'BootHole' attack impacts Windows and Linux systems using GRUB2 and Secure Boot

Microsoft, Red Hat, Canonical, SuSE, Oracle, VMWare, Citrix, and many OEMs are expected to release BootHole patches.

Image: Eclypsium

Details about a new vulnerability in a core component of the Secure Boot process have been published today.

The vulnerability, codenamed BootHole, allows attackers to tamper with the boot-loading process that precedes starting up the actual operating system (OS).

This process relies on components known as bootloaders that are responsible for loading the firmware of all computer hardware components on which the actual OS runs.

BootHole is a vulnerability in GRUB2, one of today's most popular bootloader components. GRUB2 is currently the primary bootloader for all major Linux distros, but it can also boot, and is sometimes used for, Windows, macOS, and BSD-based systems.

How BootHole works

The BootHole vulnerability was discovered earlier this year by security researchers from Eclypsium. The actual full technical details about the bug have been published today on the Eclypsium blog.

Researchers say BootHole allows attackers to tamper with the GRUB2 component to insert and execute malicious code during the boot-loading process, effectively letting attackers plant code that takes full control of the OS once it is launched later on.

This type of malware is usually known as a bootkit because it lives inside bootloaders, in the motherboard physical memory, in locations separate from the actual OS, allowing it to survive OS reinstalls.

According to Eclypsium, the actual BootHole vulnerability is located inside grub.cfg, a configuration file separate from the actual GRUB2 component, from where the bootloader pulls system-specific settings. Eclypsium says that attackers can modify values in this file to trigger a buffer overflow inside the GRUB2 component when it reads the file on every OS boot.

The image below shows a simplified explanation of the BootHole attack, where attackers can piggyback on the "overflowing" code from one or more grub.cfg options to execute malicious commands inside the GRUB2 component.

Image: boothole-details.png

Eclypsium says BootHole can be (ab)used to tamper with the bootloader, or even replace it with a malicious or vulnerable version.

Image: boothole-attack.png

Making matters worse, Eclypsium says that a BootHole attack also works even when servers or workstations have Secure Boot enabled.

Secure Boot is a process where the server/computer uses cryptographic checks to make sure the boot process loads only cryptographically signed firmware components.

The BootHole attack works even with Secure Boot enabled because, for some devices or OS setups, the Secure Boot process doesn't cryptographically verify the grub.cfg file, allowing attackers to tamper with its content.

Image: boothole-secure-boot.png

Some limitations to this attack also exist. Eclypsium says that the attacker needs admin access in order to tamper with the grub.cfg file. This looks like a limitation, but in reality, it is not. Operating systems and their components are littered with "elevation of privilege" bugs that could be exploited as part of a BootHole attack chain to let malware gain admin access and modify grub.cfg.

Furthermore, the Secure Boot process was specifically created to prevent even high-privileged admin accounts from compromising the boot process, meaning that BootHole is a major security hole in one of the IT ecosystem's most secure operations.

Patches coming later today

Over the past months, Eclypsium says it has been notifying the entire hardware and software ecosystem about BootHole (CVE-2020-10713).

The company estimates that every Linux distribution is impacted by this vulnerability, as all use GRUB2 bootloaders that read commands from an external grub.cfg file.

"To date, more than 80 shims are known to be affected," Eclypsium said. Shims are components that allow vendor/OEM-specific firmware code to interact with GRUB2.

"In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable to this issue," the research team added, referring to the possible impact on other operating systems that boot through GRUB2 under Secure Boot.

"As a result, we believe that the majority of modern systems in use today, including servers and workstations, laptops and desktops, and a large number of Linux-based OT and IoT systems, are potentially affected by these vulnerabilities."

Eclypsium says that starting today and for the coming days and weeks, all sorts of IT companies are expected to release patches to address BootHole in their products.

The security vendor said it expected security alerts and patches from:

  • Microsoft
  • UEFI Security Response Team (USRT)
  • Oracle
  • Red Hat (Fedora and RHEL)
  • Canonical (Ubuntu)
  • SuSE (SLES and openSUSE)
  • Debian
  • Citrix
  • HP
  • VMware
  • OEMs
  • Software vendors, including security software

Eclypsium said it expects patching to take a long while, as fixing bootloader bugs is usually a complex process due to the multitude of components and advanced cryptography involved in the process. Anyway, look for CVE-2020-10713 patches in future changelogs.