Security researchers have disclosed a new high-risk vulnerability that affects billions of devices worldwide, including servers, workstations, laptops, desktops, and IoT systems running nearly any Linux distribution or Windows.
The vulnerability, dubbed 'BootHole' and tracked as CVE-2020-10713, resides in the GRUB2 bootloader. When exploited, it could allow attackers to bypass the Secure Boot feature and gain high-privileged, persistent, and stealthy access to the targeted systems.
Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) under which the firmware loads the bootloader, and the bootloader in turn loads drivers, critical components, and the operating system, only after verifying that each piece of code is cryptographically signed by a trusted key, so that only signed code executes during the boot process.
One of the explicit design goals of Secure Boot is to prevent unauthorized code, even code running with administrator privileges, from gaining additional privileges and pre-OS persistence by disabling Secure Boot or otherwise modifying the boot chain.
GRUB2 Bootloader Vulnerability
The vulnerability was discovered by researchers from Eclypsium. BootHole is a buffer overflow that affects all versions of GRUB2 and lies in the way the bootloader parses its configuration file, grub.cfg. Unlike the bootloader binaries and other executables in the boot chain, this file is normally not signed, which gives an attacker who can modify it a way to break the root of trust that Secure Boot is meant to enforce.
The grub.cfg file lives in the EFI system partition, so an attacker still needs an initial foothold on the target with administrative privileges in order to modify it. In exchange, exploiting the flaw gives that attacker a further escalation of privilege and persistence on the device beneath the operating system.
GRUB2 is the standard bootloader used by most Linux systems, but it also supports other operating systems, kernels, and hypervisors such as Xen.
The researchers stated that the buffer overflow gives the attacker arbitrary code execution within the UEFI execution environment, which could be used to run malware, alter the boot process, directly patch the OS kernel, or carry out any number of other malicious actions.
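To make the bug class concrete, here is an added, deliberately simplified example (not GRUB2's code and not from the Eclypsium report) of a config-file parser that copies a value into a fixed-size token buffer. The unsafe variant stops only at end of line, so a long value written by an attacker who controls the unsigned config file runs past the buffer into whatever sits next to it; the hardened variant takes the buffer size and rejects the over-long value rather than silently truncating it. The key=value syntax, the TOKEN_MAX size, and the sample config are assumptions chosen for the illustration; the overflow is made observable by placing the 16-byte buffer at the start of a larger, sentinel-filled arena so the program stays within its own memory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative example, not GRUB2 source. The bootloader's config file is not
 * signature-checked, so every byte of it is attacker-controlled input to a
 * parser that runs in the pre-boot environment, without ASLR or NX. */

#define TOKEN_MAX 16   /* declared size of the token buffer (assumption) */
#define ARENA     64   /* token buffer followed by "adjacent memory"     */

/* Find "key=" at the start of a line in cfg; return a pointer to the value. */
static const char *find_value(const char *cfg, const char *key)
{
    size_t klen = strlen(key);
    for (const char *line = cfg; line && *line; ) {
        if (strncmp(line, key, klen) == 0 && line[klen] == '=')
            return line + klen + 1;
        line = strchr(line, '\n');
        if (line) line++;
    }
    return NULL;
}

/* VULNERABLE: copies the value until end of line and never consults the
 * destination size, the bug class behind BootHole. */
size_t read_value_unsafe(const char *cfg, const char *key, char *out)
{
    const char *p = find_value(cfg, key);
    size_t n = 0;
    if (!p) { out[0] = '\0'; return 0; }
    while (*p && *p != '\n')
        out[n++] = *p++;          /* no bound: writes past out[TOKEN_MAX-1] */
    out[n] = '\0';
    return n;
}

/* HARDENED: takes the buffer size and refuses an over-long value (returns -1)
 * instead of truncating, since a truncated path or argument changes meaning. */
int read_value_safe(const char *cfg, const char *key, char *out, size_t out_len)
{
    const char *p = find_value(cfg, key);
    size_t n = 0;
    if (!p || out_len == 0) return -1;
    while (*p && *p != '\n') {
        if (n + 1 >= out_len) { out[0] = '\0'; return -1; }  /* room for NUL */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample config: the kernel command line is longer than TOKEN_MAX. */
static const char *SAMPLE_CFG =
    "timeout=5\n"
    "cmdline=root=/dev/sda2 ro quiet splash\n";

/* Run one parser over an arena laid out as [token buffer][sentinel bytes].
 * Returns 1 if any sentinel byte beyond the buffer was overwritten. */
static int parse_and_check(int use_safe)
{
    char arena[ARENA];
    memset(arena, 'S', sizeof arena);          /* 'S' = adjacent data */
    if (use_safe)
        read_value_safe(SAMPLE_CFG, "cmdline", arena, TOKEN_MAX);
    else
        read_value_unsafe(SAMPLE_CFG, "cmdline", arena);
    for (size_t i = TOKEN_MAX; i < ARENA; i++)
        if (arena[i] != 'S') return 1;
    return 0;
}

int unsafe_parser_corrupts_neighbour(void) { return parse_and_check(0); }
int safe_parser_corrupts_neighbour(void)   { return parse_and_check(1); }

int safe_rejects_long_value(void)
{
    char b[TOKEN_MAX];
    return read_value_safe(SAMPLE_CFG, "cmdline", b, sizeof b);   /* -1 */
}

int safe_reads_short_value(void)
{
    char b[TOKEN_MAX];
    int n = read_value_safe(SAMPLE_CFG, "timeout", b, sizeof b);
    return n == 1 && strcmp(b, "5") == 0;
}

int main(void)
{
    printf("unsafe parser clobbered adjacent memory: %s\n",
           unsafe_parser_corrupts_neighbour() ? "yes" : "no");
    printf("safe parser clobbered adjacent memory:   %s\n",
           safe_parser_corrupts_neighbour() ? "yes" : "no");
    printf("safe parser on over-long value returns %d\n", safe_rejects_long_value());
    printf("safe parser reads short value correctly: %d\n", safe_reads_short_value());
    return 0;
}
```

In a real bootloader the bytes beyond the buffer are other heap objects or function pointers, which is what turns this write into the arbitrary code execution the researchers describe.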
Windows systems are exposed as well. Because Windows devices that use Secure Boot trust the standard Microsoft Third Party UEFI Certificate Authority, which also signs the shims that load GRUB2, an attacker can replace the default Windows bootloader with a signed but vulnerable version of GRUB2 and use it to install rootkit malware.
The consequences are severe because the attack lets an adversary execute malicious code before the operating system even boots, which makes the malware difficult for security software to detect or remove.
The researchers also noted that the UEFI execution environment lacks Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP/NX), and the other exploit mitigations typically found in modern operating systems, so writing a reliable exploit for this kind of vulnerability is significantly easier.
The researchers have contacted the relevant industry parties, including OS vendors and computer manufacturers, to help them patch the issue. But patching is not straightforward.
Installing an updated GRUB2 bootloader alone does not resolve the issue, because an attacker can still replace the device's existing bootloader with an older version that is vulnerable but still validly signed, and Secure Boot will accept it.
They stated that even “mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older, vulnerable versions in an attack.”
The affected vendors must first release new versions of their bootloader shims to be signed by the Microsoft 3rd Party UEFI CA.
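Why an updated bootloader alone is not enough is easiest to see in the firmware's verification rule. The following is an added toy model (not firmware, shim, or vendor code) of the UEFI Secure Boot decision: an image boots if it matches the allow list db and does not match the forbidden list dbx, and a dbx match wins even when db would allow the image. It uses a signer string in place of the signing certificate and FNV-1a in place of the SHA-256 image hash; the two shim images, the CA label, and the scenarios are constructed for the example. It also goes one step beyond the text to show why the revocation is done with per-image hashes rather than by revoking the CA that signed them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the UEFI Secure Boot image-verification decision. Real firmware
 * checks Authenticode signatures against X.509 certificates and SHA-256 hashes
 * held in the 'db' (allowed) and 'dbx' (forbidden) variables; here a signer
 * string stands in for the certificate and FNV-1a for SHA-256 (assumptions). */

#define MAX_ENTRIES 8

typedef struct {
    const char *signer;   /* stand-in for the certificate that signed the image */
    const char *bytes;    /* stand-in for the image contents                     */
} image_t;

typedef struct {
    const char *signers[MAX_ENTRIES];  /* trusted (db) or revoked (dbx) signers      */
    uint64_t    hashes[MAX_ENTRIES];   /* allowed (db) or revoked (dbx) image hashes */
    int nsigners, nhashes;
} sigdb_t;

/* FNV-1a, a stand-in for the SHA-256 image hash (NOT cryptographically secure). */
static uint64_t image_hash(const image_t *img)
{
    uint64_t h = 1469598103934665603ULL;
    for (const char *p = img->bytes; *p; p++) {
        h ^= (unsigned char)*p;
        h *= 1099511628211ULL;
    }
    return h;
}

/* An image matches a signature database if its hash is listed or its signer is. */
static int db_matches(const sigdb_t *db, const image_t *img)
{
    uint64_t h = image_hash(img);
    for (int i = 0; i < db->nhashes; i++)
        if (db->hashes[i] == h) return 1;
    for (int i = 0; i < db->nsigners; i++)
        if (strcmp(db->signers[i], img->signer) == 0) return 1;
    return 0;
}

/* UEFI rule: a match in dbx rejects the image even when db would allow it. */
int boot_allowed(const image_t *img, const sigdb_t *db, const sigdb_t *dbx)
{
    if (db_matches(dbx, img)) return 0;
    return db_matches(db, img);
}

static void revoke_hash(sigdb_t *dbx, const image_t *img)   { dbx->hashes[dbx->nhashes++] = image_hash(img); }
static void revoke_signer(sigdb_t *dbx, const char *signer) { dbx->signers[dbx->nsigners++] = signer; }

/* Constructed scenario: the same CA signed the vulnerable shim and its fixed successor. */
#define THIRD_PARTY_CA "Microsoft Third Party UEFI CA"
static const image_t OLD_SHIM = { THIRD_PARTY_CA, "shim: loads GRUB2 with vulnerable config parser" };
static const image_t NEW_SHIM = { THIRD_PARTY_CA, "shim: loads GRUB2 with fixed config parser" };
static const sigdb_t DB = { { THIRD_PARTY_CA }, { 0 }, 1, 0 };

/* Patch only: fixed shim installed, nothing revoked. The old shim still boots. */
int old_shim_boots_after_patch_only(void)
{
    sigdb_t dbx = { { 0 }, { 0 }, 0, 0 };
    return boot_allowed(&OLD_SHIM, &DB, &dbx);
}

/* Patch plus a dbx entry for the old shim's hash: old rejected, new accepted. */
int old_shim_boots_after_hash_revocation(void)
{
    sigdb_t dbx = { { 0 }, { 0 }, 0, 0 };
    revoke_hash(&dbx, &OLD_SHIM);
    return boot_allowed(&OLD_SHIM, &DB, &dbx);
}

int new_shim_boots_after_hash_revocation(void)
{
    sigdb_t dbx = { { 0 }, { 0 }, 0, 0 };
    revoke_hash(&dbx, &OLD_SHIM);
    return boot_allowed(&NEW_SHIM, &DB, &dbx);
}

/* Revoking the CA itself would block the fixed shim too, which is why
 * per-image hashes go into dbx rather than the certificate. */
int new_shim_boots_after_ca_revocation(void)
{
    sigdb_t dbx = { { 0 }, { 0 }, 0, 0 };
    revoke_signer(&dbx, THIRD_PARTY_CA);
    return boot_allowed(&NEW_SHIM, &DB, &dbx);
}

int main(void)
{
    printf("old shim boots, patch only:             %d\n", old_shim_boots_after_patch_only());
    printf("old shim boots, old hash in dbx:        %d\n", old_shim_boots_after_hash_revocation());
    printf("new shim boots, old hash in dbx:        %d\n", new_shim_boots_after_hash_revocation());
    printf("new shim boots, CA in dbx (too broad):  %d\n", new_shim_boots_after_ca_revocation());
    return 0;
}
```

The ordering the vendors describe follows from the model: a hash can only be pushed into dbx once a fixed, signed shim exists to boot in its place, otherwise the revocation bricks the machine it is meant to protect.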
Microsoft has released an advisory acknowledging the issue, stating that it is "working to complete validation and compatibility testing of a required Windows Update that addresses this vulnerability."
The company recommends that users apply the security patches as soon as they are rolled out in the coming weeks.
Besides Microsoft, many popular Linux distributions have also released advisories explaining the flaw, possible mitigations, and the timeline for the upcoming security patches.