A team of cybersecurity researchers has revealed details of a new high-risk vulnerability that affects billions of devices worldwide, including servers, workstations, laptops, desktops, and IoT systems running almost any Linux distribution or Windows.
Nicknamed “BootHole” and labeled CVE-2020-10713, the reported vulnerability resides in the GRUB2 bootloader and, if exploited, could allow attackers to bypass the Secure Boot feature and gain persistent, stealthy, high-privilege access to target systems.
Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) that uses a bootloader to load critical components, peripherals, and the operating system while ensuring that only cryptographically signed code is executed during the boot process.
One of the goals of Secure Boot is to prevent unauthorized code, even when run with administrator privileges, from gaining additional privileges and persistence before the operating system runs, whether by disabling Secure Boot or by modifying the boot chain. This is precisely where the problem with GRUB2 lies.
Discovered by Eclypsium researchers, BootHole is a buffer overflow vulnerability that affects all versions of GRUB2 and exists in the way it parses the contents of its configuration file, which, unlike other files and executables, is generally not signed, giving attackers a chance to break the trust mechanism. “Buffer overflow allows an attacker to get arbitrary code execution within the UEFI runtime environment, which could be used to run malware, alter the boot process, directly patch the operating system kernel, or perform any number of other malicious actions”, the researchers explained.
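The class of defect described above, as an added illustration that is not GRUB2's code and does not reproduce the actual BootHole bug: a constructed tokenizer that copies configuration tokens into a fixed-size buffer. The unbounded copy shows the pattern that leads to a stack buffer overflow when an unsigned config file supplies an over-long token; the bounded version reports the over-long token and refuses the line instead of writing past the buffer. TOKEN_MAX, the sample config lines and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed buffer size for one config token (constructed value for this example). */
#define TOKEN_MAX 32

/* Result codes returned by the bounded tokenizer. */
enum parse_status { PARSE_OK = 0, PARSE_TOO_LONG = 1, PARSE_EMPTY = 2 };

/* Unsafe pattern, shown for contrast and never called in this file: the copy
   stops only at whitespace, so a token longer than the destination buffer
   overruns it. This is the shape of bug the text describes, not GRUB2's code. */
void copy_token_unbounded(const char *src, char *buf)
{
    while (*src && *src != ' ' && *src != '\n')
        *buf++ = *src++;
    *buf = '\0';
}

/* Hardened version: copies at most cap-1 bytes and reports an over-long token
   rather than truncating silently or writing past the buffer. On success
   *consumed receives the number of bytes taken from src. */
enum parse_status copy_token_bounded(const char *src, char *buf, size_t cap,
                                     size_t *consumed)
{
    size_t n = 0;
    while (src[n] && src[n] != ' ' && src[n] != '\n') {
        if (n + 1 >= cap)          /* leave room for the terminating NUL */
            return PARSE_TOO_LONG;
        buf[n] = src[n];
        n++;
    }
    buf[n] = '\0';
    *consumed = n;
    return n == 0 ? PARSE_EMPTY : PARSE_OK;
}

/* Count the tokens in one config line using the bounded copy. Returns -1 if
   any token exceeds the buffer, rejecting the whole line as malformed input. */
int count_tokens_checked(const char *line)
{
    char tok[TOKEN_MAX];
    int count = 0;
    size_t used = 0;
    const char *p = line;

    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p || *p == '\n')
            break;
        enum parse_status st = copy_token_bounded(p, tok, sizeof tok, &used);
        if (st == PARSE_TOO_LONG)
            return -1;
        if (st == PARSE_EMPTY)
            break;
        count++;
        p += used;
    }
    return count;
}

int main(void)
{
    /* Constructed sample lines: a benign one and one carrying a 40-byte token. */
    const char *benign = "set default=0 timeout=5";
    const char *hostile = "menuentry AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("benign line: %d tokens\n", count_tokens_checked(benign));
    printf("hostile line: %d (-1 means rejected)\n", count_tokens_checked(hostile));
    return 0;
}
```

The point of the bounded variant is that the parser's trust boundary sits at the config file: because grub.cfg is not covered by the signature check, every length in it has to be treated as attacker-controlled, and a fixed-size destination must fail closed when the input does not fit.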
GRUB2 vulnerability: severe, but controllable
It should be noted that the grub.cfg file is located on the EFI system partition, so to modify it an attacker would need administrator privileges on the target system. In other words, exploiting BootHole requires write access to system files, specifically to the GRUB configuration file.
Additionally, Eclypsium reported the problem in advance, and the major companies behind the Linux distributions that use GRUB2 are already developing a patch or have released one. For this reason, and because of the need for prior access, they have described its potential reach as limited: “Given the need for root loader access, the described attack appears to be of limited relevance to most cloud computing, data center, and personal device scenarios, unless these systems are already compromised by another known attack”, SUSE clarified.
It must be mentioned that the problem also extends to any Windows device that uses Secure Boot with the Microsoft Third Party UEFI Certification Authority. To exploit BootHole on Windows systems, attackers could replace the installed default bootloader with a vulnerable version of GRUB2 in order to install rootkit malware.
Microsoft acknowledged the problem and reported that it is “working to complete the validation and compatibility testing of a required Windows update that addresses this vulnerability”. It also recommended that users apply the security patches as soon as they are released in the coming weeks.
In addition to Microsoft, many popular Linux distributions have also released advisories explaining the vulnerability, potential mitigations, and the timeline for upcoming security patches: