Eclypsium specialists have disclosed details of a vulnerability dubbed BootHole (CVE-2020-10713).
The flaw lets an attacker interfere with the boot process before the operating system starts. BootHole is a vulnerability in GRUB2, one of the most widely used bootloaders today: GRUB2 is the default bootloader in all major Linux distributions and is also sometimes used to boot Windows, macOS and BSD systems.
The researchers describe BootHole as a bootkit-class issue: it allows attackers to tamper with GRUB2 and to inject and execute malicious code during the boot process. Code that runs at that stage executes before the operating system and can therefore fully control the OS that is loaded afterwards.
According to Eclypsium, the root of BootHole lies in how GRUB2 handles grub.cfg, the plain-text configuration file from which the bootloader reads its settings. An attacker who can edit this file can craft its contents (for example, a token far longer than the parser expects) so as to trigger a buffer overflow in GRUB2 when it reads grub.cfg.
In practice, BootHole can be used to modify the bootloader's code or even to replace the bootloader with a malicious or vulnerable version. Worse, the attack works even when Secure Boot is enabled on the server or workstation: Secure Boot verifies the signatures of the shim, the GRUB2 image and the kernel, but in the configurations shipped by most distributions grub.cfg itself is not signed or cryptographically verified, so an already-verified bootloader trusts whatever the file contains.
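To make the mechanism concrete, the following C program is a constructed model added for this article; it is not Eclypsium's proof of concept or GRUB2's code. It shows the pattern behind the overflow: a fixed-size lexer buffer whose "fatal" error hook prints a message and returns instead of halting, so an oversized token from grub.cfg keeps being copied past the end of the buffer and overwrites whatever sits after it. The buffer size, the `struct lexer` layout and the `verified_state` field are assumptions chosen to make the corruption visible; real GRUB2 uses a much larger buffer and a different layout. The hardened variant refuses the oversized token instead of aborting, only so that the example keeps running.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the BootHole root cause: a fixed-size token
 * buffer in the config-file lexer whose "fatal error" hook returns instead of
 * aborting, so an oversized grub.cfg token is copied past the buffer.
 * TOKEN_BUF_SIZE, struct lexer and verified_state are illustrative only;
 * GRUB2's real lexer buffer is far larger and laid out differently. */
#define TOKEN_BUF_SIZE 16
#define VERIFIED_MAGIC 0x5EC0B007u

struct lexer {
    char token[TOKEN_BUF_SIZE];   /* fixed-size token buffer */
    unsigned int verified_state;  /* hypothetical state stored right after it */
};

/* Constructed grub.cfg input: a 40-byte token, and a short one that fits. */
static const char LONG_TOKEN[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
static const char SHORT_TOKEN[] = "set x=1";

/* Vulnerable: the error hook only prints. GRUB2 had redefined flex's
 * YY_FATAL_ERROR to a function that returned, which is the real bug. */
static void fatal_error_that_returns(const char *msg) {
    fprintf(stderr, "lexer: %s\n", msg);
}

/* Copies a token into lx->token the vulnerable way: it reports the overflow but
 * carries on writing. The loop stops at sizeof(*lx) only so this demonstration
 * stays inside the struct object; the modelled code had no such bound.
 * Always returns 0 (the caller never learns anything went wrong). */
static int vulnerable_read_token(struct lexer *lx, const char *token) {
    unsigned char *bytes = (unsigned char *)lx;
    size_t n = strlen(token);
    for (size_t i = 0; i < n && i < sizeof(*lx); i++) {
        if (i == TOKEN_BUF_SIZE)
            fatal_error_that_returns("token too long"); /* returns, so the copy continues */
        bytes[offsetof(struct lexer, token) + i] = (unsigned char)token[i];
    }
    return 0;
}

/* Hardened: the oversized token is refused before anything is written.
 * (GRUB2's actual fix made the hook really fatal; rejecting the token keeps
 * this example runnable.) Returns 0 if accepted, -1 if rejected. */
static int hardened_read_token(struct lexer *lx, const char *token) {
    size_t n = strlen(token);
    if (n >= sizeof lx->token) {
        fprintf(stderr, "lexer: token too long, refusing to parse config\n");
        return -1;
    }
    memcpy(lx->token, token, n + 1);
    return 0;
}

typedef int (*token_reader)(struct lexer *, const char *);

/* Feeds one token to a reader on a freshly initialised lexer and returns 1 if
 * the field after the buffer was overwritten, 0 if it survived. */
static int adjacent_field_clobbered(token_reader read, const char *token) {
    struct lexer lx;
    memset(&lx, 0, sizeof lx);
    lx.verified_state = VERIFIED_MAGIC;
    read(&lx, token);
    return lx.verified_state != VERIFIED_MAGIC;
}

/* Returns the reader's own verdict (0 accepted, -1 rejected) for a token. */
static int reader_verdict(token_reader read, const char *token) {
    struct lexer lx;
    memset(&lx, 0, sizeof lx);
    lx.verified_state = VERIFIED_MAGIC;
    return read(&lx, token);
}

int main(void) {
    printf("vulnerable, long token:  field clobbered = %d\n",
           adjacent_field_clobbered(vulnerable_read_token, LONG_TOKEN));
    printf("hardened,   long token:  field clobbered = %d, verdict = %d\n",
           adjacent_field_clobbered(hardened_read_token, LONG_TOKEN),
           reader_verdict(hardened_read_token, LONG_TOKEN));
    printf("vulnerable, short token: field clobbered = %d\n",
           adjacent_field_clobbered(vulnerable_read_token, SHORT_TOKEN));
    return 0;
}
```

The point of the model is the control flow, not the sizes: an error path that the caller assumes never returns, but does, turns a length check into a no-op, and since grub.cfg is not covered by the Secure Boot signature chain, the attacker controls exactly the bytes that end up past the buffer.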
Fortunately, several conditions must be met before a BootHole attack can be carried out. Modifying grub.cfg on the EFI System Partition or under /boot requires administrator (root) privileges, so an attacker first has to gain access to the target system and escalate privileges on it, or have physical access to the machine.
Eclypsium says BootHole affects every Linux distribution, since they all use GRUB2 and take their configuration from an external grub.cfg file. Any system whose Secure Boot trust list includes the standard Microsoft UEFI CA is also affected, regardless of the operating system it actually boots, because such a system will accept a signed but vulnerable GRUB2 image from any distribution.
"We believe that most modern systems in use today, including servers and workstations, laptops and desktops, as well as a large number of OT and IoT systems based on Linux, are potentially affected by this vulnerability," the experts write.
According to the researchers, fully fixing the bug will take a long time, because fixing bootloader problems is inherently complex: it involves many components (the bootloader itself, the shim, distribution signing and the firmware's revocation list) and careful handling of the cryptographic signing chain. Shipping fixed GRUB2 builds is not enough on its own; the old, vulnerable signed binaries also have to be revoked in the UEFI forbidden-signature database (dbx), and a mistaken revocation can leave a machine unable to boot.
Eclypsium coordinated disclosure with Microsoft, CERT/CC, Linux distribution maintainers, the UEFI Security Response Team, OEMs, VMware, Oracle and other major software vendors. Many of them are expected to release advisories and updates for BootHole and the other GRUB2 issues in the near future.
Microsoft reports that BootHole affects Windows 10, Windows 8.1, Windows Server 2012, Server 2016, Server 2019 and Windows Server versions 1903, 1909 and 2004. The company is working on an update that will be distributed through Windows Update.
Linux distribution maintainers are also actively fixing BootHole and are finding further issues along the way. Canonical's head of security, Joe McManus, for example, writes:
“We at Canonical, along with the rest of the open source community, have updated GRUB2 to address this vulnerability. In the process, we identified seven additional vulnerabilities in GRUB2, which will also be fixed in the updates released today. The issue itself is not a remote vulnerability and the attacker must have root privileges. With that in mind, we don't think this will be a popular vulnerability in practice.”
SUSE chief security officer Marcus Meissner likewise notes that while the problem is serious and must be fixed, its real-world impact is limited:
“Given the need for root access to the bootloader, the described attack is obviously of limited relevance for most cloud computing, data center and personal device scenarios (unless those systems were compromised by another known issue). However, the vulnerability is dangerous if users can gain access to a machine, for example, installed in a public place and operating in an automated kiosk mode.”
Red Hat, however, is having trouble with its fix. Users report that after installing the Red Hat Enterprise Linux (RHEL) 8.2 patch their systems no longer boot. The problem also affects systems based on RHEL 7.x and 8.x, Atomic Host and OpenShift Container Platform 4, but appears to be limited to bare-metal servers; RHEL virtual machines that do not use Secure Boot continue to work normally. The developers have promised a "patch for the patch" in the very near future.
CentOS 7.x and 8.x users report similar problems after installing the fixes, and there are many reports of boot failures on other Linux distributions (including Ubuntu and Debian) as well. For now, users are therefore advised to postpone installing the patches until the situation becomes clearer, and to keep recovery media at hand if they do install them.