#VU97100 Privilege Defined With Unsafe Actions in grub - CVE-2019-14865


Vulnerability identifier: #VU97100

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-14865

CWE-ID: CWE-267

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
grub
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in the grub2-set-bootflag utility. A local user can run this utility under resource pressure (for example by setting RLIMIT), causing grub2 configuration files to be truncated and leaving the system unbootable on subsequent reboots.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

grub: 2.00

External links
https://seclists.org/oss-sec/2019/q4/101
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14865
https://access.redhat.com/errata/RHSA-2020:0335
https://www.openwall.com/lists/oss-security/2024/02/06/3

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for grub2
Amazon Linux AMI update for grub2
Multiple vulnerabilities in Juniper Secure Analytics (JSA)
openEuler update for grub2
Red Hat Enterprise Linux 8 update for grub2
Fedora 30 update for grub2
Denial of service in grub
Fedora 30 update for grub2
Fedora 31 update for grub2
Fedora 30 update for grub2