
Dell PowerEdge Servers: Additional Information Regarding the March 2021 (GRUB) Vulnerability Disclosure

Summary: Vulnerabilities in GRUB (Grand Unified Bootloader) may allow Secure Boot bypass.


Article Content


Security Article Type

Security KB

CVE Identifier

CVE-2020-14372    CVE-2020-25632    CVE-2020-25647    CVE-2020-27749    CVE-2020-27779
CVE-2021-20225    CVE-2021-20233

Issue Summary

Affected products:        
Dell PowerEdge Servers and leveraged platforms

Details

Reference:         
Operating System providers’ advisories are listed in the following Dell Security Notice. Refer to KB article 183699: DSN-2021-002 Dell Response to the March 2, 2021 Grub2 Vulnerability Disclosure

Recommendations

Frequently Asked Questions:        

Q: Which platforms are affected?
A: Dell PowerEdge Servers and leveraged platforms that have UEFI Secure Boot enabled are impacted. Dell recommends that customers review their Operating System provider’s advisories for further information, including appropriate identification and additional mitigation measures.
Customers should follow security best practices and prevent unauthorized physical access to devices. Customers can also take the following measures to further protect themselves from physical attacks.
  1. Set BIOS Admin Password to prevent alteration of the BIOS Setup configuration, such as the boot device, and Secure Boot mode.
  2. Configure boot settings to only allow booting to the internal boot device.
Q: I use a Windows Operating System. Am I impacted?
A: Yes. Windows Operating Systems are impacted. A malicious actor that has physical access to the platform, or OS administrator privileges, may load a vulnerable GRUB UEFI binary and boot-time malware. Refer to: ADV200011 - Security Update Guide - Microsoft - Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Q: I use the VMware ESXi Operating System. Am I impacted?
A: Refer to: VMware response to GRUB2 security vulnerability

Q: What do I need to do to address this vulnerability?
A: GRUB Patch - As part of Linux Operating System vendors’ advisories, they are expected to roll out updated GRUB binaries or in some cases kernel updates as well. We encourage you to follow the published recommendations of the Linux distribution vendors to update the affected packages, in the proper order, to the latest versions supplied by the Linux distribution vendor.

Q: I am running Linux. How do I know if I have Secure Boot enabled on my system?
A: To verify the Secure Boot status of your system, use the following OS command:     

UEFI Boot is disabled; Secure Boot is disabled:     
# mokutil --sb-state
EFI variables are not supported on this system

UEFI Boot is enabled; Secure Boot is disabled:     
# mokutil --sb-state
SecureBoot disabled

Secure Boot is enabled:     
# mokutil --sb-state
SecureBoot enabled
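
The three outputs above, folded into one state string for fleet inventory, as an added example that is not Dell's or a distribution vendor's code. It goes beyond the page by falling back to the kernel's efivarfs copy of the UEFI SecureBoot variable when mokutil is not installed; the state names and function names are chosen here for illustration.

```sh
#!/bin/sh
# Added example: report the Secure Boot state as one of
#   legacy-bios | uefi-sb-off | uefi-sb-on | unknown
# State and function names are illustrative, not from the Dell article.

# UEFI global-variable GUID; efivarfs exposes SecureBoot under this name.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Map the text printed by `mokutil --sb-state` to a state string.
classify_sb_state() {
    case "$1" in
        *"EFI variables are not supported"*) echo "legacy-bios" ;;
        *"SecureBoot enabled"*)              echo "uefi-sb-on" ;;
        *"SecureBoot disabled"*)             echo "uefi-sb-off" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Read the variable from an efivarfs file: the first 4 bytes are the
# attribute word, the 5th byte is the value (1 = enabled, 0 = disabled).
efivar_sb_state() {
    [ -r "$1" ] || { echo "unknown"; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    case "$byte" in
        1) echo "uefi-sb-on" ;;
        0) echo "uefi-sb-off" ;;
        *) echo "unknown" ;;
    esac
}

# Prefer mokutil; fall back to efivarfs when it is missing or unparseable.
sb_state() {
    if command -v mokutil >/dev/null 2>&1; then
        state=$(classify_sb_state "$(mokutil --sb-state 2>&1)")
        [ "$state" != "unknown" ] && { echo "$state"; return 0; }
    fi
    if [ ! -d /sys/firmware/efi ]; then
        echo "legacy-bios"          # kernel was not booted through UEFI
    else
        efivar_sb_state "$SB_VAR"
    fi
}

# Run with --report to print the state of the local host.
if [ "${1:-}" = "--report" ]; then sb_state; fi
```

Hosts that report `uefi-sb-on` are the ones the first FAQ answer describes as impacted.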

Q: I installed the patches following the Linux distribution advisories but my system no longer boots.
A: If Secure Boot fails after applying the Linux distribution vendor’s updates, use one of the following options to recover:     
  • Boot to a rescue DVD and attempt to reinstall the previous version of shim, grub2, and kernel.
  • Reset the BIOS dbx database to the factory default value and remove any dbx applied updates (either from OS vendor or other means) using the following procedure:
1.    Enter BIOS Setup (F2) 
2.    Select "System Security" 
3.    Set "Secure Boot Policy" to "Custom" 
4.    Select "Secure Boot Custom Policy Settings" 
5.    Select "Forbidden Signature Database (dbx)" 
6.    Select "Restore Default Forbidden Signature Database" -> "Yes" -> "OK" 
7.    Set "Secure Boot Policy" to "Standard" 
8.    Save and exit 

Warning: Once your dbx database is reset to the factory default, your system is no longer patched and is vulnerable to these and any other vulnerabilities remediated in later updates.

Q: I’ve configured my Dell server so that it doesn’t use the public UEFI CA certificate in the Secure Boot Authorized Signature Database (db). Is my Dell server still susceptible to GRUB2 attacks?
A: No, once you’ve done this, you will have implemented the UEFI Secure Boot Customization feature, and your system is no longer susceptible to the currently known vulnerabilities (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707).

Q: How do I view what’s in my server’s Secure Boot Authorized Signature Database (db)?
A: Please review this document here. You can do this through RACADM, WS-MAN, WINRM, Redfish and BIOS F2 Setup, depending on how you’ve configured access control. 


Additional References:     
For additional information about GRUB2 vulnerabilities, refer to Dell EMC PowerEdge Servers: Additional Information Regarding the GRUB2 Vulnerability – “BootHole”

Article Properties


Affected Product

PowerEdge, Operating Systems

Product

Servers, Product Security Information

Last Published Date

30 Mar 2021

Version

2

Article Type

Security KB