Several vulnerabilities have been discovered in the GRUB2 boot loader that could compromise both Linux systems and the Secure Boot used by Windows during the boot process. Invisible malware may be injected into systems.
GRUB2 allows invisible malware
Security researchers from Eclypsium, a security company specializing in firmware and hardware vulnerabilities, have discovered a buffer overflow (CVE-2020-10713) in the GRUB2 boot loader. It stems from the way GRUB2 parses content from its configuration file grub.cfg, which is located externally in the EFI system partition. Attackers could modify “grub.cfg” because it is a simple text file. Any software could then be loaded by the boot loader. By modifying GRUB’s configuration file, the attacker could gain control over the boot process. Bleeping Computer has written this article on the subject, and ZDNet covers it in the following tweet.
Here’s a list of vendors/orgs that Eclypsium expects to release patches or security alerts about BootHole today or in the coming days or weeks. A list with a who’s who names on it.
— Catalin Cimpanu (@campuscodi) July 29, 2020
The devices concerned are also discussed there. The Linux distributors are now working on patches that introduce a digital signature for the files. But fully resolving this issue will probably take a long time.
Addendum: Sophos has published this blog post where security experts analyse the situation. They also give some advice on what to do.
Microsoft also warns
On Twitter I came across the following information that the vulnerability in GRUB2 could also affect the secure boot of Windows systems.
Microsoft is aware of a GRUB 2 vulnerability that could impact Secure Boot. See link for guidance and more details: https://t.co/usqyBGatiS
— Security Response (@msftsecresponse) July 29, 2020
Microsoft has published this article, in which they give guidance and instructions on how to deal with BootHole. Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), which is commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow a Secure Boot bypass.
To exploit this vulnerability, an attacker would have to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and execute arbitrary boot code on the target device. After successful exploitation of this vulnerability, the attacker could disable further code integrity checks, allowing the loading of arbitrary executables and drivers onto the target device.
Microsoft is working to complete validation and compatibility testing for a required Windows update that addresses this vulnerability. If you are an IT professional and want to fix this vulnerability immediately, you can implement the mitigation measures provided by Microsoft in the Mitigation section by installing an untested update. In this support document, Microsoft provides specific details about securing Secure Boot.
This vulnerability is detectable via TPM attestation and Defender ATP. The CVEs assigned to this issue are: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707.
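Why a changed grub.cfg shows up in TPM attestation even though the file carries no signature, as an added example (not code from this post, Eclypsium or Microsoft): each boot component is hashed into a PCR, and a verifier replays the event log against a known-good value. It assumes measured boot is enabled and that the boot chain measures grub.cfg; for brevity it folds all measurements into a single SHA-256 PCR and stands in for the TPM-signed quote with a plain value. All function names, the log layout and the sample contents are constructed.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # a SHA-256 PCR is all zeros after platform reset


def measure(name: str, content: bytes) -> tuple[str, bytes]:
    """Event-log entry: component name plus SHA-256 digest of what was loaded."""
    return name, hashlib.sha256(content).digest()


def replay(log: list[tuple[str, bytes]]) -> bytes:
    """Recompute the PCR from a log: PCR = SHA-256(PCR || digest) per entry."""
    pcr = PCR_RESET
    for _name, digest in log:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


def attest(log, quoted_pcr: bytes, golden_pcr: bytes) -> bool:
    """Verifier: the log must reproduce the quoted PCR, which must be known-good."""
    return (hmac.compare_digest(replay(log), quoted_pcr)
            and hmac.compare_digest(quoted_pcr, golden_pcr))


def first_divergence(log, baseline_log):
    """Name of the first entry whose digest differs from the baseline, else None."""
    for (name, digest), (_n, good) in zip(log, baseline_log):
        if digest != good:
            return name
    return None


# Constructed sample data (not real binaries or a real configuration).
GOOD_CFG = b'set timeout=5\nmenuentry "Linux" {\n  linux /vmlinuz ro\n}\n'
CHANGED_CFG = GOOD_CFG + b"# one extra line written to the ESP\n"


def boot_log(cfg: bytes):
    """Constructed boot chain: shim, GRUB, its config file, then the kernel."""
    return [measure("shim", b"constructed-shim-image"),
            measure("grub", b"constructed-grub-image"),
            measure("grub.cfg", cfg),
            measure("kernel", b"constructed-kernel-image")]


BASELINE = boot_log(GOOD_CFG)
GOLDEN_PCR = replay(BASELINE)
```

Because each extend hashes the previous PCR value, a difference at grub.cfg propagates into the final value and cannot be undone by later measurements.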