CVE-2020-7205

Description

A potential security vulnerability has been identified in HPE Intelligent Provisioning, Service Pack for ProLiant, and HPE Scripting ToolKit. The vulnerability could be locally exploited to allow arbitrary code execution during the boot process.

**Note:** This vulnerability is related to using insmod in GRUB2 in the specific impacted HPE product, and HPE is addressing this issue.

HPE has made the following software updates and mitigation information available to resolve the vulnerability in Intelligent Provisioning, Service Pack for ProLiant, and HPE Scripting ToolKit. HPE has provided the latest Intelligent Provisioning, Service Pack for ProLiant, and HPE Scripting Toolkit, which include the GRUB2 patch to resolve this vulnerability. These new boot images will update GRUB2 and the Forbidden Signature Database (DBX). After the DBX is updated, users will not be able to boot to the older IP, SPP or Scripting ToolKit with Secure Boot enabled.

HPE has provided a standalone DBX update tool to work with Microsoft Windows and supported Linux operating systems. These tools can be used to update the Forbidden Signature Database (DBX) from within the OS.

**Note:** This DBX update mitigates the GRUB2 issue with insmod enabled, and the "Boot Hole" issue for HPE signed GRUB2 applications.

CVSS: 6.7
Severity: Medium
EPSS 0.11%
Vendor Advisory hpe.com
Affected: n/a HP Intelligent Provisioning
Affected: n/a HPE ProLiant BL460c Gen9 Server Blade
Affected: n/a HPE ProLiant BL660c Gen9 Server
Affected: n/a HPE ProLiant DL180 Gen9 Server
Affected: n/a HPE ProLiant DL60 Gen9 Server
Affected: n/a HPE ProLiant DL80 Gen9 Server
Affected: n/a HPE ProLiant ML110 Gen9 Server
Affected: n/a HPE ProLiant ML150 Gen9 Server
Affected: n/a HPE ProLiant XL740f Gen9 Server
Affected: n/a HPE ProLiant XL750f Gen9 Server
Affected: n/a HPE Apollo 4200 Gen9 Server
Affected: n/a HPE ProLiant DL20 Gen9 Server
Affected: n/a HPE ProLiant DL560 Gen9 Server
Affected: n/a HPE ProLiant ML30 Gen9 Server
Affected: n/a HPE ProLiant ML350 Gen9 Server
Affected: n/a HPE ProLiant XL170r Gen9 Server
Affected: n/a HPE ProLiant XL190r Gen9 Server
Affected: n/a HPE ProLiant XL230a Gen9 Server
Affected: n/a HPE ProLiant XL250a Gen9 Server
Affected: n/a HPE ProLiant XL260a Gen9 Server
Affected: n/a HPE ProLiant XL450 Gen9 Server
Affected: n/a HPE ProLiant XL730f Gen9 Server
Affected: n/a ProLiant SE2160w Gen9 Server
Affected: n/a HPE ProLiant m510 Server Cartridge
Affected: n/a HPE ProLiant m710x Server Blade
Affected: n/a HPE ProLiant BL460c Gen10 Server Blade
Affected: n/a HPE ProLiant DL360 Gen10 Server
Affected: n/a HPE ProLiant DL380 Gen10 Server
Affected: n/a HPE ProLiant DL560 Gen10 Server
Affected: n/a HPE ProLiant DL580 Gen10 Server
Affected: n/a HPE ProLiant ML110 Gen10 Server
Affected: n/a HPE ProLiant MicroServer Gen10
Affected: n/a HPE Synergy 480 Gen10 Compute Module
Affected: n/a HPE Synergy 660 Gen10 Compute Module
Affected: n/a HPE ProLiant DL180 Gen10 Server
Affected: n/a HPE ProLiant DL160 Gen10 Server
Affected: n/a HPE ProLiant DL120 Gen10 Server
Affected: n/a HPE ProLiant XL270d Gen9 Special Server
Affected: n/a HPE ProLiant DL385 Gen10 Server
