Executive Summary
Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux distributions. This vulnerability, known as “There’s a Hole in the Boot”, could allow Secure Boot bypass.
To exploit this vulnerability, an attacker would need administrative privileges on, or physical access to, a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks, thereby allowing arbitrary executables and drivers to be loaded onto the target device.
Microsoft is working to complete validation and compatibility testing of a required Windows Update that addresses this vulnerability. If you are an IT professional and would like to address this vulnerability immediately, please see the mitigation option on installing an untested update. When the Windows updates become available, customers will be notified via a revision to this advisory. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System.
Exploitation of this vulnerability is detectable via TPM attestation and Microsoft Defender ATP.
CVEs released for this issue: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707.
Update: March 2, 2021
A new set of similar vulnerabilities has been discovered, documented under: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-3418, CVE-2021-20225, CVE-2021-20233.
Update: August 9, 2022
Microsoft has released standalone security update 5012170 to provide protection against the vulnerabilities described in this advisory. See the FAQ section and KB5012170: Security update for Secure Boot DBX: August 9, 2022 for more information about this update.
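The DBX update delivered by KB5012170 (and the UEFI Forum revocation list file referenced below) works by adding SHA-256 hashes of the affected boot binaries to the firmware's forbidden-signature database (dbx), which is stored as a chain of EFI_SIGNATURE_LIST structures. The following is an added example, not code from this advisory or from Microsoft: a small Python parser for that structure that lets an administrator confirm whether a particular hash is actually present in a system's dbx after the update. The sample dbx blob and its hashes are constructed inline for demonstration and are not real revocation entries; on Windows the real blob is `(Get-SecureBootUEFI -Name dbx).Bytes`, and on Linux it is the efivars file read by the `load_efivar` helper (which strips the 4-byte attributes prefix the kernel prepends).

```python
"""Parse a UEFI Secure Boot dbx blob and check whether a SHA-256 hash is revoked.

A dbx (or db) variable is a sequence of EFI_SIGNATURE_LIST structures:
    EFI_GUID SignatureType;          16 bytes
    UINT32   SignatureListSize;      size of the whole list, header included
    UINT32   SignatureHeaderSize;    size of the optional per-list header
    UINT32   SignatureSize;          size of each EFI_SIGNATURE_DATA entry
    UINT8    SignatureHeader[SignatureHeaderSize];
    EFI_SIGNATURE_DATA Signatures[]; each = 16-byte SignatureOwner GUID + data
"""
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def load_efivar(path):
    """Read a Linux efivars file (e.g. dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f)
    and drop the 4-byte attributes word the kernel prepends to the variable data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, data) for every entry in the blob.
    Every length field is bounds-checked so a truncated or hostile blob raises
    ValueError instead of being silently misread."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size <= 16:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + HEADER.size + hdr_size
        end = off + list_size
        if (end - pos) % sig_size != 0:
            raise ValueError("signature area is not a multiple of SignatureSize at offset %d" % off)
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(blob):
    """Set of lowercase hex SHA-256 digests revoked by the blob (X.509 entries are ignored)."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_hash_revoked(blob, hex_digest):
    """True if the given SHA-256 hex digest appears in the dbx blob."""
    return hex_digest.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(owner, digests):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used only to construct the sample)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(d) for d in digests)
    return HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le, HEADER.size + len(body), 0, 16 + 32) + body


# Constructed sample data: a made-up owner GUID and hashes of placeholder strings,
# NOT real dbx entries. The blob is two lists back to back, as real dbx updates are.
SAMPLE_OWNER = uuid.UUID("00000000-0000-4000-8000-00000000c0de")
SAMPLE_HASHES = [hashlib.sha256(b"sample-boot-image-%d" % i).hexdigest() for i in range(3)]
SAMPLE_DBX = build_sha256_list(SAMPLE_OWNER, SAMPLE_HASHES[:1]) + \
             build_sha256_list(SAMPLE_OWNER, SAMPLE_HASHES[1:])

if __name__ == "__main__":
    for digest in SAMPLE_HASHES + ["00" * 32]:
        print(digest, "revoked" if is_hash_revoked(SAMPLE_DBX, digest) else "not revoked")
```

To check a real system, replace `SAMPLE_DBX` with the bytes of the firmware dbx variable and the digest with the SHA-256 of the boot binary in question (`sha256sum` of the file, which is what dbx entries of type EFI_CERT_SHA256 contain); a hash that is present means the firmware will refuse to launch that binary. Because a new dbx is only enforced after the firmware variable is rewritten, verifying the variable contents is more reliable than checking that the update package is installed.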
Background Information
In 2012, Microsoft introduced the Secure Boot feature into the then-new UEFI-based PC ecosystem. UEFI Secure Boot is an anti-rootkit feature that defends the boot process from untrusted code execution. As part of enabling this feature, Microsoft signs boot code both for Windows and for third parties, including Linux distributions. This signed boot code allows Linux systems to take advantage of Secure Boot.
The GRUB vulnerability provides a way to bypass the UEFI Secure Boot security feature on any system that trusts the Microsoft third-party UEFI CA, which includes many PCs.
Mitigations
See the Mitigations section following the Exploitability section.
Recommended Actions
Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
References
Microsoft guidance for applying Secure Boot DBX update
How insights from system attestation can improve enterprise security
Blog: There’s a Hole in the Boot
UEFI Forum: https://uefi.org/revocationlistfile (Applies to CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707).
Canonical: https://ubuntu.com/security/notices/USN-4432-1
Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
HPE: https://www.hpe.com/info/security-alerts
Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
VMware: https://kb.vmware.com/s/article/80181
CVEs published with the original advisory:
CVE-2020-10713
CVE-2020-14308
CVE-2020-14309
CVE-2020-14310
CVE-2020-14311
CVE-2020-15705
CVE-2020-15706
CVE-2020-15707
CVEs published March 2, 2021:
CVE-2020-14372
CVE-2020-25632
CVE-2020-25647
CVE-2020-27749
CVE-2020-27779
CVE-2021-3418
CVE-2021-20225
CVE-2021-20233