Bug#1105108: grub2: CVE-2025-4382
Salvatore Bonaccorso
carnil at debian.org
Sun May 11 13:11:51 BST 2025
Source: grub2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for grub2.
CVE-2025-4382[0]:
| A flaw was found in systems utilizing LUKS-encrypted disks with GRUB
| configured for TPM-based auto-decryption. When GRUB is set to
| automatically decrypt disks using keys stored in the TPM, it reads
| the decryption key into system memory. If an attacker with physical
| access can corrupt the underlying filesystem superblock, GRUB will
| fail to locate a valid filesystem and enter rescue mode. At this
| point, the disk is already decrypted, and the decryption key remains
| loaded in system memory. This scenario may allow an attacker with
| physical access to access the unencrypted data without any further
| authentication, thereby compromising data confidentiality.
| Furthermore, the ability to force this state through filesystem
| corruption also presents a data integrity concern.
The fix depends code on introducing as well code introduced later to
be able to block command line interface at build time, but my
understanding would be that it is present before?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-4382
https://www.cve.org/CVERecord?id=CVE-2025-4382
[1] https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=c448f511e74cb7c776b314fcb7943f98d3f22b6d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-grub-devel
mailing list