CVE-2020-10713

Support for security such as Firewalls and securing linux
B3K
Posts: 1
Joined: 2020/07/29 21:58:55

CVE-2020-10713

Post by B3K » 2020/07/29 22:00:57

Any plans to release a fix for Boot Hole?

User avatar
TrevorH
Forum Moderator
Posts: 29105
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2020-10713

Post by TrevorH » 2020/07/29 22:44:16

CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

dasergatskov
Posts: 2
Joined: 2020/07/30 15:05:53

Re: CVE-2020-10713

Post by dasergatskov » 2020/07/30 15:12:12

Not sure if today's (2020-07-30) kernel update addresses this issue, but it kills UEFI boot on my computer reliably.
I reinstalled and run "dnf update" and on reboot it does not see my disk as bootable.
This is a Ryzen system and i do not use secure boot.

Sincerely,

Dmitri.
--

User avatar
TrevorH
Forum Moderator
Posts: 29105
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2020-10713

Post by TrevorH » 2020/07/30 15:19:58

Yes. Personally I would hold off on trying to put these on as there are several reports of it killing machines.

See the thread in the CentOS 7 forums too: viewtopic.php?f=47&t=75195
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Suranovi
Posts: 4
Joined: 2020/07/30 15:19:08

Re: CVE-2020-10713

Post by Suranovi » 2020/07/30 15:49:49

Hello,

I have the same problem here.

I have installed a Centos 8.2 on an headless PC i use as a multi-purpose server (nextcloud, dhcp, dns, etc...). It's based on a basic installation with no desktop environnment. The system boots on UEFI and is installed on an NVME SSD.

This morning i saw that there was a kernel and grub2 update, so i updated it. Now i can't boot it anymore, i'm stuck at BIOS screen, not even on grub error.

I have tried to boot on my Centos USB and reach my system via the troubleshooting option. I can get my system and browse it with a chroot.

However i can't restore it to a functionnal state. I have tried some tutorials on reinstalling grub2 without success because i have no network access.

Hope there'll be an offline patch to correct this.

dasergatskov
Posts: 2
Joined: 2020/07/30 15:05:53

Re: CVE-2020-10713

Post by dasergatskov » 2020/07/30 15:57:31

Here is how to repair it:
https://bugzilla.redhat.com/show_bug.cgi?id=1861977#c7

Dmitri.
--

User avatar
TrevorH
Forum Moderator
Posts: 29105
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2020-10713

Post by TrevorH » 2020/07/30 16:39:32

This is being tracked upstream on https://bugzilla.redhat.com/show_bug.cgi?id=1861977 (for CentOS 8).

I think it would be useful to gather some data about the exact types of machine that are being affected here. Makes? models? BIOS/UEFI versions? Secure Boot on or off? using UEFI or Legacy BIOS? How you applied the update? (I've seen one report that said the GUI software updater broke it and running yum from the command line after restoring back to the old versions worked).

There is a separate bz entry for the same problem on CentOS 7 and that's https://bugzilla.redhat.com/show_bug.cgi?id=1862045 which I'll also post on the CentOS 7 thread of a similar nature.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

hackjoe
Posts: 3
Joined: 2006/03/29 21:07:41

Re: CVE-2020-10713

Post by hackjoe » 2020/07/30 18:23:05

All these are VMs with UEFI and Secure Boot disabled.

KVM: 2 test VMs just to catch this sort of thing running on my workstation, both updated and booted fine.

KVM: 2 VMs running on a production server, both updated and booted fine.

HyperV: 3 VMs on a failover cluster. These failed. Fix was boot a rescue CD. chroot to /mnt/sysimge. Enable the network. SCP the older versions of shimx64.efi and shimx64-centos.efi to /boot/efi/EFI/centos. Reboots fine with the updated kernel. Does do a SELinux relabel with a reboot.

Code: Select all

uname -r
4.18.0-193.14.2.el8_2.x86_64

ll /boot/efi/EFI/centos/
total 7792
-rwx------. 1 root root     134 Jul 28 12:26 BOOTX64.CSV
drwx------. 2 root root    8192 Jul 28 16:46 fonts
-rwx------. 1 root root    4992 Oct 23  2019 grub.cfg
-rwx------. 1 root root    1024 Jul 30 09:58 grubenv
-rwx------. 1 root root 1893144 Jul 28 16:46 grubx64.efi
-rwx------. 1 root root 1160144 Jul 28 12:26 mmx64.efi
-rwx------. 1 root root 1205152 Jul 30 09:54 shimx64-centos.efi
-rwx------. 1 root root 1205160 Jul 28 12:26 shimx64-centos.old
-rwx------. 1 root root 1211224 Jul 30 09:54 shimx64.efi
-rwx------. 1 root root 1244480 Jul 28 12:26 shimx64.old
The strange part is I did a fresh install on the HyperV cluster and that VM boots fine with the updated files. So not sure what breaks during an update because the files clearly seem to work on the cluster.

Code: Select all

uname -r
4.18.0-193.14.2.el8_2.x86_64

ll /boot/efi/EFI/centos/
total 5424
-rwx------. 1 root root     134 Jul 28 12:26 BOOTX64.CSV
drwx------. 2 root root    8192 Jul 28 16:46 fonts
-rwx------. 1 root root    5892 Jul 30 08:27 grub.cfg
-rwx------. 1 root root    1024 Jul 30 08:27 grubenv
-rwx------. 1 root root 1893144 Jul 28 16:46 grubx64.efi
-rwx------. 1 root root 1160144 Jul 28 12:26 mmx64.efi
-rwx------. 1 root root 1205160 Jul 28 12:26 shimx64-centos.efi
-rwx------. 1 root root 1244480 Jul 28 12:26 shimx64.efi

Anthorg
Posts: 2
Joined: 2020/07/30 18:17:26

Re: CVE-2020-10713

Post by Anthorg » 2020/07/30 18:25:10

dasergatskov wrote:
2020/07/30 15:57:31
Here is how to repair it:
https://bugzilla.redhat.com/show_bug.cgi?id=1861977#c7

Dmitri.
--
Hello, I'm new here. I am posting because I need help applying this fix. I have a lot of work that is now locked in an unbootable laptop. If anyone could provide a step-by-step for a layman, it would be greatly appreciated.

If it's helpful in any way, the computer is a Samsung NP270E5J-XD2BR. Update that triggered the problem was performed via the "there's an update" notification pop-up.

Thank you for your help.

User avatar
TrevorH
Forum Moderator
Posts: 29105
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2020-10713

Post by TrevorH » 2020/07/30 18:38:16

Read the linked buzilla entries, at least one of them has instructions on how to boot from the DVD and fix this by backing things out.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “CentOS 8 - Security Support”