Billions of Windows and Linux devices are affected by a serious GRUB2 bootloader vulnerability that can be exploited to install persistent and stealthy malware, revealed Wednesday firmware security firm Eclypsium.
Tracked as CVE-2020-10713 and dubbed BootHole, the vulnerability has a CVSS score of 8.2 and Eclypsium claims it affects all operating systems that use GRUB2 with Safe Boot, a mechanism designed to protect the boot process from attacks. In fact, the firm says the bug affects machines that use Secure Boot even though they don’t use GRUB2.
“Fast all signed versions of GRUB2 are vulnerable, meaning that virtually every Linux distribution is affected,” explained Eclypsium in her paper. “GRUB2 also supports other operating systems, kernels, and hypervisors like Xen. The issue also applies to any Windows system with the normal Microsoft Third Party UEFI Certificate Authority that uses Secure Boot.
The company says the vulnerability affects most laptops , desktops, workstations and server systems, as well as network appliances and equipment used in the healthcare, manufacturing and financial sectors.
This vulnerability could be exploited by threat actors to install bootkits or malicious bootloaders that would give them control over the targeted system. Researchers at Eclypsium noted that exploiting the vulnerability requires administrator privileges on the targeted device, but successful exploitation allows the attacker to gain even higher privileges and persist.
BootHole has been identified as a buffer overflow flaw about how GRUB2 parses its configuration file grub.cfg. An intruder can change this file, which is an encrypted text file normally contained in the EFI system partition, to ensure that their malicious code is executed before the operating system is loaded in the UEFI execution environment. This helps the attacker to execute malware, change the boot process or patch the operating system kernel directly.
Following the discovery of the weakness in BootHole by Eclypsium, the Canonical Security team also reviewed GRUB2 and found several other security holes, all of which were rated as medium severity.
Eclypsium has coordinated with Microsoft, Linux distributions, the UEFI Security Response Team, OEMs, CERTs, VMware, Oracle and other impacted software vendors to disclose the vulnerability. Many of them are required to issue advisories or updates that fix BootHole and other problems with GRUB2.
“Mitigation will require the signing and deployment of new bootloaders, and revoking vulnerable bootloaders to prevent opponents from using older, vulnerable versions in an attack. This is likely to be a long process and it will take Organizations some time to complete patching, “the company explained.