A new vulnerability, named BootHole, was recently disclosed in the GRUB2 bootloader by two Eclypsium researchers, Mickey Shkatov and Jesse Michael. Most Linux systems boot through GRUB2, and it is also used to load other operating systems, kernels, and hypervisors. According to the disclosure, almost all signed versions of GRUB2 are vulnerable, even on systems with Secure Boot enabled. This also includes Windows devices that use Secure Boot, because their firmware trusts the Microsoft UEFI CA that signs the shims through which GRUB2 is loaded.
Secure Boot is the foundation of security on most devices: it is the root of trust from which the operating system, its applications, and its data derive their integrity. If it is compromised, adversaries can take complete control of the system. When problems are found in the boot process, as in the case of BootHole, the consequences can be far-reaching.
UEFI Secure Boot is the standard mechanism on PCs and servers for checking that each boot component is signed by a trusted key before it runs. GRUB2's configuration file, grub.cfg, is a plain text file that, unlike the executables in the boot chain, is not signed or verified. BootHole is a buffer overflow in GRUB2's parsing of that file: an attacker who can write to grub.cfg (which normally requires administrator privileges on the system, or physical access) can trigger arbitrary code execution inside GRUB2 and take over the rest of the boot process. Because grub.cfg is not covered by any signature check, modifying it does not trip integrity verification, so the attack code runs before the operating system loads, on every boot. This is how attackers gain persistence on the device.
With arbitrary code execution inside GRUB2, signature verification of everything that follows is bypassed. The adversary can control how the operating system is loaded, patch the kernel directly, or point the bootloader at alternate OS images. In practice this means installing persistent, stealthy bootkits or malicious bootloaders on the target, giving the attacker virtually complete control of the victim device. At the time of the report, up to 80 shims were identified as affected, and the report states that the majority of modern systems in use today are exposed to this threat. Other hardware that relies on UEFI Secure Boot is also potentially at risk.
The report also addressed mitigation. Fully mitigating the issue requires coordinated effort from several parties: the affected open-source projects, Microsoft, and the owners of the affected systems. The major steps are updating installers, bootloaders, and shims; having new shims signed; revoking trust in the old, vulnerable shims; and updating the operating systems of already deployed devices.
The bug, CVE-2020-10713, has a CVSS score of 8.2 (High). On disclosure of the bug, the National Security Agency (NSA) issued a mitigation advisory asking vendors and system owners to follow a three-step process:
- Update boot components (shim, GRUB2, kernel, installers, and recovery media), so that nothing still in use depends on a bootloader about to be revoked.
- Test boot component trust revocation: apply the updated forbidden-signature database (dbx) on representative systems and confirm they still boot.
- Apply boot component trust revocation: roll the dbx update out to production systems.
As an advanced mitigation, it also advised customizing UEFI Secure Boot trust: replacing the default certificates in the firmware's trust databases with the organization's own keys, so that only bootloaders the organization signs are trusted.
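The second NSA step, testing trust revocation, comes down to asking whether a given boot component's hash is present in the firmware's forbidden-signature database (dbx). The script below is an added example written for this page, not code from Eclypsium, the NSA, or any distribution: it parses the EFI_SIGNATURE_LIST format that db/dbx variables use, builds a small constructed dbx inline so it runs offline, and reports whether two constructed "shim" images are revoked. The efivarfs path and the GUIDs are the standard UEFI ones; the sample images and the decision to hash the whole file (real dbx entries hold the Authenticode hash of the PE image, not a plain file hash) are simplifications of this example.

```python
"""Check whether a boot component's hash is in a UEFI dbx (forbidden
signature database). Added example, not Eclypsium's or the NSA's code.
The dbx blob used at the bottom is constructed inline; a live one can be
read from efivarfs with load_system_dbx()."""
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID: SignatureType of SHA-256 hash entries in db/dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_IMAGE_SECURITY_DATABASE_GUID: vendor GUID of the db/dbx variables.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SIGLIST_HDR = 16 + 4 + 4 + 4  # GUID + ListSize + HeaderSize + SignatureSize


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (all little-endian):
      EFI_GUID SignatureType
      UINT32   SignatureListSize    (whole list, header included)
      UINT32   SignatureHeaderSize  (optional header, 0 for hash lists)
      UINT32   SignatureSize        (size of each EFI_SIGNATURE_DATA)
      UINT8    SignatureHeader[SignatureHeaderSize]
      EFI_SIGNATURE_DATA Signatures[]  (16-byte owner GUID + data)
    Malformed input raises ValueError instead of being silently skipped."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HDR + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        entries = blob[off + SIGLIST_HDR + hdr_size:off + list_size]
        if len(entries) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize")
        for i in range(0, len(entries), sig_size):
            entry = entries[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def revoked_sha256_hashes(dbx_blob: bytes) -> set:
    """All SHA-256 digests the dbx forbids (other entry types are ignored)."""
    return {sig for t, _, sig in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def build_sha256_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (inverse of the parser)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIGLIST_HDR + len(body), 0, 16 + 32)
    return header + body


def revocation_list_for(images) -> bytes:
    """Constructed dbx that revokes exactly the given images."""
    return build_sha256_list([hashlib.sha256(img).digest() for img in images])


def is_revoked(image: bytes, dbx_blob: bytes) -> bool:
    """True if the image's hash is forbidden. Simplification: hashes the whole
    file; a real dbx entry is the Authenticode PE image hash."""
    return hashlib.sha256(image).digest() in revoked_sha256_hashes(dbx_blob)


def load_system_dbx(path: str = DBX_EFIVAR) -> bytes:
    """Read the live dbx; efivarfs prefixes the data with 4 attribute bytes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample images: only the "old" shim is revoked.
OLD_SHIM = b"constructed old, vulnerable shim image"
NEW_SHIM = b"constructed updated shim image"
SAMPLE_DBX = revocation_list_for([OLD_SHIM])

if __name__ == "__main__":
    print("old shim revoked:", is_revoked(OLD_SHIM, SAMPLE_DBX))  # True
    print("new shim revoked:", is_revoked(NEW_SHIM, SAMPLE_DBX))  # False
```

To test a real dbx update before applying it, replace SAMPLE_DBX with the contents of the update's signature list and compare it against the Authenticode hashes of the shim and GRUB2 images actually installed on the ESP and on recovery media; any match means that component must be updated before the revocation is applied, which is exactly the ordering the three NSA steps enforce.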
The impact of this bug is expected to be vast, because it affects nearly every Linux system and any other Secure Boot system that trusts the Microsoft UEFI CA. The Eclypsium researchers warned that, given the number of parties involved and the risk that revoking old bootloaders leaves not-yet-updated systems and recovery media unbootable, the patching process could be slow and prone to breakage.
You can read the official NSA report here.