CentOS 7.x CentOS 8.x Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713)

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jul 30, 2020.

  1. buik
    Already fixed it.
    Seems like I'm suffering from the Cloudflare problems I used to have.


    For example, not being able to log in. Error 5**, logging in but not seeing that you are logged in, certain forum buttons that may or may not temporarily disappear etc.
     
  2. eva2000
    On this forum??? If you get such issues again, you might want to report them at Forum Feedback & Suggestions :)
     
  3. buik
    I travel quite a lot and get to airports regularly.
    It would just be that Cloudflare doesn't like all those public IP addresses.

    With a fixed IP address from work, home or mobile (fixed and business) it's no problem.
     
  4. eva2000
    If you have one of those IPs, I can search my Cloudflare logs to see what's up :)

    edit: you're not coming from an Indian IP ? https://www.cloudflarestatus.com/incidents/nmxgh5pbdkv6

    As to the grub2 issue, it seems a fix was released and apparently it's due to the shim package and not grub2? But I haven't tried it yet: System hangs after POST and the grub menu never loads after applying the RHSA-2020:3216 or RHSA-2020:3217 - Red Hat Customer Portal

    For CentOS 7.8 and Redhat 7.8: Red Hat Customer Portal, but I don't have the shim package installed, so not sure if it applies to the reboot bug fix?

    I do see the fixed shim* package version 15-8.el7 though (the previous shim package version was 15-2.el7).
    Code (Text):
    yum -q list shim\* grub2\* mokutil --disableplugin=versionlock | tr -s ' ' | column -t     
    Installed                      Packages
    grub2.x86_64                   1:2.02-0.81.el7.centos  @base
    grub2-common.noarch            1:2.02-0.81.el7.centos  @base
    grub2-efi-x64.x86_64           1:2.02-0.81.el7.centos  @base
    grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
    grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
    grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
    grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
    grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
    Available                      Packages
    grub2.x86_64                   1:2.02-0.86.el7.centos  updates
    grub2-common.noarch            1:2.02-0.86.el7.centos  updates
    grub2-efi-aa64-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32.x86_64          1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-cdboot.x86_64   1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-x64.x86_64           1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-cdboot.x86_64    1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-i386-modules.noarch      1:2.02-0.86.el7.centos  updates
    grub2-pc.x86_64                1:2.02-0.86.el7.centos  updates
    grub2-pc-modules.noarch        1:2.02-0.86.el7.centos  updates
    grub2-ppc-modules.noarch       1:2.02-0.86.el7.centos  updates
    grub2-ppc64-modules.noarch     1:2.02-0.86.el7.centos  updates
    grub2-ppc64le-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-tools.x86_64             1:2.02-0.86.el7.centos  updates
    grub2-tools-extra.x86_64       1:2.02-0.86.el7.centos  updates
    grub2-tools-minimal.x86_64     1:2.02-0.86.el7.centos  updates
    mokutil.x86_64                 15-8.el7                updates
    shim-ia32.x86_64               15-8.el7                updates
    shim-unsigned-ia32.x86_64      15-8.el7                updates
    shim-unsigned-x64.x86_64       15-8.el7                updates
    shim-x64.x86_64                15-8.el7                updates
    


    and 1862346 – Grub or Shim dies since updating to grub2-2.02-0.86.el7_8 / shim-x64-15-7.el7_8 [rhel-7.8.z]
     
    Last edited: Aug 4, 2020
  5. negative
    @eva2000 Thank you for the solution.

    So, we are waiting for the 0.87+ version to delete the versionlock, so we are safe right now.
    I upgraded all today but didn't reboot them,
    and now I saw your notification, so I can reboot it now safely.
     
  6. eva2000
    Try the reboot on a test server first after the shim package update.
     
  7. negative
    My shim package looks like 15-8.el7 already, so I think I got the fixed shim package when I upgraded today.
    So, I only downgrade grub2 to 0.81.

    Code:
    [23:43][root@host ~]# yum -q list shim\* grub2\* mokutil | tr -s ' ' | column -t
    Installed                      Packages
    grub2.x86_64                   1:2.02-0.81.el7.centos  @base
    grub2-common.noarch            1:2.02-0.81.el7.centos  @base
    grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
    grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
    grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
    grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
    grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
    Available                      Packages
    grub2-efi-aa64-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32.x86_64          1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-cdboot.x86_64   1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-x64.x86_64           1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-cdboot.x86_64    1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-i386-modules.noarch      1:2.02-0.86.el7.centos  updates
    grub2-ppc-modules.noarch       1:2.02-0.86.el7.centos  updates
    grub2-ppc64-modules.noarch     1:2.02-0.86.el7.centos  updates
    grub2-ppc64le-modules.noarch   1:2.02-0.86.el7.centos  updates
    mokutil.x86_64                 15-8.el7                updates
    shim-ia32.x86_64               15-8.el7                updates
    shim-unsigned-ia32.x86_64      15-8.el7                updates
    shim-unsigned-x64.x86_64       15-8.el7                updates
    shim-x64.x86_64                15-8.el7                updates
    Edit: shim looks like it has an upgrade available to 15-8.el7, but I can't upgrade it even if I run the "yum versionlock delete shim\*" command.

    So, how will I upgrade only shim to 15-8?
     
    Last edited: Aug 4, 2020
  8. pamamolf
    At the moment I see: 15-2.el7 :(
     
  9. eva2000
    You don't have the shim yum package installed, so it won't upgrade, so you probably won't have the reboot issue. Not all servers would have the shim package installed. Hence why it's best to do test reboots on test servers, i.e. ones without the shim yum package installed.
     
  10. pamamolf
    Available 15-2.el7 and not yet 15-8.el7 ....

    Any ideas why?
     
  11. ahmed
    Is this bug now fixed or still the same?
     
  12. eva2000
    Seems the issue is fixed and related to the shim packages and not grub2: Red Hat Customer Portal and 1862045 – Grub or Shim dies since updating to grub2-2.02-0.86.el7_8 / shim-x64-15-7.el7_8. Not all servers will have the shim package installed anyway, as it only applies to UEFI BIOS based systems which have Secure Boot enabled, and not all servers would be using a UEFI BIOS or UEFI with Secure Boot enabled.

    You can check if UEFI secure boot is enabled via mokutil
    Code (Text):
    yum -y install mokutil
    yum versionlock shim\* grub2\* mokutil
    mokutil --sb-state
    

    On an OVH UEFI bios server
    Code (Text):
    mokutil --sb-state
    SecureBoot disabled
    

    On my own OVH non-UEFI server
    Code (Text):
    mokutil --sb-state
    EFI variables are not supported on this system
    

    None of my servers actually use UEFI as they are mainly VPS servers, so it's harder to verify. @Matt @rdan @pamamolf @Jimmy might have more UEFI based servers, i.e. with OVH.

    So the grub2 security issue and shim reboot bug only applies to users with systems with UEFI bios and Secure Boot enabled with shim yum package installed.
     
    Last edited: Aug 11, 2020
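To make the decision rule in the post above concrete, here is an added shell example (not code from the thread or from Centmin Mod) that classifies a CentOS 7 host from the three signals the post relies on: EFI support, the `mokutil --sb-state` output, and whether the shim-x64 package is installed. The `classify_exposure` and `needs_versionlock` function names and the label strings are my own; the `mokutil` output strings are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the thread or from Centmin Mod: classify a
# CentOS 7 host's exposure to the shim reboot bug that accompanied the
# BootHole (CVE-2020-10713) grub2 fix, from the three signals the post uses:
# EFI support, `mokutil --sb-state` output, and whether shim-x64 is installed.
# classify_exposure is pure (strings in, label out) so it can be checked with
# constructed inputs; probe_host collects the live values on a real host.

# classify_exposure <efi yes|no> <mokutil --sb-state output> <shim yes|no>
# Prints one label: not-uefi | secureboot-disabled | no-shim | affected | unknown
classify_exposure() {
    efi=$1; sbstate=$2; shim=$3
    if [ "$efi" = no ]; then
        echo not-uefi; return 0          # legacy BIOS or VPS: shim is never loaded
    fi
    case $sbstate in
        *"EFI variables are not supported"*) echo not-uefi; return 0 ;;
        *"SecureBoot disabled"*)             echo secureboot-disabled; return 0 ;;
        *"SecureBoot enabled"*)              ;;   # fall through to the shim check
        *)                                   echo unknown; return 0 ;;
    esac
    if [ "$shim" = no ]; then
        echo no-shim; return 0           # Secure Boot on, but no yum-managed shim
    fi
    echo affected                        # UEFI + Secure Boot + shim: test reboot first
}

# needs_versionlock <label>: succeeds (exit 0) only for hosts that should keep
# shim*/grub2*/mokutil locked until a reboot on a test server is confirmed good.
needs_versionlock() {
    [ "$1" = affected ]
}

# Gather the live values; mokutil and rpm may be missing on a minimal VPS image.
probe_host() {
    if [ -d /sys/firmware/efi ]; then efi=yes; else efi=no; fi
    if command -v mokutil >/dev/null 2>&1; then
        sbstate=$(mokutil --sb-state 2>&1 || true)
    else
        sbstate="mokutil not installed"  # classify_exposure reports unknown
    fi
    if rpm -q shim-x64 >/dev/null 2>&1; then shim=yes; else shim=no; fi
    classify_exposure "$efi" "$sbstate" "$shim"
}

probe_host
```

Run it as root on each host before deciding whether to keep the versionlock; only the `affected` label matches the UEFI + Secure Boot + shim combination the post describes.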
  13. eva2000
    Do yum clean all first
    Code (Text):
    yum clean all
    yum -q list shim\* grub2\* mokutil --disableplugin=versionlock | tr -s ' ' | column -t
    
     
  14. negative
    If the server is running over ESXi, do these problems not affect it then?
    Because the ESXi server told me that

    Code (Text):
    [09:33][root@host ~]# mokutil --sb-state
    EFI variables are not supported on this system


    And

    Code (Text):
    [09:34][root@host ~]# yum -q list shim\* grub2\* mokutil --disableplugin=versionlock | tr -s ' ' | column -t
    Installed                      Packages
    grub2.x86_64                   1:2.02-0.81.el7.centos  @base
    grub2-common.noarch            1:2.02-0.81.el7.centos  @base
    grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
    grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
    grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
    grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
    grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
    mokutil.x86_64                 15-8.el7                @updates
    Available                      Packages
    grub2.x86_64                   1:2.02-0.86.el7.centos  updates
    grub2-common.noarch            1:2.02-0.86.el7.centos  updates
    grub2-efi-aa64-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32.x86_64          1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-cdboot.x86_64   1:2.02-0.86.el7.centos  updates
    grub2-efi-ia32-modules.noarch  1:2.02-0.86.el7.centos  updates
    grub2-efi-x64.x86_64           1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-cdboot.x86_64    1:2.02-0.86.el7.centos  updates
    grub2-efi-x64-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-i386-modules.noarch      1:2.02-0.86.el7.centos  updates
    grub2-pc.x86_64                1:2.02-0.86.el7.centos  updates
    grub2-pc-modules.noarch        1:2.02-0.86.el7.centos  updates
    grub2-ppc-modules.noarch       1:2.02-0.86.el7.centos  updates
    grub2-ppc64-modules.noarch     1:2.02-0.86.el7.centos  updates
    grub2-ppc64le-modules.noarch   1:2.02-0.86.el7.centos  updates
    grub2-tools.x86_64             1:2.02-0.86.el7.centos  updates
    grub2-tools-extra.x86_64       1:2.02-0.86.el7.centos  updates
    grub2-tools-minimal.x86_64     1:2.02-0.86.el7.centos  updates
    shim-ia32.x86_64               15-8.el7                updates
    shim-unsigned-ia32.x86_64      15-8.el7                updates
    shim-unsigned-x64.x86_64       15-8.el7                updates
    shim-x64.x86_64                15-8.el7                updates
     
    Last edited: Aug 11, 2020
  15. eva2000
    Not familiar with ESXi, but pretty sure for virtualized environments there would be 2 sets of yum update fixes: one within the guest virtualized container and one at the host node higher level which manages the virtualized server containers/VPS servers.
     
  16. Jon Snow
    I'm guessing Linode servers should be fine if you're OK?
     
  17. Andy
    @eva2000
    Is the grub2 issue fixed yet as of today? I remember last time that you said to lock the grub version.
    Every time I exit the centmin menu 24, it shows this:
    Following Updates are available:
    -------------------------------------------------------------
    grub2.x86_64 1:2.02-0.86.el7.centos updates
    grub2-common.noarch 1:2.02-0.86.el7.centos updates
    grub2-pc.x86_64 1:2.02-0.86.el7.centos updates
    grub2-pc-modules.noarch 1:2.02-0.86.el7.centos updates
    grub2-tools.x86_64 1:2.02-0.86.el7.centos updates
    grub2-tools-extra.x86_64 1:2.02-0.86.el7.centos updates
    grub2-tools-minimal.x86_64 1:2.02-0.86.el7.centos updates
     
  18. eva2000
    yes see CentOS 7.x - CentOS 8.x - Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713) :)
     
  19. Andy
  20. eva2000
    @Andy just quoting the post.
    Basically you only need to versionlock if your SecureBoot state check comes back as enabled. But since the yum packages have been fixed there is no need to versionlock, and you can follow this thread's instructions to remove the versionlock and do yum upgrades.