CVE-2020-10759
Publication date 9 June 2020
Last updated 24 July 2024
Ubuntu priority
A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| fwupd | 22.04 LTS jammy |
Fixed 1.3.10-1
|
| 20.04 LTS focal |
Fixed 1.3.9-4ubuntu0.1
|
|
| 18.04 LTS bionic |
Fixed 1.2.10-1ubuntu2~ubuntu18.04.5
|
|
| 16.04 LTS xenial |
Fixed 0.8.3-0ubuntu5.1
|
|
| 14.04 LTS trusty | Not in release | |
| libjcat | 22.04 LTS jammy |
Not affected
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.0 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4395-1
- fwupd vulnerability
- 15 June 2020