Security update for shim SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:2629-1 Final 1 1 2020-09-14T16:12:03Z current 2020-09-14T16:12:03Z 2020-09-14T16:12:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for shim This update for shim fixes the following issues: This update addresses the 'BootHole' security issue (master CVE CVE-2020-10713), by disallowing binaries signed by the previous SUSE UEFI signing key from booting. This update should only be installed after updates of grub2, the Linux kernel and (if used) Xen from July / August 2020 are applied. Changes: Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994) + Add dbx-cert.tar.xz which contains the certificates to block and a script, generate-vendor-dbx.sh, to generate vendor-dbx.bin + Add vendor-dbx.bin as the vendor dbx to block unwanted keys - Update the path to grub-tpm.efi in shim-install (bsc#1174320) - Only check EFI variable copying when Secure Boot is enabled (bsc#1173411) - Use the full path of efibootmgr to avoid errors when invoking shim-install from packagekitd (bsc#1168104) - shim-install: add check for btrfs is used as root file system to enable relative path lookup for file. (bsc#1153953) - shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-2629,SUSE-SLE-Module-Basesystem-15-SP1-2020-2629,SUSE-SLE-Module-Basesystem-15-SP2-2020-2629 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20202629-1/ Link for SUSE-SU-2020:2629-1 https://lists.suse.com/pipermail/sle-security-updates/2020-September/007421.html E-Mail link for SUSE-SU-2020:2629-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1113225 SUSE Bug 1113225 https://bugzilla.suse.com/1121268 SUSE Bug 1121268 https://bugzilla.suse.com/1153953 SUSE Bug 1153953 https://bugzilla.suse.com/1168104 SUSE Bug 1168104 https://bugzilla.suse.com/1168994 SUSE Bug 1168994 https://bugzilla.suse.com/1173411 SUSE Bug 1173411 https://bugzilla.suse.com/1174320 SUSE Bug 1174320 https://bugzilla.suse.com/1175626 SUSE Bug 1175626 https://bugzilla.suse.com/1175656 SUSE Bug 1175656 https://www.suse.com/security/cve/CVE-2020-10713/ SUSE CVE CVE-2020-10713 page SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Basesystem 15 SP2 shim-15+git47-3.8.1 shim-15+git47-3.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 shim-15+git47-3.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-10713 SUSE Linux Enterprise Module for Basesystem 15 SP1:shim-15+git47-3.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:shim-15+git47-3.8.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202629-1/ https://www.suse.com/security/cve/CVE-2020-10713.html CVE-2020-10713 https://bugzilla.suse.com/1168994 SUSE Bug 1168994 https://bugzilla.suse.com/1173456 SUSE Bug 1173456 https://bugzilla.suse.com/1173812 SUSE Bug 1173812 https://bugzilla.suse.com/1199353 SUSE Bug 1199353