Researchers at Eclypsium, an enterprise security research firm, have discovered a serious vulnerability in the GRUB2 bootloader that attackers can exploit to insert and execute malicious code during the boot-loading process.
The vulnerability, tracked as CVE-2020-10713 and dubbed “BootHole”, is a buffer overflow in GRUB2 (Grand Unified Bootloader), the software that loads an operating system (OS) into memory when a system boots up.
This flaw compromises every operating system that boots with GRUB2, even when Secure Boot, the component designed to protect the boot process from attacks, is active. The vulnerability also affects systems that use Secure Boot but do not use GRUB2.
“Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected. In addition, GRUB2 supports other operating systems, kernels, and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority,” Eclypsium explained in its report.
As a result, the majority of laptops, desktops, servers, and workstations, as well as network appliances and other special-purpose equipment used in industrial, healthcare, financial, and other industries are affected, the company added. Attackers can exploit this vulnerability to install persistent and stealthy bootkits or malicious bootloaders that could give them “near total control” over the victim’s device.
According to the researchers, the BootHole vulnerability lies in the way GRUB2 parses its configuration file (grub.cfg), an external file commonly located in the EFI System Partition. The flaw enables arbitrary code execution within GRUB2 and thus control over the booting of the operating system. An attacker could therefore modify the contents of the GRUB2 configuration file so that attack code runs before the OS is loaded, gaining persistence on the device.
Eclypsium researchers noted that exploiting this type of vulnerability would require elevated privileges on the targeted device. However, it would provide the attacker with a powerful additional escalation of privilege and persistence on the device, even with Secure Boot enabled and properly performing signature verification on all loaded executables.
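Two of the facts the write-up turns on, whether Secure Boot is active and whether the externally stored grub.cfg on the ESP still matches a known-good baseline, can be checked from a running Linux host. The following is an added example, not Eclypsium's or the GRUB project's code; the efivars path, the ESP path of grub.cfg and the baseline hash are assumptions and will differ per distribution.

```python
"""Baseline check for Secure Boot state and grub.cfg integrity (example code)."""
import hashlib
from pathlib import Path

# efivarfs exposes each UEFI variable as 4 bytes of attributes followed by its data.
# SecureBoot lives under the EFI global variable GUID; the mount path is an assumption.
EFIVARS = Path("/sys/firmware/efi/efivars")
SECUREBOOT_VAR = EFIVARS / "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Location of grub.cfg on the EFI System Partition: an assumption, varies per distro.
GRUB_CFG = Path("/boot/efi/EFI/BOOT/grub.cfg")


def secure_boot_state(raw: bytes):
    """Decode an efivarfs SecureBoot blob: True/False, or None if malformed."""
    if len(raw) < 5:          # 4 attribute bytes + 1 data byte expected
        return None
    return raw[4] == 1        # data byte 1 means Secure Boot is enforcing


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 used to record and compare the grub.cfg baseline."""
    return hashlib.sha256(data).hexdigest()


def grub_cfg_matches(contents: bytes, baseline_hex: str) -> bool:
    """True when grub.cfg is byte-identical to the recorded known-good baseline."""
    return sha256_hex(contents) == baseline_hex.lower()


def assess(efivar_raw: bytes, grub_cfg: bytes, baseline_hex: str) -> str:
    """Combine both checks into one verdict string."""
    if not grub_cfg_matches(grub_cfg, baseline_hex):
        # A changed grub.cfg is the tampering vector the write-up describes;
        # Secure Boot being on does not make the change safe, so report it first.
        return "ALERT: grub.cfg differs from baseline"
    state = secure_boot_state(efivar_raw)
    if state is None:
        return "UNKNOWN: SecureBoot variable unreadable or malformed"
    return "OK: baseline grub.cfg, Secure Boot " + ("on" if state else "off")


if __name__ == "__main__":
    # Placeholder: record the baseline from a known-good install of this host.
    BASELINE = "<sha256 of known-good grub.cfg>"
    print(assess(SECUREBOOT_VAR.read_bytes(), GRUB_CFG.read_bytes(), BASELINE))
```

Run it as root after recording the baseline once; an ALERT verdict means grub.cfg changed since the baseline and warrants inspection regardless of the Secure Boot state.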
All versions of GRUB2 that load commands from an external grub.cfg configuration file are vulnerable. Following the discovery of the BootHole vulnerability, Eclypsium coordinated responsible disclosure with a variety of industry entities, including OS vendors, computer manufacturers, and CERTs.
“Mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older, vulnerable versions in an attack. This will likely be a long process and take considerable time for organizations to complete patching,” Eclypsium noted.
Joe McManus, Canonical’s security engineering director, said: “Thanks to Eclypsium, we at Canonical, along with the rest of the open-source community, have updated GRUB2 to defend against this vulnerability. During this process, we identified seven additional vulnerabilities in GRUB2, which will also be fixed in the updates released today. The attack itself is not a remote exploit and it requires the attacker to have root privileges. With that in mind, we do not see it being a popular vulnerability used in the wild. However, this effort really exemplifies the spirit of community that makes open source software so secure.”
On the other hand, Marcus Meissner, lead of the SUSE Security Team, pointed out that while the problem was serious and needed patching, it was not as bad as it might seem.
“Given the need for root access to the bootloader, the described attack appears to have limited relevance for most cloud computing, data center, and personal device scenarios, unless these systems are already compromised by another known attack. However, it does create an exposure when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended kiosk mode,” Meissner noted.