Affected: n/a HPE Synergy 660 Gen9 Compute Module
Affected: n/a HPE Synergy 480 Gen9 Compute Module
Affected: n/a HPE ProLiant WS460c Gen9 Graphics Server Blade
Affected: n/a HP ProLiant DL580 Gen8 Server
Affected: n/a HPE Synergy 620 Gen9 Compute Module
Affected: n/a HPE ProLiant ML350 Gen10 Server
Affected: n/a HPE ProLiant DL580 Gen9 Server
Affected: n/a HPE ProLiant DL360 Gen9 Server
Affected: n/a HPE ProLiant XL170r Gen10 Server
Affected: n/a HPE Cloudline CL2100 Gen10 Server
Affected: n/a HPE Cloudline CL2200 Gen10 Server
Affected: n/a HPE Cloudline CL3100 Gen9 Server
Affected: n/a HPE Cloudline CL3150 Gen10 Server (AMD)
Affected: n/a HPE ProLiant ML10 Gen9 Server
Affected: n/a HPE ProLiant DL120 Gen9 Server
Affected: n/a HPE ProLiant DL380 Gen9 Server
Affected: n/a HPE Service Pack for ProLiant
Affected: n/a HPE ProLiant DL160 Gen9 Server
Affected: n/a HPE ProLiant XL270d Gen10 Server
Affected: n/a HPE Cloudline CL5800 Gen9 Server
Affected: n/a HPE Cloudline CL5200 Gen9 Server
Affected: n/a HPE Cloudline CL4100 Gen10 Server
Affected: n/a HPE Cloudline CL3100 Gen10 Server
Affected: n/a HPE Apollo 4200 Gen10 Server
Affected: n/a HPE ProLiant DL325 Gen10 Server
Affected: n/a HPE ProLiant ML30 Gen10 Server
Affected: n/a HPE ProLiant DL20 Gen10 Server
Affected: n/a HPE StoreEasy 1000 Storage Gen9
Affected: n/a HPE StoreEasy 1000 Storage Gen10
Affected: n/a HPE SimpliVity 380 Gen10
Affected: n/a HPE SimpliVity 2600 Gen10
Affected: n/a HPE Cloudline CL2600 Gen10 Server
Affected: n/a HPE Cloudline CL2800 Gen10 Server
Affected: n/a HPE ProLiant e910 Server Blade
Affected: n/a HPE ProLiant m750 Server Blade
Affected: n/a HPE ProLiant m710x-L Server Blade
Affected: n/a HPE Cloudline CL5800 Gen10 Server
Affected: n/a HPE ProLiant MicroServer Gen10 Plus
Affected: n/a HPE ProLiant XL450 Gen10 Server
Affected: n/a HPE ProLiant XL230k Gen10 Server
Affected: n/a HPE ProLiant XL190r Gen10 Server
Affected: n/a HPE SmartStart Scripting Toolkit Software
Affected: n/a HPE Apollo 2000 Gen10 Plus System
Affected: n/a HPE ProLiant DL385 Gen10 Plus server
Affected: n/a HPE ProLiant DL325 Gen10 Plus server
Affected: n/a HPE ProLiant DX385 Gen10 Plus server
Affected: n/a HPE ProLiant XL220n Gen10 Plus Server
Affected: n/a HPE ProLiant XL290n Gen10 Plus Server
Affected: n/a HPE Synergy 480 Gen10 Plus Compute Module
Affected: n/a HPE ProLiant XL925g Gen10 Plus 1U 4-node Configure-to-order Server
Affected: n/a HPE ProLiant e910t Server Blade

Frequently Asked Questions

What is the severity of CVE-2020-7205?
CVE-2020-7205 has been scored as a medium severity vulnerability.
How to fix CVE-2020-7205?
To fix CVE-2020-7205, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2020-7205 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2020-7205 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-7205?
CVE-2020-7205 affects HP Intelligent Provisioning, HPE Service Pack for ProLiant, HPE SmartStart Scripting Toolkit Software, and the HPE ProLiant, Apollo, Synergy, Cloudline, StoreEasy and SimpliVity systems listed as affected above; no affected version is given (n/a) for any of them.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.