Dark Reading is part of the Informa Tech Division of Informa PLC



'BootHole' Vulnerability Exposes Secure Boot Devices to Attack

A flaw in the GRUB2 bootloader affects most Linux devices and some Windows computers using UEFI Secure Boot.

A newly discovered vulnerability in the GRUB2 bootloader, dubbed BootHole, may threaten Linux and Windows machines using Secure Boot. Attackers who exploit it could interfere with the boot process and control how the operating system (OS) is loaded, bypassing security controls.

The boot process is critical to securing any device. It relies on a variety of firmware to initialize and control different components of a machine, and it coordinates how the OS is loaded.

"During the boot process, anything that loads earlier is generally higher privilege than something that loads later," says Jesse Michael, principal researcher with Eclypsium, where researchers discovered BootHole (CVE-2020-10713). BootHole has a high CVSS score of 8.2. 

Secure Boot is meant to protect the boot process from malicious code. It uses cryptographic signatures to verify each piece of code as needed during the boot process; it also includes the ability to sign bootloaders from non-Microsoft operating systems. Grand Unified Bootloader (GRUB) is the bootloader that loads and transfers control to the OS in most Linux distributions.

While GRUB2 is the primary bootloader for modern Linux distros, this bug affects systems using Secure Boot even if they're not using GRUB2. This issue also extends to Windows devices using Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority, meaning most laptops, desktops, servers, and workstations are affected, along with network appliances and equipment used in the industrial, healthcare, and finance sectors, the researchers report.

"The purpose of Secure Boot was to lock it down to just the signed images," says John Loucaides, vice president of research and development at Eclypsium. "Since this issue is in a signed bootloader, you can drop it on any system running Secure Boot and it would bypass that protection."

BootHole is a buffer overflow vulnerability in the way GRUB2 parses the contents of its configuration file. The GRUB2 config file is a plain text file and, unlike the bootloader binaries and other executables, is normally not signed. Because of this flaw, an attacker who can change the contents of the GRUB2 config file can trigger the overflow and ensure malicious code runs before the OS is loaded.
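The defensive principle behind this class of bug is that every copy from attacker-controllable config text into a fixed-size buffer must be bounded by the buffer's capacity, and an oversized token must be rejected rather than written past the end. The C tokenizer below is an added illustration of that principle, not GRUB2's code and not a reconstruction of the actual flaw; `TOKEN_CAP`, `read_token_bounded` and `count_tokens` are names chosen here, and the config lines are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately small capacity so the limit is easy to exercise. */
#define TOKEN_CAP 16

enum tok_result { TOK_TOO_LONG = -1, TOK_OK = 0, TOK_END = 1 };

/* Copy the next whitespace-delimited token from *cursor into dst (capacity cap)
 * and advance *cursor past it. The unsafe pattern this replaces copies until a
 * delimiter with no regard to the destination size, so a long token written by
 * whoever controls the config file runs past the end of the buffer. Here the
 * copy stops at cap - 1 bytes and the token is rejected instead. On TOK_TOO_LONG
 * dst holds an empty string and *cursor is unchanged. */
int read_token_bounded(const char **cursor, char *dst, size_t cap)
{
    const char *p = *cursor;
    size_t n = 0;
    dst[0] = '\0';
    while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    if (*p == '\0') { *cursor = p; return TOK_END; }
    while (p[n] && p[n] != ' ' && p[n] != '\t' && p[n] != '\n') {
        if (n + 1 >= cap) { dst[0] = '\0'; return TOK_TOO_LONG; }
        dst[n] = p[n];
        n++;
    }
    dst[n] = '\0';
    *cursor = p + n;
    return TOK_OK;
}

/* Count tokens on a config line; reject the whole line (-1) if any token
 * would not fit. Failing closed matters here: a parser that continued after
 * a truncated or overflowing token would run with attacker-shaped state. */
int count_tokens(const char *line)
{
    char tok[TOKEN_CAP];
    const char *cur = line;
    int count = 0, r;
    while ((r = read_token_bounded(&cur, tok, sizeof tok)) == TOK_OK)
        count++;
    return r == TOK_END ? count : -1;
}

int main(void)
{
    /* Constructed config lines: an ordinary one and one with an oversized value. */
    const char *ok_line = "set timeout=5";
    const char *bad_line = "set default=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("%s -> %d tokens\n", ok_line, count_tokens(ok_line));
    printf("oversized token -> %d (rejected)\n", count_tokens(bad_line));
    return 0;
}
```

The important design choice is in `count_tokens`: an oversized token invalidates the whole line rather than being silently truncated, because a parser that keeps going after a bounds violation is still processing attacker-shaped input.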

This attack would require elevated privileges or physical access to a system where Secure Boot is configured to trust the Microsoft UEFI CA. An attacker could install an affected GRUB bootloader to gain even higher privileges and persist on the device. Successful exploitation would let an attacker disable future code integrity checks, allowing more executables and drivers to be loaded. They would have control over the device's OS, applications, and data. 

The attack would work even if Secure Boot is enabled and properly verifying signatures on all loaded executables, researchers report. 

A Complex Fix to a Complex Problem

In a technical write-up of the vulnerability, Eclypsium reports all versions of GRUB2 that load commands from an external grub.cfg configuration file are vulnerable, with the exception of one bootable tool vendor that added custom code for signature verification.

"As such, this will require the release of new installers and bootloaders for all versions of Linux," researchers said. "Vendors will need to release new versions of their bootloader shims to be signed by the Microsoft 3rd Party UEFI CA."

Eclypsium coordinated today's disclosure with OS vendors, manufacturers, and CERTs. New bootloaders will need to be signed and deployed; vulnerable ones should be revoked to prevent adversaries from using older versions in an attack. Companies expected to push advisories and/or updates today include Microsoft, UEFI Security Response Team, Oracle, Red Hat, Canonical, SuSE, Debian, Citrix, VMware, and various OEMs and software vendors.

Until all affected versions are added to the dbx revocation list, an attacker will be able to use a vulnerable version of shim and GRUB2 to target a system – meaning every device that trusts the Microsoft Third Party UEFI CA will be exposed until then. Some OEMs that control both the hardware and software stacks in their devices use their own key to sign GRUB2. They will need to provide updates and revocation of vulnerable versions of GRUB2 for their systems as well.

"It's sort of bad when fixing the problem is a problem, and this is one of those instances," says Loucaides of the complexity of patching BootHole. This issue will require admins of affected devices to update installed versions of operating systems as well as installed images, including disaster recovery media. They will also need to coordinate: If the revocation list is updated before a given Linux bootloader and shim, the OS will not load. Before revocation updates are pushed across an enterprise, recovery and installation media must be updated.  
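The ordering constraint in the last two paragraphs (ship the new shim and GRUB2 first, revoke the old ones afterwards) is something an administrator can check mechanically before pushing a dbx update. The C program below is an added example, not Eclypsium's or any vendor's tooling: it parses the EFI_SIGNATURE_LIST format that the dbx variable uses, looks up SHA-256 entries, and counts how many of a host's currently installed boot binaries a pending update would revoke. `dbx_contains_sha256`, `build_sha256_list`, `preflight_revocation` and `demo_scenario` are names chosen here, and the hash values are constructed placeholders, not the real revoked hashes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* EFI_SIGNATURE_LIST (UEFI spec): SignatureType GUID (16 bytes), then three
 * little-endian uint32: SignatureListSize, SignatureHeaderSize, SignatureSize;
 * then the optional header, then SignatureSize-byte EFI_SIGNATURE_DATA
 * entries, each an owner GUID (16 bytes) followed by the signature data. */
#define SIGLIST_HDR 28
#define OWNER_GUID_LEN 16
#define SHA256_LEN 32
#define SHA256_SIG_SIZE (OWNER_GUID_LEN + SHA256_LEN)

/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328 in wire byte order. */
static const uint8_t EFI_CERT_SHA256_GUID[16] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk a dbx blob and report whether a SHA-256 hash is revoked. Returns 1 if
 * found, 0 if absent, -1 if the blob is malformed: a list that cannot be
 * parsed must never be treated as "nothing revoked". */
int dbx_contains_sha256(const uint8_t *dbx, size_t len, const uint8_t hash[SHA256_LEN])
{
    size_t off = 0;
    while (off < len) {
        if (len - off < SIGLIST_HDR) return -1;
        const uint8_t *list = dbx + off;
        uint32_t list_size = rd32(list + 16);
        uint32_t hdr_size  = rd32(list + 20);
        uint32_t sig_size  = rd32(list + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR) return -1;
        size_t body = list_size - SIGLIST_HDR - hdr_size;
        if (memcmp(list, EFI_CERT_SHA256_GUID, 16) == 0) {
            if (sig_size != SHA256_SIG_SIZE || body % SHA256_SIG_SIZE != 0) return -1;
            const uint8_t *sig = list + SIGLIST_HDR + hdr_size;
            for (size_t i = 0; i < body / SHA256_SIG_SIZE; i++, sig += SHA256_SIG_SIZE)
                if (memcmp(sig + OWNER_GUID_LEN, hash, SHA256_LEN) == 0) return 1;
        }
        off += list_size;   /* other list types (e.g. X.509 certificates) are skipped */
    }
    return 0;
}

/* Serialise one SHA-256 signature list. Used here only to construct a sample
 * dbx update; real updates come from the OS or firmware vendor. Returns the
 * number of bytes written, or 0 if out is too small. */
size_t build_sha256_list(uint8_t *out, size_t cap, const uint8_t hashes[][SHA256_LEN], size_t count)
{
    size_t total = SIGLIST_HDR + count * SHA256_SIG_SIZE;
    if (total > cap) return 0;
    memcpy(out, EFI_CERT_SHA256_GUID, 16);
    wr32(out + 16, (uint32_t)total);
    wr32(out + 20, 0);                    /* no SignatureHeader */
    wr32(out + 24, SHA256_SIG_SIZE);
    uint8_t *sig = out + SIGLIST_HDR;
    for (size_t i = 0; i < count; i++, sig += SHA256_SIG_SIZE) {
        memset(sig, 0, OWNER_GUID_LEN);   /* SignatureOwner left as the zero GUID */
        memcpy(sig + OWNER_GUID_LEN, hashes[i], SHA256_LEN);
    }
    return total;
}

/* Pre-flight check before pushing a dbx update: how many of the boot binaries
 * currently installed on this host would it revoke? 0 means the revocation is
 * safe to apply; anything else means shim/GRUB (and recovery media built from
 * them) must be updated first. -1 means the update itself is malformed. */
int preflight_revocation(const uint8_t *dbx_update, size_t len,
                         const uint8_t installed[][SHA256_LEN], size_t n_installed)
{
    int blocked = 0;
    for (size_t i = 0; i < n_installed; i++) {
        int r = dbx_contains_sha256(dbx_update, len, installed[i]);
        if (r < 0) return -1;
        blocked += r;
    }
    return blocked;
}

/* Constructed scenario: the update revokes the old shim and old GRUB2 hashes.
 * updated == 0 means the host still runs the old binaries; 1 means it runs new
 * ones. All hash values are placeholders, not the real BootHole hashes. */
int demo_scenario(int updated)
{
    uint8_t revoked[2][SHA256_LEN], installed[2][SHA256_LEN], dbx[256];
    memset(revoked[0], 0xA1, SHA256_LEN);   /* placeholder: old shim */
    memset(revoked[1], 0xA2, SHA256_LEN);   /* placeholder: old GRUB2 */
    memset(installed[0], updated ? 0xB1 : 0xA1, SHA256_LEN);
    memset(installed[1], updated ? 0xB2 : 0xA2, SHA256_LEN);
    size_t len = build_sha256_list(dbx, sizeof dbx, revoked, 2);
    return preflight_revocation(dbx, len, installed, 2);
}
```

In practice the installed-binary hashes would be the SHA-256 of the shim and GRUB2 images on the EFI system partition and on recovery media, and the update blob would be the vendor's dbx payload; `demo_scenario(0)` returns 2 (revocation would brick the unpatched host) while `demo_scenario(1)` returns 0. Note that a parse failure is reported as an error rather than as "not revoked", so a corrupt list cannot pass the check by accident.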

"That sort of complication is what I try to highlight for folks, especially with a large IT department and one team isn't consulting with the other team when they deploy these updates," says Loucaides. Having all of these updates out at once will require a lot of manual testing on the part of administrators, and it's expected this will be a lengthy process. 

In response to Eclypsium's initial report, Canonical researchers looked at GRUB2 with greater scrutiny and found additional vulnerabilities. An industrywide effort is underway to identify and fix more vulnerabilities that don't yet have individual CVEs assigned.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

User Rank: Ninja
7/30/2020 | 10:25:55 AM
This is terrible but...
For security practitioners this is definitely a grave threat; however, the name of this vulnerability is phenomenal. I would posit that it is even more comical than the 2017 vulnerability GhostButt that was a winner of the 2017 PWNIE awards.
User Rank: Ninja
7/30/2020 | 10:27:10 AM
Side Note
Side Note: I'm very happy to be on PTO this week and do not have to explain to management that we have a "BootHole" to worry about.