Security CentOS 7 grub2 security update bug prevents server reboots workaround

Discussion in 'Centmin Mod News' started by eva2000, Aug 1, 2020.

Thread Status:
Not open for further replies.
  1. eva2000
    The CentOS 7 & 8 grub2 security update fix for the BootHole vulnerability has a bug that prevents server reboots. So a workaround fix requires downgrading yum packages if they have been updated. Centmin Mod LEMP stack users have detailed instructions at CentOS 7.x - CentOS 8.x - Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713) for CentOS 7 (CentOS 8 isn't supported in Centmin Mod yet, so it wouldn't apply) - you can either exclude or version lock the packages to prevent the update until new fixed yum packages are released.

  2. eva2000
    According to the Red Hat Customer Portal, the bad update packages preventing CentOS 7 and 8 from rebooting are:
    Code (Text):
    x86_64
    fwupdate-12-6.el7_8.x86_64.rpm
    fwupdate-debuginfo-12-6.el7_8.x86_64.rpm
    fwupdate-debuginfo-12-6.el7_8.x86_64.rpm
    fwupdate-devel-12-6.el7_8.x86_64.rpm
    fwupdate-efi-12-6.el7_8.x86_64.rpm
    fwupdate-libs-12-6.el7_8.x86_64.rpm
    grub2-2.02-0.86.el7_8.x86_64.rpm
    grub2-common-2.02-0.86.el7_8.noarch.rpm
    grub2-debuginfo-2.02-0.86.el7_8.x86_64.rpm
    grub2-debuginfo-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-aa64-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-efi-ia32-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-ia32-cdboot-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-ia32-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-efi-x64-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-x64-cdboot-2.02-0.86.el7_8.x86_64.rpm
    grub2-efi-x64-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-pc-2.02-0.86.el7_8.x86_64.rpm
    grub2-pc-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-ppc-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-ppc64-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-ppc64le-modules-2.02-0.86.el7_8.noarch.rpm
    grub2-tools-2.02-0.86.el7_8.x86_64.rpm
    grub2-tools-extra-2.02-0.86.el7_8.x86_64.rpm
    grub2-tools-minimal-2.02-0.86.el7_8.x86_64.rpm
    mokutil-15-7.el7_8.x86_64.rpm
    mokutil-debuginfo-15-7.el7_8.x86_64.rpm
    shim-ia32-15-7.el7_8.x86_64.rpm
    shim-unsigned-ia32-15-7.el7_9.x86_64.rpm
    shim-unsigned-x64-15-7.el7_9.x86_64.rpm
    shim-x64-15-7.el7_8.x86_64.rpm
    

    On my CentOS 7 system I have yet to run yum update, so the grub2 packages are still the previous 2.0.2-0.81.el7 versions and not the updated bad grub2 2.0.2-0.86.el7 packages.
    Code (Text):
    yum -q list shim\* grub2\* mokutil | tr -s ' ' | column -t
    Installed                      Packages
    grub2.x86_64                   1:2.02-0.81.el7.centos  @base
    grub2-common.noarch            1:2.02-0.81.el7.centos  @base
    grub2-efi-x64.x86_64           1:2.02-0.81.el7.centos  @base
    grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
    grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
    grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
    grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
    grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
    Available                      Packages
    grub2-efi-aa64-modules.noarch  1:2.02-0.81.el7.centos  base
    grub2-efi-ia32.x86_64          1:2.02-0.81.el7.centos  base
    grub2-efi-ia32-cdboot.x86_64   1:2.02-0.81.el7.centos  base
    grub2-efi-ia32-modules.noarch  1:2.02-0.81.el7.centos  base
    grub2-efi-x64-cdboot.x86_64    1:2.02-0.81.el7.centos  base
    grub2-efi-x64-modules.noarch   1:2.02-0.81.el7.centos  base
    grub2-i386-modules.noarch      1:2.02-0.81.el7.centos  base
    grub2-ppc-modules.noarch       1:2.02-0.81.el7.centos  base
    grub2-ppc64-modules.noarch     1:2.02-0.81.el7.centos  base
    grub2-ppc64le-modules.noarch   1:2.02-0.81.el7.centos  base
    mokutil.x86_64                 15-2.el7.centos         base
    shim-ia32.x86_64               15-2.el7.centos         base
    shim-unsigned-ia32.x86_64      15-2.el7.centos         base
    shim-unsigned-x64.x86_64       15-2.el7.centos         base
    shim-x64.x86_64                15-2.el7.centos         base
    

    If you see the bad 2.0.2-0.86.el7 grub2 packages installed in the output of the above command, you need to downgrade to the previous version first:
    Code (Text):
    yum downgrade shim\* grub2\* mokutil

    Listing the available updates shows the updated bad grub2 2.0.2-0.86.el7 packages:
    Code (Text):
    yum -q list updates shim\* grub2\* mokutil | tr -s ' ' | column -t
    Updated                     Packages
    grub2.x86_64                1:2.02-0.86.el7.centos  updates
    grub2-common.noarch         1:2.02-0.86.el7.centos  updates
    grub2-efi-x64.x86_64        1:2.02-0.86.el7.centos  updates
    grub2-pc.x86_64             1:2.02-0.86.el7.centos  updates
    grub2-pc-modules.noarch     1:2.02-0.86.el7.centos  updates
    grub2-tools.x86_64          1:2.02-0.86.el7.centos  updates
    grub2-tools-extra.x86_64    1:2.02-0.86.el7.centos  updates
    grub2-tools-minimal.x86_64  1:2.02-0.86.el7.centos  updates
    

    So for now I'm going to lock in my working 2.0.2-0.81.el7 packages via the yum versionlock plugin, which Centmin Mod installs, rather than use yum.conf excludes - just easier to manage this way for now:
    Code (Text):
    yum versionlock shim\* grub2\* mokutil

    Output:
    Code (Text):
    yum versionlock shim\* grub2\* mokutil
    Loaded plugins: fastestmirror, priorities, versionlock
    Adding versionlock on: 1:grub2-tools-minimal-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-tools-extra-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-efi-x64-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-common-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-pc-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-tools-2.02-0.81.el7.centos
    Adding versionlock on: 1:grub2-pc-modules-2.02-0.81.el7.centos
    versionlock added: 8
    

    Once locked, yum update won't see available updates for the locked packages:
    Code (Text):
    yum -q list updates shim\* grub2\* mokutil | tr -s ' ' | column -t
    Error: No matching Packages to list
    

    Later, when Redhat/CentOS release a fixed grub2 2.0.2-0.87+ or higher version, you can remove the yum versionlock via the command below, which will allow yum updates to pick up the updated grub2 packages:
    Code (Text):
    yum versionlock delete shim\* grub2\* mokutil
    Loaded plugins: fastestmirror, priorities, versionlock
    Deleting versionlock for: 1:grub2-tools-minimal-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-tools-extra-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-efi-x64-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-common-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-pc-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-tools-2.02-0.81.el7.centos.*
    Deleting versionlock for: 1:grub2-pc-modules-2.02-0.81.el7.centos.*
    versionlock deleted: 8
    
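As an added example (not part of eva2000's posts or of Centmin Mod), a small POSIX sh pre-reboot check that classifies installed grub2/shim/mokutil builds against the known-bad releases quoted above (grub2 2.02-0.86.el7*, shim and mokutil 15-7.el7*), so an automated reboot can be refused until the packages are downgraded or version-locked. It assumes rpm's `--queryformat` output of `NAME VERSION-RELEASE`; the sample input is constructed to mirror the versions shown in the thread.

```bash
#!/bin/sh
# Added example, not from the original post. Flags the BootHole update builds
# that the thread reports as preventing CentOS 7 from rebooting.

# $1 is one line of "name version-release", e.g. "grub2 2.02-0.86.el7.centos".
# Returns 0 (true) when the package is one of the known-bad builds.
is_bad_boothole_pkg() {
  set -- $1
  name=$1; vr=$2
  case "$name" in
    grub2*)         case "$vr" in 2.02-0.86.el7*) return 0 ;; esac ;;
    shim*|mokutil*) case "$vr" in 15-7.el7*)      return 0 ;; esac ;;
  esac
  return 1
}

# Reads "name version-release" lines on stdin, prints each bad package as
# "BAD: ..." and returns 1 if any were found (0 when the host is safe to reboot).
check_boothole_pkgs() {
  found=0
  while read -r line; do
    [ -n "$line" ] || continue
    if is_bad_boothole_pkg "$line"; then
      echo "BAD: $line"
      found=1
    fi
  done
  return $found
}

# Constructed samples matching the yum listings in the thread.
SAMPLE_GOOD='grub2 2.02-0.81.el7.centos
grub2-efi-x64 2.02-0.81.el7.centos
shim-x64 15-2.el7.centos'
SAMPLE_BAD='grub2 2.02-0.86.el7.centos
grub2-pc 2.02-0.86.el7.centos
mokutil 15-7.el7_8'

# On a real host, replace the sample with the live package list:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'grub2*' 'shim*' mokutil | check_boothole_pkgs
if printf '%s\n' "$SAMPLE_BAD" | check_boothole_pkgs; then
  echo "no known-bad BootHole packages installed; safe to reboot"
else
  echo "known-bad BootHole packages present: downgrade (yum downgrade shim\* grub2\* mokutil) before rebooting"
fi
```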