Security researchers from Eclypsium have disclosed a vulnerability in the boot loader Grub2, which they call BootHole. Grub2 is used mainly on Linux systems, but it can also boot Windows, macOS and BSD-based operating systems. Attackers can use the vulnerability to manipulate the boot process. Patches and security advisories are now available from Oracle, Red Hat, SUSE, Debian, Citrix and VMware, among others, as well as from various OEMs and software providers.
According to an entry in the Eclypsium blog, the vulnerability was discovered earlier this year. Attackers could inject malicious code and execute it during the boot process, before the operating system starts, and thereby take complete control of the system. Such malware is also known as a bootkit. Because it lives in the boot loader or in other components such as mainboard firmware rather than in the operating system, a bootkit also survives a reinstallation of the operating system.
The actual flaw lies in how Grub2 parses its configuration file grub.cfg, from which it takes system-specific settings. The values stored there can be crafted so that they trigger a buffer overflow while Grub2 reads the file, which gives the attacker code execution inside the boot loader. In addition, it is then possible to replace the entire boot loader with a malicious variant. The vulnerability is tracked as CVE-2020-10713.
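As an added illustration (not Eclypsium's code and not Grub2's own source), the following C program models the parser pattern behind the bug. In Grub2 the generated lexer handled an oversized token by calling a "fatal" error hook that only printed a message and returned, so the copy into the fixed-size token buffer simply continued. The vulnerable tokenizer below reproduces that pattern next to a variant that rejects the oversized token; the buffer sizes, the canary bytes standing in for neighbouring heap data, and all function names are assumptions made for the demo.

```c
/* Simplified model of a config-file tokenizer with a fixed-size token buffer.
 * Added example: this is not GRUB2 code. */
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 16   /* logical capacity of the token buffer (assumed) */
#define SLACK      8   /* bytes after it standing in for adjacent heap data */

struct lexer {
    char buf[TOKEN_MAX + SLACK];
    int  fatal_reported;
};

static void lexer_init(struct lexer *lx)
{
    memset(lx->buf, 0, TOKEN_MAX);
    memset(lx->buf + TOKEN_MAX, 'C', SLACK);   /* canary pattern after the buffer */
    lx->fatal_reported = 0;
}

/* How many canary bytes did the tokenizer overwrite? */
static int canary_clobbered(const struct lexer *lx)
{
    int n = 0;
    for (int i = 0; i < SLACK; i++)
        if (lx->buf[TOKEN_MAX + i] != 'C')
            n++;
    return n;
}

/* Error hook of the vulnerable pattern: it reports, but returns to the caller. */
static void fatal_report_only(struct lexer *lx, const char *msg)
{
    lx->fatal_reported = 1;
    fprintf(stderr, "fatal: %s (continuing anyway)\n", msg);
}

/* Vulnerable: the "fatal" hook returns, so copying resumes past TOKEN_MAX.
 * The cap at TOKEN_MAX + SLACK exists only to keep this demo inside memory
 * it owns; a real lexer keeps writing into whatever follows the buffer. */
static int lex_token_vulnerable(struct lexer *lx, const char *input)
{
    size_t i;
    for (i = 0; input[i] && input[i] != ' ' && i < TOKEN_MAX + SLACK; i++) {
        if (i == TOKEN_MAX - 1)
            fatal_report_only(lx, "token too long");
        lx->buf[i] = input[i];
    }
    return 0;   /* the caller never learns that the token was oversized */
}

/* Fixed: an oversized token is a hard error and no byte lands past the limit. */
static int lex_token_fixed(struct lexer *lx, const char *input)
{
    size_t i;
    for (i = 0; input[i] && input[i] != ' '; i++) {
        if (i >= TOKEN_MAX - 1)
            return -1;            /* stop parsing; reject the configuration */
        lx->buf[i] = input[i];
    }
    lx->buf[i] = '\0';
    return 0;
}

/* Run one token through the vulnerable lexer; returns canary bytes clobbered. */
int run_vulnerable(const char *input)
{
    struct lexer lx;
    lexer_init(&lx);
    lex_token_vulnerable(&lx, input);
    return canary_clobbered(&lx);
}

/* Run one token through the fixed lexer; -1 if rejected, else canary bytes clobbered. */
int run_fixed(const char *input)
{
    struct lexer lx;
    lexer_init(&lx);
    if (lex_token_fixed(&lx, input) < 0)
        return -1;
    return canary_clobbered(&lx);
}

int main(void)
{
    /* Constructed inputs: a normal keyword and an oversized token. */
    const char *ok   = "menuentry";
    const char *huge = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("vulnerable, short token: %d canary bytes clobbered\n", run_vulnerable(ok));
    printf("vulnerable, long token:  %d canary bytes clobbered\n", run_vulnerable(huge));
    printf("fixed, long token:       rc=%d\n", run_fixed(huge));
    return 0;
}
```

The vulnerable variant returns success for both inputs and silently overwrites the bytes behind its buffer; the fixed variant turns the oversized token into a parse error before any byte is written out of bounds, which is the behaviour the Grub2 patches restore.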
BootHole also bypasses an important OS-independent security function. On UEFI-based systems, Secure Boot is supposed to prevent modified boot components from being loaded: the firmware verifies the cryptographic signature of the boot loader before executing it. However, that check covers only the signed Grub2 binary, not the plain-text grub.cfg file. The signed boot loader therefore parses unsigned content, and a crafted configuration file is enough to subvert the chain of trust.
There are, however, restrictions on attacks against the BootHole vulnerability. For example, the Grub2 configuration file can only be edited with administrator rights, so an attacker must first obtain them. Vulnerabilities that allow an unauthorized elevation of user rights are, however, regularly discovered in operating systems.
Eclypsium estimates that every Linux distribution is affected by BootHole. “In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is susceptible to this problem,” added the researchers. “Therefore, we believe that the majority of the modern systems used today, including servers and workstations, laptops and desktops, as well as a large number of Linux-based OT and IoT systems, are potentially affected by these vulnerabilities.”
According to Microsoft, all supported Windows versions are affected, including Windows 8.1, Windows RT, Windows 10, Windows Server 2012, 2016 and 2019 and Windows Server versions 1903, 1909 and 2004. Microsoft also refers to a UEFI revocation list (dbx) update distributed on the UEFI Forum website, which it describes as not yet tested. A Windows update is currently still undergoing compatibility tests.