CVE-2015-8370
Summary
| CVE | CVE-2015-8370 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-12-16 21:59:00 UTC |
| Updated | 2024-01-16 01:15:00 UTC |
| Description | Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 23 | All | All | All |
| Operating System | Fedoraproject | Fedora | 23 | All | All | All |
| Application | Gnu | Grub2 | 1.98 | All | All | All |
| Application | Gnu | Grub2 | 1.99 | All | All | All |
| Application | Gnu | Grub2 | 2.00 | All | All | All |
| Application | Gnu | Grub2 | 2.01 | All | All | All |
| Application | Gnu | Grub2 | 2.02 | All | All | All |
| Application | Gnu | Grub2 | 1.98 | All | All | All |
| Application | Gnu | Grub2 | 1.99 | All | All | All |
| Application | Gnu | Grub2 | 2.00 | All | All | All |
| Application | Gnu | Grub2 | 2.01 | All | All | All |
| Application | Gnu | Grub2 | 2.02 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [security-announce] openSUSE-SU-2015:2392-1: important: Security update | SUSE | lists.opensuse.org | |
| SecurityFocus | BUGTRAQ | www.securityfocus.com | |
| Debian -- Security Information -- DSA-3421-1 grub2 | DEBIAN | www.debian.org | |
| [security-announce] openSUSE-SU-2015:2375-1: important: Security update | SUSE | lists.opensuse.org | |
| oss-security - Back to 28: Grub2 Authentication Bypass 0-Day [CVE-2015-8370] | MLIST | www.openwall.com | |
| Full Disclosure: Back to 28: Grub2 Authentication Bypass 0-Day [CVE-2015-8370] | FULLDISC | seclists.org | |
| [SECURITY] Fedora 23 Update: grub2-2.02-0.25.fc23 | FEDORA | lists.fedoraproject.org | |
| [security-announce] SUSE-SU-2015:2386-1: important: Security update for | SUSE | lists.opensuse.org | |
| [security-announce] SUSE-SU-2015:2399-1: important: Security update for | SUSE | lists.opensuse.org | |
| [SECURITY] Fedora 22 Update: grub2-2.02-0.18.fc22 | FEDORA | lists.fedoraproject.org | |
| [security-announce] SUSE-SU-2015:2385-1: important: Security update for | SUSE | lists.opensuse.org | |
| [security-announce] SUSE-SU-2015:2387-1: important: Security update for | SUSE | lists.opensuse.org | |
| Oracle Linux Bulletin - October 2015 | CONFIRM | www.oracle.com | |
| [security-announce] openSUSE-SU-2016:0036-1: important: Security update | SUSE | lists.opensuse.org | |
| GNU GRUB2 CVE-2015-8370 Multiple Local Authentication Bypass Vulnerabilities | BID | www.securityfocus.com | |
| GNU GRUB Authentication Bug Lets Local Users Bypass Authentication and Gain Elevated Privileges - SecurityTracker | SECTRACK | www.securitytracker.com | |
| GRUB: Authentication bypass (GLSA 201512-03) — Gentoo Security | GENTOO | security.gentoo.org | |
| Grub2 Authentication Bypass ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Back to 28: Grub2 Authentication Bypass 0-Day | MISC | hmarco.org | Exploit |
| oss-security - CVE-2023-4001: a password bypass vulnerability in the downstream GRUB boot manager | www.openwall.com | ||
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| USN-2836-1: GRUB vulnerability | Ubuntu | UBUNTU | www.ubuntu.com | |
| Oracle Critical Patch Update - January 2016 | CONFIRM | www.oracle.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.