Main Vulnerability Database SB20240806233

SB20240806233 - Amazon Linux AMI update for grub2

Published: August 6, 2024

Security Bulletin ID SB20240806233

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Physical access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Security features bypass (CVE-ID: CVE-2023-4001)

CWE-ID: CWE-254 - Security Features

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows an attacker to bypass GRUB password protection feature.

The vulnerability exists due to an error in GRUB due to the way that GRUB uses the UUID of a device to search for the configuration file that contains the password hash for the GRUB password protection feature. An attacker with physical access to the system can bypass the GRUB password protection feature on UEFI systems.

Remediation

Install update from vendor's website.

References

https://alas.aws.amazon.com/AL2023/ALAS-2024-555.html