American Megatrends (AMI) released Security advisory SA-50085 with the following enhancement: “3rd-party UEFI CA signature” added to the DBx (Forbidden Signature Database) due to known vulnerability (CVE-2020-10713 with severity 8.2) in Linux “GRUB2 loader” which can potentially allow for Secure Boot bypass.

For a Secure Boot enabled system, a new version BIOS will block affected GRUB2 (prior to version 2.06) from booting, thus upgrading GRUB2 prior to BIOS update is required to guarantee system normal operation.

This is the error message that BIOS will produce if the vulnerable GRUB2 loader is detected:

The system boot stopped: caused by secure boot detecting an invalid secure boot signature. Please check the FAQ at https://www.supermicro.com/support/secureboot.pdf

Please read this document on how to update GRUB2 loader and allow for the Secure Boot to succeed with the new BIOS.

Resources:

• CVE-2020-10713