CentOS 7.x CentOS 8.x Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713)

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jul 30, 2020.

  1. buik (Premium Member)

    Already fixed it.
    Seems like I'm suffering from the Cloudflare problems I used to have.

    For example, not being able to log in. Error 5**, logging in but not seeing that you are logged in, certain forum buttons that may or may not temporarily disappear etc.
     
  2. eva2000 (Administrator, Staff Member)

    On this forum??? If you get such issues again, you might want to report them at Forum Feedback & Suggestions :)
     
  3. buik (Premium Member)

    I travel quite a lot and get to airports regularly.
    It would just be that Cloudflare doesn't like all those public IP addresses.

    With a fixed IP address from work, home or mobile (fixed and business) it's no problem.
     
  4. eva2000 (Administrator, Staff Member)

    If you have one of those IPs, I can search my Cloudflare logs to see what's up :)

    Edit: you're not coming from an Indian IP? https://www.cloudflarestatus.com/incidents/nmxgh5pbdkv6

    As to the grub2 issue, it seems a fix was released and apparently it's due to the shim package and not grub2? But I haven't tried it yet: System hangs after POST and the grub menu never loads after applying the RHSA-2020:3216 or RHSA-2020:3217 - Red Hat Customer Portal

    For CentOS 7.8 and Redhat 7.8: Red Hat Customer Portal. But I don't have the shim package installed, so I'm not sure if it applies to the reboot bug fix?

    I do see the fixed shim* package version 15-8.el7 though (the previous shim package version was 15-2.el7).
    Code (Text):
    yum -q list shim\* grub2\* mokutil --disableplugin=versionlock | tr -s ' ' | column -t     
    Installed                      Packages
    grub2.x86_64                   1:2.02-0.81.el7.centos  @base
    grub2-common.noarch            1:2.02-0.81.el7.centos  @base
    grub2-efi-x64.x86_64           1:2.02-0.81.el7.centos  @base
    grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
    grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
    grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
    grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
    grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
    Available                      Packages
    grub2.x86_64                   1:2.02-0.86.el7.centos  updates
    grub2-common.noarch            1:2.02-0.86.el7.centos  updates
    grub2-efi-aa64-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32.x86_64          1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-cdboot.x86_64   1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-x64.x86_64           1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-cdboot.x86_64    1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-i386-modules.noarch      1:2.02-0.86.el7.centos  updates
    grub2-pc.x86_64                1:2.02-0.86.el7.centos  updates
    grub2-pc-modules.noarch        1:2.02-0.86.el7.centos  updates
    grub2-ppc-modules.noarch       1:2.02-0.86.el7.centos  updates
    grub2-ppc64-modules.noarch     1:2.02-0.86.el7.centos  updates
    grub2-ppc64le-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-tools.x86_64             1:2.02-0.86.el7.centos  updates
    grub2-tools-extra.x86_64       1:2.02-0.86.el7.centos  updates
    grub2-tools-minimal.x86_64     1:2.02-0.86.el7.centos  updates
    mokutil.x86_64                 15-8.el7                updates
    shim-ia32.x86_64               15-8.el7                updates
    shim-unsigned-ia32.x86_64      15-8.el7                updates
    shim-unsigned-x64.x86_64       15-8.el7                updates
    shim-x64.x86_64                15-8.el7                updates
    


    and 1862346 – Grub or Shim dies since updating to grub2-2.02-0.86.el7_8 / shim-x64-15-7.el7_8 [rhel-7.8.z]
     
    Last edited: Aug 4, 2020
  5. negative (Active Member)

    @eva2000 Thank you for the solution.

    So, we are waiting for the 0.87+ version to delete the versionlock, so we are safe right now.
    I upgraded everything today but didn't reboot them,
    and now I saw your notification, so I can reboot them safely now.
     
  6. eva2000 (Administrator, Staff Member)

    Try the reboot after the shim package update on a test server first.
     
  7. negative (Active Member)

    My shim package already looks like 15-8.el7, so I think I got the fixed shim package when I upgraded today.
    So I only downgraded grub2 to 0.81.

    Code:
    [23:43][root@host ~]# yum -q list shim\* grub2\* mokutil | tr -s ' ' | column -t
    Installed                      Packages
    grub2.x86_64                   1:2.02-0.81.el7.centos  @base
    grub2-common.noarch            1:2.02-0.81.el7.centos  @base
    grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
    grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
    grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
    grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
    grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
    Available                      Packages
    grub2-efi-aa64-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32.x86_64          1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-cdboot.x86_64   1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-x64.x86_64           1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-cdboot.x86_64    1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-i386-modules.noarch      1:2.02-0.86.el7.centos  updates
    grub2-ppc-modules.noarch       1:2.02-0.86.el7.centos  updates
    grub2-ppc64-modules.noarch     1:2.02-0.86.el7.centos  updates
    grub2-ppc64le-modules.noarch   1:2.02-0.86.el7.centos  updates
    mokutil.x86_64                 15-8.el7                updates
    shim-ia32.x86_64               15-8.el7                updates
    shim-unsigned-ia32.x86_64      15-8.el7                updates
    shim-unsigned-x64.x86_64       15-8.el7                updates
    shim-x64.x86_64                15-8.el7                updates
    Edit: shim looks like it has an available upgrade to 15-8.el7, but I can't upgrade it even when I run the "yum versionlock delete shim\*" command.

    So, how will I upgrade only shim to 15-8?
     
    Last edited: Aug 4, 2020
  8. pamamolf (Premium Member)

    At the moment I see: 15-2.el7 :(
     
  9. eva2000 (Administrator, Staff Member)

    You don't have the shim yum package installed, so it won't upgrade, so you probably won't have the reboot issue. Not all servers would have the shim package installed. Hence why it's best to do test reboots on test servers, i.e. one without the shim yum package installed.
     
  10. pamamolf (Premium Member)

    Available 15-2.el7 and not yet 15-8.el7 ....

    Any ideas why?
     
  11. ahmed (Active Member)

    Is this bug now fixed or still the same?
     
  12. eva2000 (Administrator, Staff Member)

    Seems the issue is fixed and related to the shim packages and not grub2 (Red Hat Customer Portal and 1862045 – Grub or Shim dies since updating to grub2-2.02-0.86.el7_8 / shim-x64-15-7.el7_8), and not all servers will have the shim package installed anyway, as it only applies to UEFI BIOS based systems which have Secure Boot enabled, and not all servers would be using UEFI BIOS or UEFI with Secure Boot enabled.

    You can check if UEFI secure boot is enabled via mokutil
    Code (Text):
    yum -y install mokutil
    yum versionlock shim\* grub2\* mokutil
    mokutil --sb-state
    

    On an OVH UEFI BIOS server:
    Code (Text):
    mokutil --sb-state
    SecureBoot disabled
    

    On my own OVH non-UEFI server:
    Code (Text):
    mokutil --sb-state
    EFI variables are not supported on this system
    

    None of my servers actually use UEFI, as they are mainly VPS servers, so it's harder to verify. @Matt @rdan @pamamolf @Jimmy might have more UEFI based servers, i.e. with OVH.

    So the grub2 security issue and the shim reboot bug only apply to users with UEFI BIOS systems that have Secure Boot enabled and the shim yum package installed.
     
    Last edited: Aug 11, 2020
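The two checks this post relies on (the `mokutil --sb-state` output and the `yum -q list shim\* grub2\* mokutil | tr -s ' ' | column -t` listing that posts 4 and 7 also paste) can be combined into one classification script. The script below is an added example, not code from the thread or from Centmin Mod. It assumes the `column -t` listing format shown in the thread, takes 15-8.el7 as the fixed shim build the thread names, works on constructed sample listings rather than real hosts, and the function names (`sb_state`, `installed_version`, `vercmp`, `assess`) are my own. It goes slightly beyond the thread in that `vercmp` compares any rpm-style `epoch:version-release` string field by field, not just the two shim builds mentioned. The verdict follows the post's conclusion: the reboot-hang path only matters on a UEFI host with Secure Boot enabled and a shim package installed, which is when eva2000's advice to test-reboot first applies.

```shell
#!/bin/sh
# Added example, not from the thread: classify a CentOS 7 host against the
# "UEFI + Secure Boot enabled + shim installed" condition under which the
# shim/grub2 reboot bug discussed above matters. Both inputs are passed in as
# text so the logic can be exercised offline on constructed samples.

# Fixed shim build named in the thread (assumption: el7 only).
FIXED_SHIM="15-8.el7"

# Map `mokutil --sb-state` output to: enabled | disabled | no-efi | unknown
sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)              echo enabled ;;
        *"SecureBoot disabled"*)             echo disabled ;;
        *"EFI variables are not supported"*) echo no-efi ;;
        *)                                   echo unknown ;;
    esac
}

# Print the installed version of package $2 from yum list text $1, looking
# only at the "Installed Packages" section; prints nothing if it is absent.
installed_version() {
    printf '%s\n' "$1" | awk -v pkg="$2" '
        /^Installed/ { in_inst = 1; next }
        /^Available/ { in_inst = 0 }
        in_inst && $1 == pkg { print $2; exit }'
}

# Compare rpm-style strings (epoch:version-release) field by field, numerically
# where both fields are digits; prints older | same | newer for $1 versus $2.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.:-]/); nb = split(b, B, /[.:-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) { print "older"; exit }
            if (x > y) { print "newer"; exit }
        }
        print "same"
    }'
}

# Combine the checks the way the thread's conclusion does:
# $1 = mokutil --sb-state output, $2 = yum list output (column -t format).
assess() {
    sb=$(sb_state "$1")
    shim=$(installed_version "$2" shim-x64.x86_64)
    if [ "$sb" = no-efi ]; then echo not-affected-no-uefi; return 0; fi
    if [ -z "$shim" ]; then echo not-affected-no-shim; return 0; fi
    if [ "$sb" != enabled ]; then echo shim-installed-secureboot-off; return 0; fi
    case "$(vercmp "$shim" "$FIXED_SHIM")" in
        older) echo shim-needs-update ;;   # reboot-test on a spare box first
        *)     echo shim-fixed ;;
    esac
}

# Constructed samples in the thread's `column -t` layout (not real hosts).
SAMPLE_NO_SHIM='Installed                      Packages
grub2.x86_64                   1:2.02-0.81.el7.centos  @base
grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
Available                      Packages
grub2.x86_64                   1:2.02-0.86.el7.centos  updates
shim-x64.x86_64                15-8.el7                updates'

SAMPLE_OLD_SHIM='Installed                      Packages
grub2-efi-x64.x86_64           1:2.02-0.81.el7.centos  @base
shim-x64.x86_64                15-2.el7                @base
Available                      Packages
shim-x64.x86_64                15-8.el7                updates'

# Stand-alone run: verdicts for the samples, then for this host if the tools exist.
echo "VPS without EFI variables:  $(assess 'EFI variables are not supported on this system' "$SAMPLE_NO_SHIM")"
echo "Secure Boot on, shim 15-2:  $(assess 'SecureBoot enabled' "$SAMPLE_OLD_SHIM")"
if command -v mokutil >/dev/null 2>&1 && command -v yum >/dev/null 2>&1; then
    live_sb=$(mokutil --sb-state 2>&1 || true)
    live_pkgs=$(yum -q list shim\* grub2\* mokutil --disableplugin=versionlock 2>/dev/null \
                | tr -s ' ' | column -t || true)
    echo "this host:                  $(assess "$live_sb" "$live_pkgs")"
fi
```

Run it as `sh check-shim.sh` on a box; the last line only appears where `mokutil` and `yum` are present. The listing is read exactly as pasted in the thread, so the live command keeps the `--disableplugin=versionlock` flag from post 4 so that a versionlocked shim still shows up under "Available Packages".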
  13. eva2000 (Administrator, Staff Member)

    Do yum clean all first:
    Code (Text):
    yum clean all
    yum -q list shim\* grub2\* mokutil --disableplugin=versionlock | tr -s ' ' | column -t
    
     
  14. negative (Active Member)

    If the server is running on ESXi, then these problems don't affect it? Because the ESXi server told me this:

    Code (Text):
    [09:33][root@host ~]# mokutil --sb-state
    EFI variables are not supported on this system


    And

    Code (Text):
    [09:34][root@host ~]# yum -q list shim\* grub2\* mokutil --disableplugin=versionlock | tr -s ' ' | column -t
    Installed                      Packages
    grub2.x86_64                   1:2.02-0.81.el7.centos  @base
    grub2-common.noarch            1:2.02-0.81.el7.centos  @base
    grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
    grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
    grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
    grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
    grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
    mokutil.x86_64                 15-8.el7                @updates
    Available                      Packages
    grub2.x86_64                   1:2.02-0.86.el7.centos  updates
    grub2-common.noarch            1:2.02-0.86.el7.centos  updates
    grub2-efi-aa64-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32.x86_64          1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-cdboot.x86_64   1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-x64.x86_64           1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-cdboot.x86_64    1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-i386-modules.noarch      1:2.02-0.86.el7.centos  updates
    grub2-pc.x86_64                1:2.02-0.86.el7.centos  updates
    grub2-pc-modules.noarch        1:2.02-0.86.el7.centos  updates
    grub2-ppc-modules.noarch       1:2.02-0.86.el7.centos  updates
    grub2-ppc64-modules.noarch     1:2.02-0.86.el7.centos  updates
    grub2-ppc64le-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-tools.x86_64             1:2.02-0.86.el7.centos  updates
    grub2-tools-extra.x86_64       1:2.02-0.86.el7.centos  updates
    grub2-tools-minimal.x86_64     1:2.02-0.86.el7.centos  updates
    shim-ia32.x86_64               15-8.el7                updates
    shim-unsigned-ia32.x86_64      15-8.el7                updates
    shim-unsigned-x64.x86_64       15-8.el7                updates
    shim-x64.x86_64                15-8.el7                updates
     
    Last edited: Aug 11, 2020
  15. eva2000 (Administrator, Staff Member)

    Not familiar with ESXi, but I'm pretty sure that for virtualized environments there would be 2 sets of yum update fixes: one within the guest virtualized container and one at the higher host node level which manages the virtualized server containers/VPS servers.
     
  16. Jon Snow (Active Member)

    I'm guessing Linode servers should be fine if you're OK?