Secure Boot, despite the name, is not as secure as we would like. The security company Eclypsium has discovered a security hole in GRUB2, dubbed BootHole, that lets an attacker get around Secure Boot's protections. Linux users know GRUB2 as one of the most commonly used bootloaders, so this problem makes any machine that boots with it potentially vulnerable to attack. The key word is "potentially."
BootHole allows attackers to inject and execute malicious code during the boot process, before the operating system has loaded. A bootkit planted at that stage runs underneath the operating system and can take it over once it starts. Fortunately, Linux distribution developers were warned about the problem in advance, and many of them have already released patches.
In addition, to exploit BootHole, an attacker must edit grub.cfg, the GRUB2 configuration file. Therefore, to attack a Linux system this way, an attacker must already have root-level access to the target. Practically speaking, such an attacker has already compromised the system. With that access, an attacker can place oversized values in grub.cfg that trigger a buffer overflow in GRUB2's configuration parser, which can then be used to deliver a malicious payload. The reason this matters is that grub.cfg is not covered by Secure Boot's signature checks: the shim and GRUB2 binaries are signed, but the configuration file they read is not, so code that hijacks the parser runs with the bootloader's trust.
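Because the attack runs through an edited grub.cfg, the practical things an administrator can check are the three preconditions the paragraph above describes: whether the file can be written by anyone other than root, whether it has changed since it was last legitimately regenerated, and whether it now contains the kind of oversized values that drive the parser into an overflow. The script below is an added example written for this page; it is not code from Eclypsium, GRUB or any distribution. The token-length threshold is an assumed heuristic (the page does not state the parser's actual buffer size), the sample configurations are constructed here, and the file-permission and baseline-hash checks are ordinary integrity hygiene rather than anything specific to BootHole.

```python
"""Heuristic audit of a GRUB2 grub.cfg for BootHole-style tampering.

Added example for this article, not project code. It checks three things:
  1. oversized tokens (the overflow is reached through oversized config values),
  2. permissions that would let a non-root user edit the file,
  3. drift from a SHA-256 baseline recorded after the last legitimate
     grub-mkconfig run.
"""
import hashlib
import os
import stat
import sys

# ASSUMPTION: a "suspiciously long" token. This is a guess chosen to be far
# larger than any legitimate GRUB token, not the parser's real buffer size.
MAX_TOKEN_LEN = 1024


def find_long_tokens(cfg_text, max_len=MAX_TOKEN_LEN):
    """Return (line_number, token_length) for every whitespace-delimited token
    longer than max_len. Whitespace splitting is a deliberate approximation of
    GRUB's own tokenizer; anything it flags deserves a manual look."""
    hits = []
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        for tok in line.split():
            if len(tok) > max_len:
                hits.append((lineno, len(tok)))
    return hits


def permission_problems(mode):
    """Flag st_mode bits that let group members or everyone write the file.
    Writing grub.cfg is the precondition for the attack, so it must stay
    root-only."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def sha256_hex(data):
    """Hex SHA-256 of the file contents; record this as the baseline."""
    return hashlib.sha256(data).hexdigest()


def baseline_matches(cfg_bytes, expected_sha256):
    """True if the current contents match the recorded baseline digest."""
    return sha256_hex(cfg_bytes) == expected_sha256.lower()


def audit_grub_cfg(cfg_bytes, mode, expected_sha256=None):
    """Combine the checks into a list of human-readable findings."""
    findings = []
    text = cfg_bytes.decode("utf-8", errors="replace")
    for lineno, length in find_long_tokens(text):
        findings.append(f"line {lineno}: token of {length} bytes exceeds {MAX_TOKEN_LEN}")
    for problem in permission_problems(mode):
        findings.append(f"file is {problem}")
    if expected_sha256 is not None and not baseline_matches(cfg_bytes, expected_sha256):
        findings.append("contents differ from recorded baseline")
    return findings


# Constructed sample configurations (not taken from any real system).
SAMPLE_CLEAN = b"""\
set default=0
set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda2 ro quiet
    initrd /initrd.img
}
"""
# Same file with one 4100-byte token appended on line 7.
SAMPLE_TAMPERED = SAMPLE_CLEAN + b"set pad=" + b"A" * 4096 + b"\n"


def main(argv):
    """Usage: audit_grub.py [path] [baseline_sha256]"""
    path = argv[1] if len(argv) > 1 else "/boot/grub/grub.cfg"
    expected = argv[2] if len(argv) > 2 else None
    with open(path, "rb") as f:
        data = f.read()
    findings = audit_grub_cfg(data, os.stat(path).st_mode, expected)
    for line in findings:
        print("WARNING:", line)
    if not findings:
        print("OK:", path, "sha256", sha256_hex(data))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root against the live file, then record the printed digest and pass it as the second argument on later runs so that any regeneration that you did not perform shows up as a baseline mismatch. Note that the check is only as trustworthy as the host running it: an attacker who already has root, which is what the attack requires, can also alter the script or its baseline, so the real fix is the patched GRUB2 package, with this audit serving as a cheap detection layer on top.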
While Eclypsium found the initial problem in GRUB2, Linux developers found still more problems hiding in GRUB2 while fixing it. Joe McManus, director of security engineering at Canonical, said:
“Thanks to Eclypsium, we at Canonical, along with the rest of the open-source community, have updated GRUB2 to defend against this vulnerability. During this process, we identified seven additional vulnerabilities in GRUB2, which will also be fixed in the updates released today. The attack itself is not a remote exploitation and requires the attacker to have root privileges. With this in mind, we do not see it as a popular vulnerability used in the wild. However, this effort sets a true example in the spirit of a community that makes open source software so secure.”
Red Hat is also on the case. Peter Allor, director of Red Hat Security products, said:
“Red Hat is aware of a defect (CVE-2020-10713) in GRUB 2. Red Hat Product Security has conducted a thorough analysis and understands not only how this defect affects Red Hat products, but most importantly how this touches the core of Linux. Our PSIRT has been working closely with engineering, cross-functional teams, the Linux community as well as our industry partners to deliver currently available updates for affected Red Hat products, including Red Hat Enterprise Linux.”
Marcus Meissner, head of the SUSE Security Team, points out that, while the problem is serious and requires a fix, it is not as bad as it sounds. He observed:
“Due to the need for root access to the bootloader, the described attack appears to have limited relevance for most cloud computing, data center and personal device scenarios, unless these systems are already compromised by another known attack. However, this creates exposure when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in kiosk mode.”
So, the moral of the story is that, while you should still patch your Linux system, this security hole is really only a problem in a few limited situations: machines an untrusted person can already write to as root, or machines where physical access to the boot media is the threat you care about.