Dark Reading is part of the Informa Tech Division of Informa PLC
7/29/2020
05:40 PM
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack

A flaw in the GRUB2 bootloader affects most Linux devices and some Windows computers using UEFI Secure Boot.

A newly discovered vulnerability in the GRUB2 bootloader, dubbed BootHole, may threaten Linux and Windows machines using Secure Boot. Attackers who exploit it could interfere with the boot process and control how the operating system (OS) is loaded, bypassing security controls.

The boot process is critical to securing any device. It relies on a variety of firmware to initialize and control different components of a machine, and it coordinates how the OS is loaded.

"During the boot process, anything that loads earlier is generally higher privilege than something that loads later," says Jesse Michael, principal researcher with Eclypsium, where researchers discovered BootHole (CVE-2020-10713). BootHole has a high CVSS score of 8.2. 

Secure Boot is meant to protect the boot process from malicious code. It uses cryptographic signatures to verify each piece of code as needed during the boot process; it also includes the ability to sign bootloaders from non-Microsoft operating systems. Grand Unified Bootloader (GRUB) is the bootloader that loads and transfers control to the OS in most Linux distributions.

While GRUB2 is the primary bootloader for modern Linux distros, this bug affects systems using Secure Boot even if they're not using GRUB2. This issue also extends to Windows devices using Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority, meaning most laptops, desktops, servers, and workstations are affected, along with network appliances and equipment used in the industrial, healthcare, and finance sectors, the researchers report.

"The purpose of Secure Boot was to lock it down to just the signed images," says John Loucaides, vice president of research and development at Eclypsium. "Since this issue is in a signed bootloader, you can drop it on any system running Secure Boot and it would bypass that protection."

BootHole is a buffer overflow vulnerability in the way GRUB2 parses its configuration file. The GRUB2 config file (grub.cfg) is a plain text file and, unlike the bootloader binaries and other executables, usually isn't signed. As a result of this flaw, an attacker who can change the contents of the config file could ensure malicious code runs before the OS is loaded.

This attack would require elevated privileges or physical access to a system where Secure Boot is configured to trust the Microsoft UEFI CA. An attacker could install an affected GRUB bootloader to gain even higher privileges and persist on the device. Successful exploitation would let an attacker disable future code integrity checks, allowing more executables and drivers to be loaded. They would have control over the device's OS, applications, and data. 

The attack would work even if Secure Boot is enabled and properly verifying signatures on all loaded executables, researchers report. 

A Complex Fix to a Complex Problem

In a technical write-up of the vulnerability, Eclypsium reports all versions of GRUB2 that load commands from an external grub.cfg configuration file are vulnerable, with the exception of one bootable tool vendor that added custom code for signature verification.

"As such, this will require the release of new installers and bootloaders for all versions of Linux," researchers said. "Vendors will need to release new versions of their bootloader shims to be signed by the Microsoft 3rd Party UEFI CA."

Eclypsium coordinated today's disclosure with OS vendors, manufacturers, and CERTs. New bootloaders will need to be signed and deployed; vulnerable ones should be revoked to prevent adversaries from using older versions in an attack. Companies expected to push advisories and/or updates today include Microsoft, UEFI Security Response Team, Oracle, Red Hat, Canonical, SuSE, Debian, Citrix, VMware, and various OEMs and software vendors.

Until all affected versions are added to the dbx revocation list, an attacker will be able to use a vulnerable version of shim and GRUB2 to target a system – meaning every device that trusts the Microsoft Third Party UEFI CA will be exposed until then. Some OEMs that control both the hardware and software stacks in their devices use their own key to sign GRUB2. They will need to provide updates and revocation of vulnerable versions of GRUB2 for their systems as well.

"It's sort of bad when fixing the problem is a problem, and this is one of those instances," says Loucaides of the complexity of patching BootHole. This issue will require admins of affected devices to update installed versions of operating systems as well as installed images, including disaster recovery media. They will also need to coordinate: If the revocation list is updated before a given Linux bootloader and shim, the OS will not load. Before revocation updates are pushed across an enterprise, recovery and installation media must be updated.  
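The two paragraphs above describe the revocation-ordering trap: dbx entries are EFI_SIGNATURE_LIST records of image hashes, and pushing a dbx update that lists the shim or GRUB image still installed on a machine leaves it unbootable. The following added example (not code from the article, Eclypsium, or any vendor) parses a dbx blob and flags installed boot binaries it would revoke; the sample hashes are constructed placeholders, and the caller is assumed to supply the Authenticode digests of the installed images.

```python
"""Added example (not from the article): parse a UEFI dbx blob and flag
installed boot binaries that it would revoke. Sample hashes are constructed."""
import hashlib
import struct
import uuid

# GUID identifying a list of SHA-256 image hashes (EFI_CERT_SHA256_GUID)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HDR = 16 + 4 + 4 + 4  # SignatureType GUID + three uint32 size fields

def parse_dbx(blob: bytes) -> set:
    """Collect every SHA-256 hash from a chain of EFI_SIGNATURE_LIST records.
    When reading /sys/firmware/efi/efivars/dbx-*, strip the 4-byte attribute
    prefix first; this function expects the bare variable payload."""
    revoked = set()
    off = 0
    while off + HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HDR or off + list_size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256_GUID:
            pos, end = off + HDR + hdr_size, off + list_size
            while pos + sig_size <= end:
                # entry = 16-byte SignatureOwner GUID followed by the 32-byte hash
                revoked.add(blob[pos + 16:pos + sig_size])
                pos += sig_size
        off += list_size  # other list types (x509 certs, ...) are skipped
    return revoked

def build_dbx(hashes) -> bytes:
    """Encode hashes as a single EFI_CERT_SHA256 list (used to build the sample)."""
    owner = uuid.UUID(int=0).bytes_le
    body = b"".join(owner + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HDR + len(body), 0, 48) + body

def revocation_conflicts(dbx_blob: bytes, installed: dict) -> dict:
    """installed maps a boot binary name to its Authenticode SHA-256 digest
    (the hash UEFI actually checks, not a plain file hash). A True value means
    pushing this dbx before replacing that binary would leave the system unbootable."""
    revoked = parse_dbx(dbx_blob)
    return {name: digest in revoked for name, digest in installed.items()}

# constructed stand-ins: plain SHA-256 of fake image bytes, for demonstration only
OLD_SHIM_HASH = hashlib.sha256(b"constructed: old vulnerable shim").digest()
NEW_SHIM_HASH = hashlib.sha256(b"constructed: updated shim").digest()
SAMPLE_DBX = build_dbx([OLD_SHIM_HASH])
```

Calling revocation_conflicts(SAMPLE_DBX, {"shimx64.efi": OLD_SHIM_HASH}) reports the still-installed old image as a conflict, which is the signal to replace boot and recovery media before the dbx update goes out.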

"That sort of complication is what I try to highlight for folks, especially with a large IT department and one team isn't consulting with the other team when they deploy these updates," says Loucaides. Having all of these updates out at once will require a lot of manual testing on the part of administrators, and it's expected this will be a lengthy process. 

In response to Eclypsium's initial report, Canonical researchers looked at GRUB2 with greater scrutiny and found additional vulnerabilities. An industrywide effort is underway to identify and fix more vulnerabilities that don't yet have individual CVEs assigned.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
RyanSepe, User Rank: Ninja, 7/30/2020 | 10:25:55 AM
This is terrible but...
For security practitioners this is definitely a grave threat; however, the name of this vulnerability is phenomenal. I would posit that it is even more comical than the 2017 vulnerability GhostButt, which was a winner of the 2017 PWNIE awards.
RyanSepe, User Rank: Ninja, 7/30/2020 | 10:27:10 AM
Side Note
Side Note: I'm very happy to be on PTO this week and do not have to explain to management that we have a "BootHole" to worry about.