CVE-2009-4128 — Improper Authentication in Grub

CWE-287 — Improper Authentication7 documents7 sources

Severity

7.2HIGHNVD

EPSS

0.0%

top 88.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Grub2 Debian Grub Debian Grub2 +1 more

Timeline

PublishedDec 1

Latest updateMay 2

Description

GNU GRand Unified Bootloader (GRUB) 2 1.97 only compares the submitted portion of a password with the actual password, which makes it easier for physically proximate attackers to conduct brute force attacks and bypass authentication by submitting a password whose length is 1.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages4 packages

▶debiandebian/grub< grub2 1.97+20091115-1 (bookworm)

▶debiandebian/grub2< grub2 1.97+20091115-1 (bookworm)

▶Debiangnu/grub2< 1.97+20091115-1+3

▶NVDgnu/grub_21.97

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-prgr-9xf7-v9fw: GNU GRand Unified Bootloader (GRUB) 2 1↗2022-05-02

▶

OSV

CVE-2009-4128: GNU GRand Unified Bootloader (GRUB) 2 1↗2009-12-01

▶

📋Vendor Advisories

Ubuntu

GRUB 2 vulnerability↗2009-12-09

▶

Red Hat

grub2: Improper password checking↗2009-11-08

▶

Debian

CVE-2009-4128: grub - GNU GRand Unified Bootloader (GRUB) 2 1.97 only compares the submitted portion o...↗2009

▶

💬Community

Bugzilla

CVE-2009-4128 grub2: Improper password checking↗2009-12-01

▶