Security researchers at Eclypsium have disclosed a serious vulnerability in the GRUB2 bootloader that could be used by cyber criminals to take “near total control” of Linux systems during the boot process and install “persistent and stealthy” bootkits or malicious bootloaders that will operate even if Secure Boot is enabled and functioning correctly.
Dubbed BootHole, the 8.2 CVSS-rated CVE-2020-10713 vulnerability affects systems using almost every signed version of GRUB2, which means that virtually every Linux distribution is affected.
However, the problem is understood to be even more extensive than just Linux – GRUB2 is also used to support other operating systems, kernels and hypervisors such as Xen, and the issue also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party Unified Extensible Firmware Interface (UEFI) Certificate Authority – so most laptops, desktops, servers and workstations are at risk.
Separate advisories and updates are expected to be released imminently by Microsoft, the UEFI Security Response Team, Oracle, Red Hat, Canonical, SuSE, Debian, Citrix, VMware and a number of other OEMs and software suppliers, said Eclypsium.
Because the boot process is such a fundamentally important part of how computers work, being able to compromise it means attackers can control how the operating system itself is loaded and subvert pretty much any higher-layer security control that exists.
This particular bug is a buffer overflow vulnerability in how GRUB2 parses content from its configuration file. It enables arbitrary code execution within GRUB2 and control over the boot process. Exploiting it requires elevated privileges, but an attacker who has them can modify the contents of the configuration file so that attack code runs before the OS loads and persists on the device, again regardless of whether Secure Boot is present or functioning.
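The following is an added illustration of the defect class the paragraph above names, a fixed-size buffer filled from a configuration token with no length check, placed next to the bounded version that rejects oversized tokens. It is teaching code written for this page, not GRUB2 source, and everything in it is constructed: the buffer sizes, the function names, the sample tokens and the idea of an adjacent field that the overflow clobbers. So that the program never writes outside a C object, the value buffer and its neighbour are modelled as one region; the unchecked copy is bounded only by that region, standing in for "no bound at all".

```c
/* Constructed model of a config-value parser: unchecked copy versus
 * length-checked copy. Not GRUB2 code; sizes and names are assumptions. */
#include <stdio.h>
#include <string.h>

#define VALUE_MAX    16   /* assumed size of the destination buffer */
#define ADJACENT_MAX 16   /* assumed size of the field laid out after it */

/* One region holds both the value buffer and the adjacent field, so an
 * overflow of the first visibly corrupts the second without undefined
 * behaviour in this demo. */
struct parse_state {
    char region[VALUE_MAX + ADJACENT_MAX];
};

#define VALUE(st)    ((st)->region)
#define ADJACENT(st) ((st)->region + VALUE_MAX)

/* Constructed contents of the adjacent field: the stage the loader hands
 * off to next. The checks below test whether it survives parsing. */
static const char ADJACENT_EXPECTED[] = "next-stage-ok";

/* Constructed sample tokens: one that fits, one that does not. */
const char SHORT_TOKEN[] = "quiet";
const char LONG_TOKEN[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 chars */

static void init_state(struct parse_state *st) {
    memset(st->region, 0, sizeof st->region);
    strncpy(ADJACENT(st), ADJACENT_EXPECTED, ADJACENT_MAX - 1);
}

/* Defective version: copies until the token's terminator, never looking at
 * VALUE_MAX. The only limit is the model's memory, which is exactly what
 * "no bounds check" means for the real thing. Returns 0 always. */
static int parse_value_unchecked(struct parse_state *st, const char *token) {
    size_t i = 0;
    while (token[i] != '\0' && i < sizeof st->region - 1) {
        VALUE(st)[i] = token[i];
        i++;
    }
    VALUE(st)[i] = '\0';
    return 0;
}

/* Hardened version: measure first, refuse anything that would not fit
 * together with its terminator, and copy only then. Returns -1 on reject. */
static int parse_value_checked(struct parse_state *st, const char *token) {
    size_t n = strlen(token);
    if (n >= VALUE_MAX)
        return -1;
    memcpy(VALUE(st), token, n + 1);
    return 0;
}

/* Runs the chosen parser on a fresh state and returns its return code. */
int parser_rc(const char *token, int hardened) {
    struct parse_state st;
    init_state(&st);
    return hardened ? parse_value_checked(&st, token)
                    : parse_value_unchecked(&st, token);
}

/* Runs the chosen parser on a fresh state and reports whether the adjacent
 * field is still intact afterwards: 1 if intact, 0 if overwritten. */
int adjacent_survives(const char *token, int hardened) {
    struct parse_state st;
    init_state(&st);
    if (hardened)
        parse_value_checked(&st, token);
    else
        parse_value_unchecked(&st, token);
    return strcmp(ADJACENT(&st), ADJACENT_EXPECTED) == 0;
}

int main(void) {
    printf("short token, unchecked: adjacent intact=%d rc=%d\n",
           adjacent_survives(SHORT_TOKEN, 0), parser_rc(SHORT_TOKEN, 0));
    printf("long token,  unchecked: adjacent intact=%d rc=%d\n",
           adjacent_survives(LONG_TOKEN, 0), parser_rc(LONG_TOKEN, 0));
    printf("long token,  checked:   adjacent intact=%d rc=%d\n",
           adjacent_survives(LONG_TOKEN, 1), parser_rc(LONG_TOKEN, 1));
    return 0;
}
```

The point the demo makes is the one the article makes: whoever controls the configuration file controls what the unchecked parser writes past the end of its buffer, and the only durable fix is a parser that measures before it copies, shipped as a newly signed bootloader.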
Ultimately, an actor who successfully exploits the vulnerability could use it to execute a variety of other malicious actions, including exfiltrating data or installing malware or ransomware.
“Eclypsium has coordinated the responsible disclosure of this vulnerability with a variety of industry entities, including OS vendors, computer manufacturers and CERTs,” the firm said in a disclosure blog post, which can be read in full here.
“Mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older, vulnerable versions in an attack,” it said. “This will likely be a long process and take considerable time for organisations to complete patching.”
There are a number of reasons for this, not least because UEFI-related updates have a notable history of bricking devices and having to be withdrawn in a hurry, so those affected will need to be cautious in how they proceed.
Eclypsium recommended that IT and security teams check to ensure they have appropriate capabilities for monitoring UEFI bootloaders and firmware and verifying UEFI configurations in their systems, and thoroughly test recovery capabilities as updates become available (including factory reset settings).
In the meantime, it is important to monitor extensively for any threats that are known to use vulnerable bootloaders to infect targets.
A Suse spokesperson commented: “We’re aware of the Linux vulnerability called BootHole shared by Eclypsium today, and our customers and partners can rest assured we have released fixed grub2 packages which close the BootHole vulnerability for all Suse Linux products today, and are releasing corresponding updates to Linux kernel packages, cloud image and installation media.
“Given the need for physical access to the bootloader, the most likely exposure is when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended kiosk mode. To ensure that sophisticated attackers cannot reinstall old versions of GRUB2, software and hardware vendors are working together. Suse Linux Enterprise provides unprecedented reliability, stability and security to the enterprise, and we are committed to keeping our customers’ and partners’ systems up to date and ready to handle everyday business challenges.”
Joe McManus, director of security at Canonical, added: “CVE-2020-10713 is an interesting vulnerability. Thanks to Eclypsium, we at Canonical, along with the rest of the open source community, have updated GRUB2 to defend against this vulnerability. During this process, we identified 7 more vulnerabilities in GRUB2 which will also be fixed in the updates released today. The attack itself is not a remote exploit and it requires the attacker to have root privileges. With that in mind, we do not see it being a popular vulnerability used in the wild. However, this effort really exemplifies the spirit of community that makes open source software so secure.”