CVE-2015-8370 — Integer Underflow (Wrap or Wraparound) in Grub2

CWE-264 CWE-191 — Integer Underflow (Wrap or Wraparound)CWE-787 — Out-of-bounds Write10 documents9 sources

Severity

7.4HIGHNVD

EPSS

5.1%

top 10.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Grub2 Fedoraproject Fedora

Timeline

PublishedDec 16

Latest updateMay 14

Description

Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 1.4 | Impact: 5.9

Affected Packages2 packages

▶Debiangnu/grub2< 2.02~beta2-33+3

▶NVDgnu/grub25 versions+4

Also affects: Fedora 23

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-jjvg-65v4-v3cq: Multiple integer underflows in Grub2 1↗2022-05-14

▶

CVEList

CVE-2015-8370: Multiple integer underflows in Grub2 1↗2015-12-16

▶

OSV

CVE-2015-8370: Multiple integer underflows in Grub2 1↗2015-12-16

▶

📋Vendor Advisories

Microsoft

CVE-2015-8370: NIST NVD Details: https://nvd↗2020-08-11

▶

Ubuntu

GRUB vulnerability↗2015-12-15

▶

Red Hat

grub2: buffer overflow when checking password entered during bootup↗2015-12-10

▶

Debian

CVE-2015-8370: grub2 - Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximat...↗2015

▶

💬Community

Bugzilla

CVE-2015-8370 grub2: buffer overflow when checking password entered during bootup [fedora-all]↗2015-12-10

▶

Bugzilla

CVE-2015-8370 grub2: buffer overflow when checking password entered during bootup↗2015-12-01

▶