Cyber attacks come in two broad types: those in which criminals use advanced techniques to tamper with a system, and those in which a product reaches consumers with a built-in vulnerability that attackers then leverage. Recently, researchers traced a vulnerability in the GRUB2 bootloader, the default bootloader of most Linux distributions; because signed GRUB2 loaders are trusted by Secure Boot, Windows devices are exposed as well. Billions of devices, IoT gadgetry included, are affected. The BootHole bug can let attackers steal information and move laterally within networks.
GRUB2 Bootloader
GRUB2 is an abbreviation for GRand Unified Bootloader version 2. Its function is to manage the startup process and hand control from the firmware over to the operating system kernel. It is the default bootloader in most Linux distributions; Windows uses its own boot manager, but Windows devices that use Secure Boot with the standard Microsoft UEFI certificate authority trust the same signed GRUB2 loaders, which is why they are drawn into this issue.
On devices using Secure Boot with Microsoft's standard Unified Extensible Firmware Interface (UEFI) certificate authority, the firmware checks the cryptographic signature of each EFI application before running it during the boot process. Every piece of boot code the firmware loads is verified this way before control is handed to the operating system.
UEFI is the industry-standard firmware interface; on Linux laptops, desktops and servers that boot under it, the firmware loads a signed shim, which in turn loads GRUB2.
Billions of users around the globe are under the threat of cyber attacks stemming from the BootHole bug.
According to Eclypsium researchers, the bug tracked as CVE-2020-10713 could allow attackers to get around these protections and execute arbitrary code during the boot-up process, even when Secure Boot is enabled and properly performing signature verification.
BootHole Bug
Researchers dubbed it "BootHole" because it punches a hole in the boot process. It is a buffer overflow in the way GRUB2 parses its configuration file (grub.cfg), and it lets an attacker execute arbitrary code inside the bootloader and take control of how the operating system is booted.
The vulnerability was assigned CVE-2020-10713, "GRUB2: crafted grub.cfg file can lead to arbitrary code execution during boot process", with a CVSS rating of 8.2 (High), vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.
grub.cfg is a plain text file and, unlike the bootloader binaries and other executables, it is not signed. It is stored in the EFI system partition, so an attacker who can write to that partition can plant a crafted grub.cfg, trigger the overflow and execute arbitrary code while GRUB2 is still in control. From there they can alter how the operating system is loaded, inject malware, manipulate the boot process, directly patch the OS kernel, and carry out any number of other nefarious activities.
Furthermore, the attacker's code runs before the operating system is loaded, and Secure Boot's signature verification is effectively bypassed: the GRUB2 binary that executes it is itself validly signed, and the unsigned configuration file is never checked. This gives attackers persistence and 'near-total control' of the device.
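As an added illustration (a simplified model written for this article, not GRUB2's source), the snippet below contrasts the pattern behind this class of bug with its fix. In GRUB2 the overflow could happen because the generated lexer's fatal-error hook for an over-long token had been redefined to print a message rather than stop, so parsing carried on and wrote past the buffer. The model copies a token from a grub.cfg-style line into a fixed 16-byte slot at the front of an arena; the bytes after the slot stand in for whatever unrelated data follows the buffer in memory. The input line, the arena layout and the function names are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a config-file tokenizer (added example, not GRUB2's code).
 * Tokens are copied into a fixed-size slot at the start of `arena`; the bytes
 * after the slot stand in for unrelated data that happens to follow it in memory. */
#define TOKEN_MAX      16
#define ARENA_SIZE     48
#define NEIGHBOUR_MARK "ORIGINAL"

/* Vulnerable pattern: the over-long token is detected and reported as fatal,
 * but nothing stops the loop, so the copy continues past the token slot.
 * Returns the number of bytes written. The arena bound only keeps this demo
 * from crashing; the real overflow has no such limit. */
static int tokenize_vulnerable(unsigned char *arena, size_t arena_len, const char *line)
{
    size_t i = 0;
    while (line[i] != '\0' && line[i] != ' ' && i < arena_len) {
        if (i == TOKEN_MAX)
            fprintf(stderr, "fatal: token buffer overflow\n"); /* message only */
        arena[i] = (unsigned char)line[i];                    /* write continues */
        i++;
    }
    return (int)i;
}

/* Hardened pattern: the same condition aborts the parse before any byte can
 * land outside the token slot. Returns the token length, or -1 on overflow. */
static int tokenize_hardened(unsigned char *arena, size_t arena_len, const char *line)
{
    size_t i = 0;
    (void)arena_len; /* not needed: writes are bounded by TOKEN_MAX */
    while (line[i] != '\0' && line[i] != ' ') {
        if (i >= TOKEN_MAX) {
            fprintf(stderr, "fatal: token too long, rejecting config\n");
            return -1;
        }
        arena[i] = (unsigned char)line[i];
        i++;
    }
    return (int)i;
}

/* Reset the arena: empty token slot, marker in the neighbouring region. */
static void reset_arena(unsigned char *arena)
{
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena + TOKEN_MAX, NEIGHBOUR_MARK, strlen(NEIGHBOUR_MARK));
}

/* 1 if the neighbouring region still holds its marker, 0 if it was clobbered. */
static int neighbour_intact(const unsigned char *arena)
{
    return memcmp(arena + TOKEN_MAX, NEIGHBOUR_MARK, strlen(NEIGHBOUR_MARK)) == 0;
}

/* Constructed grub.cfg-style line whose first token is 30 bytes long
 * (illustrative input, not a real exploit payload). */
static const char *LONG_LINE = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA set";

int main(void)
{
    unsigned char arena[ARENA_SIZE];

    reset_arena(arena);
    int n = tokenize_vulnerable(arena, ARENA_SIZE, LONG_LINE);
    printf("vulnerable: wrote %d bytes, neighbour intact = %d\n", n, neighbour_intact(arena));

    reset_arena(arena);
    n = tokenize_hardened(arena, ARENA_SIZE, LONG_LINE);
    printf("hardened:   result %d, neighbour intact = %d\n", n, neighbour_intact(arena));
    return 0;
}
```

Compile it with any C compiler and run it: the vulnerable variant reports the overflow and still writes all 30 bytes, overwriting the marker after the slot, while the hardened variant stops at the 17th byte and leaves the neighbouring data untouched. The hardened variant is, in spirit, what the upstream fix does: an over-long token is treated as a genuinely fatal error and parsing of the configuration is abandoned.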
The affected parties (the list is not complete, as the investigation is still ongoing):
Microsoft
UEFI Security Response Team (USRT)
Oracle
Red Hat (Fedora and RHEL)
Canonical (Ubuntu)
SUSE (SLES and openSUSE)
Debian
Citrix
VMware
Various OEMs
Impact
The BootHole vulnerability can be leveraged by attackers to install bootkits or malicious bootloaders that operate even when Secure Boot is enabled and functioning correctly.
This can ensure attacker code runs before the operating system and can allow the attacker to control how the operating system is loaded, directly patch the operating system, or even direct the bootloader to alternate OS images. It gives the attacker virtually unlimited control over the victim device.
All signed versions of the GRUB2 bootloader shipped by every Linux distribution are vulnerable. Apart from Linux machines, any device using Secure Boot with the standard Microsoft UEFI CA is exposed too, since its firmware will trust a signed but vulnerable GRUB2 presented by an attacker.
Modern devices of every kind, including servers and workstations, laptops and desktops, and a large number of Linux-based OT and IoT systems, are potentially affected.
Mitigation
Vendors need to release new versions of bootloaders, shims and installers for Linux, signed by the Microsoft 3rd Party UEFI CA, and the old versions need to be revoked. Until that revocation reaches a device, every device that trusts the Microsoft 3rd Party UEFI CA remains vulnerable, because its firmware will still accept the old, validly signed GRUB2.
Affected organisations have to update their operating systems as well as their installer images.
More importantly, the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent the vulnerable, still validly signed bootloaders from running during boot. The dbx update should only be applied after the updated shim and bootloader are installed: a revoked bootloader that is still in use will be refused by the firmware, and the system will fail to boot. Installer and recovery media must be refreshed for the same reason.
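To make the dbx step concrete, here is an added example (written for this article, not vendor tooling) that parses a dbx blob in the UEFI EFI_SIGNATURE_LIST format and answers whether a given SHA-256 hash has been revoked. The blob is a sequence of signature lists, each starting with a type GUID, a total list size, a header size and a per-entry size, followed by entries that each carry an owner GUID and the signature data; for EFI_CERT_SHA256_GUID lists the data is a 32-byte hash. The sample dbx built by sample_dbx() and the placeholder hashes it contains are constructed for the example; they are not the hashes Microsoft or the distributions actually revoked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* EFI_CERT_SHA256_GUID (c1c41626-504c-4092-aca9-41f936934328) as stored
 * in the variable (first three fields little-endian). */
static const uint8_t EFI_CERT_SHA256_GUID[16] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

#define ESL_HDR    28  /* EFI_SIGNATURE_LIST: type GUID + 3 x UINT32 */
#define SIG_OWNER  16  /* EFI_SIGNATURE_DATA.SignatureOwner GUID */
#define SHA256_LEN 32

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk a dbx blob (concatenated EFI_SIGNATURE_LISTs). Returns 1 if `hash`
 * is listed as a revoked SHA-256, 0 if not, -1 if the blob is malformed.
 * Lists of other types (X.509 certificates, SHA-1) are skipped over. */
int dbx_contains_sha256(const uint8_t *dbx, size_t len, const uint8_t hash[SHA256_LEN])
{
    size_t off = 0;
    while (off < len) {
        if (len - off < ESL_HDR)
            return -1;
        const uint8_t *esl = dbx + off;
        uint32_t list_size = get32(esl + 16);
        uint32_t hdr_size  = get32(esl + 20);
        uint32_t sig_size  = get32(esl + 24);
        if (list_size < ESL_HDR || list_size > len - off)
            return -1;                       /* truncated or inconsistent list */
        if (memcmp(esl, EFI_CERT_SHA256_GUID, 16) == 0) {
            if (sig_size != SIG_OWNER + SHA256_LEN)
                return -1;
            size_t pos = (size_t)ESL_HDR + hdr_size;
            if (pos > list_size)
                return -1;
            for (; pos + sig_size <= list_size; pos += sig_size)
                if (memcmp(esl + pos + SIG_OWNER, hash, SHA256_LEN) == 0)
                    return 1;
        }
        off += list_size;
    }
    return 0;
}

/* Build one SHA-256 signature list holding `n` hashes (constructed data for
 * this example). Returns bytes written, or 0 if `cap` is too small. */
size_t build_sha256_esl(uint8_t *out, size_t cap, uint8_t (*hashes)[SHA256_LEN], size_t n)
{
    const uint32_t sig_size = SIG_OWNER + SHA256_LEN;
    size_t total = ESL_HDR + n * sig_size;
    if (total > cap)
        return 0;
    memcpy(out, EFI_CERT_SHA256_GUID, 16);
    put32(out + 16, (uint32_t)total);
    put32(out + 20, 0);                        /* SignatureHeaderSize */
    put32(out + 24, sig_size);
    for (size_t i = 0; i < n; i++) {
        uint8_t *sig = out + ESL_HDR + i * sig_size;
        memset(sig, 0, SIG_OWNER);             /* SignatureOwner: null GUID here */
        memcpy(sig + SIG_OWNER, hashes[i], SHA256_LEN);
    }
    return total;
}

/* Fill a 32-byte hash with one repeated byte: a placeholder for the example,
 * not a real bootloader hash. */
void fill_hash(uint8_t h[SHA256_LEN], uint8_t b) { memset(h, b, SHA256_LEN); }

/* Constructed sample dbx with two revoked placeholder hashes (0x11.., 0x22..). */
size_t sample_dbx(uint8_t *out, size_t cap)
{
    uint8_t revoked[2][SHA256_LEN];
    fill_hash(revoked[0], 0x11);
    fill_hash(revoked[1], 0x22);
    return build_sha256_esl(out, cap, revoked, 2);
}

int main(void)
{
    uint8_t dbx[256], h[SHA256_LEN];
    size_t n = sample_dbx(dbx, sizeof dbx);
    fill_hash(h, 0x22);
    printf("0x22.. revoked: %d\n", dbx_contains_sha256(dbx, n, h));
    fill_hash(h, 0x33);
    printf("0x33.. revoked: %d\n", dbx_contains_sha256(dbx, n, h));
    return 0;
}
```

On a Linux system the live dbx can be read from /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f; efivarfs prepends a 4-byte attribute word that must be skipped before handing the rest to dbx_contains_sha256(). Two caveats when using this on real bootloaders: dbx entries for EFI binaries are Authenticode hashes of the PE image (which exclude the checksum and certificate table), not a sha256sum of the file, so compute the hash with a PE-aware tool such as pesign; and a parser returning -1 on a real dbx is a sign of a malformed or truncated variable, which is itself worth investigating.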
The good news is that exploiting the vulnerability requires physical access to the system or administrator privileges on it, since grub.cfg lives on the EFI system partition. But if a system is already compromised by malware running with those privileges, the threat actors can use BootHole to escalate further, from a compromised operating system to persistent control beneath it.
Ayush Dubey is an engineering student at IIIT Jabalpur with a comprehensive background in technology; cybersecurity is his primary field of interest. He loves to meet people who are always hustling to learn new things.