BootHole vulnerability in GRUB2 puts Linux and also Windows Secure Boot at risk

Several vulnerabilities have been discovered in the GRUB2 boot loader that could compromise both Linux systems and Secure Boot on Windows systems during the boot process. Malware that is invisible to the operating system could be injected on affected systems.



GRUB2 allows invisible malware

Security researchers from Eclypsium, a security company specializing in firmware and hardware vulnerabilities, have discovered a buffer overflow (CVE-2020-10713) in the GRUB2 boot loader. It is rooted in the way GRUB2 parses the content of its configuration file grub.cfg, which sits as a separate file in the EFI system partition. Because grub.cfg is a plain text file, an attacker who can write to it can trigger the bug, and the boot loader can then be made to load any software. By modifying GRUB’s configuration file, the attacker gains control over the boot process. Bleeping Computer has written this article on the subject, and ZDNet covers it in the following tweet.
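As an added example (not from the article, from Eclypsium or from any of the linked sources), the following Python script shows the kind of integrity check a defender can run against the EFI system partition: it records SHA-256 hashes of grub.cfg and the GRUB EFI binaries in a baseline and later reports files that were added, removed or modified, which is exactly the change the attack described above depends on. The ESP mount point, the EFI/ubuntu directory name and the sample file contents are assumptions constructed for the demo, not values taken from a real system.

```python
"""Integrity baseline for boot files on the EFI System Partition (ESP).

GRUB2 parses grub.cfg, a plain text file on the ESP, at every boot, so an
attacker with write access to the ESP can alter it.  This added example
hashes grub.cfg and the EFI binaries next to it, stores a baseline, and
reports any later change.  Paths and patterns are assumptions for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Files worth baselining on the ESP.  These glob patterns are assumptions;
# real layouts differ between distributions and firmware vendors.
DEFAULT_PATTERNS = ("EFI/**/*.efi", "EFI/**/grub.cfg")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large EFI images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(esp_root: Path, patterns=DEFAULT_PATTERNS) -> dict:
    """Return {relative_posix_path: sha256} for every matching file under esp_root."""
    result = {}
    for pattern in patterns:
        for path in sorted(esp_root.glob(pattern)):
            if path.is_file():
                result[path.relative_to(esp_root).as_posix()] = sha256_file(path)
    return result


def save_baseline(snap: dict, baseline_file: Path) -> None:
    """Persist a snapshot as JSON (store it off the ESP in real deployments)."""
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences so a monitoring job can alert on each kind."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline
            if name in current and baseline[name] != current[name]
        ),
    }


def is_clean(diff: dict) -> bool:
    return not any(diff.values())


def demo_tamper_detection() -> dict:
    """Build a constructed ESP in a temp dir, baseline it, alter grub.cfg and
    return the resulting diff.  All file contents here are made-up sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot_dir = esp / "EFI" / "ubuntu"  # directory name is an assumption
        boot_dir.mkdir(parents=True)
        (boot_dir / "grubx64.efi").write_bytes(b"MZ\x90\x00 constructed fake loader image")
        (boot_dir / "grub.cfg").write_text(
            "set timeout=5\nmenuentry 'Linux' { linux /vmlinuz }\n"
        )
        baseline_file = esp / "baseline.json"  # outside the EFI/ patterns
        save_baseline(snapshot(esp), baseline_file)

        # Simulated tampering: someone with write access appends a line.
        with (boot_dir / "grub.cfg").open("a") as handle:
            handle.write("set root=(hd1,gpt2)\n")

        return compare(load_baseline(baseline_file), snapshot(esp))


if __name__ == "__main__":
    diff = demo_tamper_detection()
    print(json.dumps(diff, indent=2))
    print("clean" if is_clean(diff) else "ESP contents changed since baseline")
```

Legitimate package updates (for example a distribution's own grub update) also rewrite grub.cfg and the EFI binaries, so the baseline has to be refreshed after each sanctioned update and kept somewhere the ESP itself cannot overwrite; otherwise every alert drowns in expected noise.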

The affected devices are also discussed there. The Linux distributors are now working on patches that introduce a digital signature for the files. It will probably take a long time until this issue is fully resolved, though.

Addendum: Sophos has published this blog post, in which its security experts analyse the situation. They also give some advice on what to do.

Microsoft also warns

On Twitter I came across the following information that the vulnerability in GRUB2 could also affect Secure Boot on Windows systems.



Microsoft has published this article, in which it gives hints and instructions on how to deal with BootHole. Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), which is commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow a Secure Boot bypass.

To exploit this vulnerability, an attacker would need administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could then install an affected GRUB and execute arbitrary boot code on the target device. After successful exploitation, the attacker could disable further code integrity checks, allowing arbitrary executables and drivers to be loaded onto the target device.

Microsoft is working to complete validation and compatibility testing for a required Windows update that addresses this vulnerability. If you are an IT professional and want to fix this vulnerability immediately, you can apply the mitigations Microsoft provides in the Mitigation section, which means installing an update that has not yet been fully tested. In this support document, Microsoft provides specific details about securing Secure Boot.

This vulnerability is detectable via TPM attestation and Defender ATP. The CVEs assigned to this problem are: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707.

