CVE-2024-56738
Public on 2024-12-29
Modified on 2025-02-10
Description
GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.
This issue requires that the attacker has privileges to access the grub console on EC2. Furthermore, GRUB runs in a single-threaded context during boot which eliminates the common attack vector of timing measurements across threads. We therefore consider this issue unlikely to be exploitable. As a result, Amazon Linux will not be providing fix to the CVE.
This issue requires that the attacker has privileges to access the grub console on EC2. Furthermore, GRUB runs in a single-threaded context during boot which eliminates the common attack vector of timing measurements across threads. We therefore consider this issue unlikely to be exploitable. As a result, Amazon Linux will not be providing fix to the CVE.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | grub2 | No Fix Planned | ||
| Amazon Linux 2023 | grub2 | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 2.3 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
| NVD | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |