A newly discovered serious vulnerability – dubbed “BootHole” – with a CVSS rating of 8.2 could unleash attacks that could gain total control of billions of Linux and Windows devices.
Security firm Eclypsium researchers released details today about how the flaw can take over nearly any device’s boot process. The majority of laptops, desktops, servers, and workstations are affected by the vulnerability, as well as network appliances and other special-purpose equipment used in industrial, healthcare, financial, and other industries.
The bug in question – CVE-2020-10713 – is found in the GRUB2 bootloader used by most Linux systems that can be used to gain arbitrary code execution during the boot process, even when Secure Boot is enabled.
“This will likely be a long process and take considerable time for organizations to complete patching,” Eclypsium said.
Attackers exploiting this vulnerability can install persistent and stealthy bootkits or malicious bootloaders that could give them near-total control over the victim device. The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected, said Eclypsium, which has coordinated disclosure of this vulnerability with OS vendors, computer manufacturers, and CERTs.
The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority, thus threatening the majority of laptops, desktops, servers and workstations in potential attacks similar to the recently discovered malicious UEFI bootloaders. UEFI Secure Boot is the standard for PCs and servers.
Chris Hass, director of information security and research at Automox, called the scope of the vulnerability "massive" with not only "a mountain of Linux devices affected," but also Microsoft's most common default configuration "since Windows 8 enables Secure Boot, adding to the already staggering number of devices affected by this vulnerability."
BootHole lets attackers gain "full control over the affected system if this vulnerability is leveraged correctly," said Hass. "Based on the recent activity in the last month by a number of threat actors, it is imperative that organizations update their operating systems, installer images, and disaster recovery media as soon as possible.”
Haas urged potential victims to not waste any time patching.
The boot process is critical for the security of any computing, pointed out Eclypsium, adding that mitigation will require the specific vulnerable program to be signed and deployed, and vulnerable programs should be revoked to prevent adversaries from using older, vulnerable versions in an attack.
Ecypsium pointed out that recent malware attacks afflicted legacy OS bootloaders including APT41 Rockboot, LockBit, FIN1 Nemesis, MBR-ONI, Petya/NotPetya and Rovnix. Mitigation will require very active management of the dbx database used to identify malicious or vulnerable code.
Eclypsium’s researchers identified a buffer overflow vulnerability in how GRUB2 parses content from the GRUB2 config file (grub.cfg), a text file typically not signed like other files and executables. This vulnerability enables arbitrary code execution within GRUB2 and thus control over the booting of the operating system.