There’s a new high-risk open source vulnerability in the news, potentially impacting devices all over the globe—the GRUB2 (the GRand Unified Bootloader version 2) vulnerability. Devices affected include servers, workstations, laptops, desktops, and IoT systems running almost any Linux distribution or Windows system.
Called “Boothole,” the general conclusion is, well, it’s just darn messy.
Found in GRUB2—a standard bootloader used by Linux systems—the vulnerabilities are reported in version 2.04. A bad actor may use the weakness to hijack and tamper with the GRUB verification process, as well as bypass the Secure Boot protections. Once exploited, attackers can gain privileged access to targeted, high-value systems.
According to the CVE advisory:
In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Discovered by researchers from Eclypsium, BootHole is a buffer overflow vulnerability that impacts all versions of GRUB2. It analyzes content from the config file, which isn’t signed like other files. This presents the opportunity for attackers to break the hardware root of the trust mechanism.
Though GRUB2 is the standard bootloader used by most Linux systems, it supports other operating systems, kernels, and hypervisors like XEN.
Can you install updates and patches to fix the problem?
Tricky question with a not so clear answer given it’s a complicated patch issue.Just installing patches with updated GRUB2 bootloader would not resolve the issue, because attackers can still replace the device’s existing bootloader with the vulnerable version.
Eclypsium notes, “Mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older, vulnerable versions in an attack.”
For more information on specific patches and mitigation, reference CVE-2020-10713 and the Secunia Advisory ID SA96877.