version table:
 *** 2.02-2ubuntu8.16 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.02-2ubuntu8 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Code:

$ apt policy grub-efi-amd64-signed 
grub-efi-amd64-signed:
  Installed: [COLOR=#ff0000][B]1.93.18+2.02-2ubuntu8.16[/B][/COLOR]
  Candidate: 1.93.18+2.02-2ubuntu8.16
  Version table:
 *** 1.93.18+2.02-2ubuntu8.16 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.93+2.02-2ubuntu8 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

I got updated grub packages late yesterday. The above is on my 18.04 based system.

**claydoh** · Jul 30, 2020, 12:19 AM

Originally posted by GreyGeek View Post

The Ubuntu cvd is here: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10713.html

That is not related to BootHole

**jglen490** · Jul 30, 2020, 05:28 AM

I need to check my system's administrator, to make sure he's not doing anything nefarious.

Nope, he's not.

Just got my updates this morning.

**oshunluvr** · Jul 30, 2020, 05:36 AM

Yeah, much ado about nothing it seems. One of the discoverers listed a litany of things that would have to but in place before this would actually be an attack vector.

Funner that it's directly related to "Secure Boot." Talk about an oxymoron.

**GreyGeek** · Jul 30, 2020, 12:51 PM

Originally posted by claydoh View Post

That is not related to BootHole

https://ubuntu.com/blog/mitigating-b...ulnerabilities

**mr_raider** · Jul 30, 2020, 01:20 PM

Anyone wants to ransom ware my PC they are welcome to have it. I bought it refurb anyway, and it still uses DDR3 and has a 5 year old CPU.

**jglen490** · Jul 30, 2020, 04:34 PM

And backup, backup, backup! My data is far more important and valuable than my PC. I have a box o' spares with enough to build another PC - except a power supply. Those are cheap enough anyway!

Announcement

Boot Hole Threat

Boot Hole Threat

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment