An authentication bypass flaw was found in GRUB due to the way that GRUB uses the UUID of a device to search for the configuration file that contains the password hash for the GRUB password protection feature. An attacker capable of attaching an external drive such as a USB stick containing a file system with a duplicate UUID (the same as in the "/boot/" file system) can bypass the GRUB password protection feature on UEFI systems, which enumerate removable drives before non-removable ones. This issue was introduced in a downstream patch in Red Hat's version of grub2 and does not affect the upstream package.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2024-01-15T11:10:19.517Z
Updated: 2024-05-01T20:20:56.178Z
Reserved: 2023-07-28T20:57:15.937Z
Link: CVE-2023-4001
JSON object: View
NVD Information
Status : Modified
Published: 2024-01-15T11:15:08.270
Modified: 2024-02-16T13:15:09.737
Link: CVE-2023-4001
JSON object: View
Redhat Information
No data.
CWE