Security research firm Eclypsium has disclosed a vulnerability, BootHole, present in the GRUB 2 bootloader.
The researchers noted that almost all Linux distributions are vulnerable because most of them use GRUB 2 for bootloading. In addition, any Windows device that uses the Microsoft Third Party UEFI Certificate Authority is vulnerable. “Thus the majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries,” the Eclypsium team wrote in a post.
By exploiting the vulnerability attackers can gain arbitrary code execution during the boot process, even bypassing security controls like Secure Boot. This allows the attacker to then install bootkits or bootloaders that could give full control over the device.
According to the researchers, the boot process is one of the most important aspects of security.
“It relies on a variety of firmware that controls how a device’s various components and peripherals are initialized and ultimately coordinates the loading of the operating system itself. In general, the earlier code is loaded, the more privileged it is. If this process is compromised, attackers can control how the operating system is loaded and subvert all higher-layer security controls,” the Eclypsium team wrote.
The Eclypsium team has stated that it responsibly disclosed this vulnerability to OS vendors, computer manufacturers, and CERTs. The current mitigation strategy recommended by them is to require that new bootloaders be signed and deployed, while any vulnerable bootloaders be removed. This will prevent attackers from exploiting older, potentially vulnerable bootloaders.
Red Hat also released a statement on BootHole, as several of its products are impacted, including Red Hat Enterprise Linux. The company recommends customers apply available updates as soon as possible. This includes updating grub2 packages, and for customers using Secure Boot, it means updating kernel, fwupdate, fwupd, shim and dbxtool packages.
“Red Hat is aware of a flaw (CVE-2020-10713) in GRUB 2,” said Peter Allor, director of product security at Red Hat. “Product Security has conducted a thorough analysis and understands not only how this flaw impacts Red Hat products, but most importantly how this impacts the Linux kernel. Our PSIRT has been working closely with engineering, cross-functional teams, the Linux community as well as our industry partners to deliver currently available updates for affected Red Hat products, including Red Hat Enterprise Linux.”