BootHole issue allows installing a stealthy and persistent malware

Billions of Windows and Linux devices are affected by a serious GRUB2 bootloader issue, dubbed BootHole, that can be exploited to install a stealthy malware.

Billions of Windows and Linux devices are affected by a serious GRUB2 bootloader vulnerability, tracked as CVE-2020-10713 and dubbed BootHole, which can be exploited by attackers to install persistent and stealthy malware.

According to researchers from the firmware security firm Eclypsium, which discovered the issue, the BootHole flaw affects any operating system that uses GRUB2 with Secure Boot.

GRUB2 (the GRand Unified Bootloader version 2) is a replacement for the original GRUB Legacy boot loader, which is now referred to as “GRUB Legacy”. The mechanism is designed to protect the boot process from attacks.

“The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected.” reads a report published by Eclypsium. “In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.”

The flaw affects the majority of laptops, desktops, workstations, servers, and network appliances and special purpose equipment used in the healthcare, industrial and financial sectors.

The vulnerability could be exploited by an attacker with administrator privileges on the targeted device. The attacker can obtain higher privileges and achieve persistence by exploiting the issue.

BootHole is a buffer overflow vulnerability that is related to the way the GRUB2 parses its grub.cfg configuration file.

The config file is a text file that is typically not signed, an attacker could exploit the vulnerability to execute arbitrary code within GRUB2 and modify the contents of the GRUB2 configuration file. With this trick, the attacker can execute the malicious code before the operating system is loaded, gaining persistence on the device. 

After Eclypsium disclosed the BootHole vulnerability, the Canonical security team discovered several other security issues analyzing GRUB2 implementation.

“All signed versions of GRUB2 that read commands from an external grub.cfg file are vulnerable, affecting every Linux distribution. To date, more than 80 shims are known to be affected. In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable to this issue.” states the report.

“Additionally, any hardware root of trust mechanisms that rely on UEFI Secure Boot could be bypassed as well.”

To mitigate the flaw, the bootloaders have to be signed and deployed, experts suggest revoking vulnerable bootloaders. Unfortunately, this process could take a long time.

“While Secure Boot is easily taken for granted by most users, it is the foundation of security within most devices. Once compromised, attackers can gain virtually complete control over the device, its operating system, and its applications and data.” concludes the report. “And as this research shows, when problems are found in the boot process, they can have far-reaching effects across many types of devices.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BootHole)

[adrotate banner=”5″]

[adrotate banner=”13″]