GRUB2, one of the world’s most widely used boot loaders, has a vulnerability that could make it easier for attackers to run malicious firmware during startup, researchers said on Wednesday. It affects millions, possibly hundreds of millions, of machines. While GRUB2 is used mainly on Linux computers, attacks exploiting the vulnerability can also be carried out on many Windows PCs.
The vulnerability, discovered by researchers at security firm Eclypsium, poses another serious threat to UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that the software used during startup is trusted by the computer’s manufacturer. Secure Boot was designed to prevent attackers from subverting the boot process by replacing the intended software with malicious software.
Stealthier, stronger, and harder to disinfect
So-called bootkits are among the most serious types of infections because they run at the lowest level of the software stack. This allows the malware to be stealthier and more powerful than most, to survive operating system reinstallations, and to evade the security protections built into the OS.
BootHole, as the researchers have dubbed the vulnerability, results from a buffer overflow in the way GRUB2 parses text in grub.cfg, the main boot loader configuration file. By adding long text strings to the file, attackers can overflow the memory allocated for it and cause malicious code to spill into other parts of memory, where it is then executed.
The configuration file is not digitally signed, so Secure Boot does not detect when it has been maliciously changed. GRUB2 also does not use address space layout randomization, data execution prevention, or the other anti-exploitation protections that are standard in operating systems. These omissions make it trivial for attackers who already have a foothold on a targeted computer to exploit the flaw. From there, they can completely bypass a protection that many people expect to prevent bootkits from taking hold.
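As an added illustration of the defensive side of that point (this is example code, not code from Eclypsium, the GRUB project, or the article), the following Python script treats grub.cfg the way an operator might once they know Secure Boot does not cover it: record a SHA-256 of the known-good file, compare against it on every check, and additionally flag any token far longer than a real configuration would contain. The hash baseline, the 1024-character threshold, and the sample configurations are constructed assumptions.

```python
"""Integrity and sanity check for grub.cfg, the unsigned GRUB2 configuration
file the article describes.  Added example, not code from Eclypsium or the
GRUB project.  Assumptions: a SHA-256 baseline recorded when the file was last
legitimately written, and MAX_TOKEN_LEN as a generous upper bound on any
token found in a real configuration."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption: no legitimate grub.cfg token (a keyword, a path, a kernel
# parameter) comes anywhere near this length; anything longer is worth a look.
MAX_TOKEN_LEN = 1024


@dataclass
class CheckResult:
    digest: str                      # SHA-256 of the file as read
    matches_baseline: bool           # True if it equals the recorded hash
    # (line number, token length) for each token longer than the limit
    overlong_tokens: List[Tuple[int, int]] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.matches_baseline and not self.overlong_tokens


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_overlong_tokens(text: str, limit: int = MAX_TOKEN_LEN) -> List[Tuple[int, int]]:
    """Split each non-comment line on whitespace and report oversized tokens.

    Whitespace splitting is a simplification of GRUB's real lexer (it ignores
    quoting), which is fine here: the goal is to flag the long-string pattern
    the article describes, not to reproduce the parser.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # drop trailing comments
        for token in code.split():
            if len(token) > limit:
                hits.append((line_no, len(token)))
    return hits


def check_grub_cfg(data: bytes, baseline_digest: str,
                   limit: int = MAX_TOKEN_LEN) -> CheckResult:
    """Compare the file against its recorded hash and scan it for oversized tokens."""
    digest = sha256_hex(data)
    text = data.decode("utf-8", errors="replace")
    return CheckResult(
        digest=digest,
        matches_baseline=(digest == baseline_digest),
        overlong_tokens=find_overlong_tokens(text, limit),
    )


# Constructed sample: a minimal, benign grub.cfg.
GOOD_CFG = b"""set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda2 ro quiet   # constructed kernel line
    initrd /initrd.img
}
"""

# In practice the baseline is recorded at install time and kept off the host
# (otherwise whoever can edit grub.cfg can update the hash as well).
BASELINE = sha256_hex(GOOD_CFG)

# Constructed tampered variant: the same file with one oversized token appended,
# the pattern the article describes, used here only as a detection fixture.
TAMPERED_CFG = GOOD_CFG + b"set junk=" + b"A" * 4096 + b"\n"


if __name__ == "__main__":
    for name, blob in (("good", GOOD_CFG), ("tampered", TAMPERED_CFG)):
        r = check_grub_cfg(blob, BASELINE)
        print(f"{name}: ok={r.ok} baseline_match={r.matches_baseline} "
              f"overlong={r.overlong_tokens}")
```

The hash comparison is the check that actually matters; the token scan is a cheap secondary signal that catches the specific shape of edit the article describes even when no baseline has been recorded yet. Either check only helps if it runs from outside the machine being checked, since an attacker with the access the article requires can rewrite both the file and a locally stored baseline.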
In addition to the Eclypsium report, Debian provides a solid overview here.
But there are some big catches
The severity of the vulnerability, however, is offset by a few things. First, the attacker must have either administrative rights on the computer or physical access to the machine. Administrator-level control is increasingly difficult to achieve on modern OSes because of the great advances they have made in blocking exploitation. Physical access may be easier to obtain at border crossings or in similar moments when a user briefly loses possession of a computer, but the requirement is steep in most other scenarios, making it unlikely that many users will be affected. In addition, a physical-possession requirement greatly limits how well attacks scale.
Two other factors make BootHole less alarming: attackers who already have administrative or physical control of a computer have many other ways to infect it with advanced and powerful malware, and there are many other known techniques for bypassing Secure Boot.
“I argue that Secure Boot is not the cornerstone of PC security today, because it is rarely effective and, by their [Eclypsium’s] own admission, it has been easy to bypass for more than a year now, with no long-term fix in sight,” HD Moore, vice president of research and development at Atredis Partners and an expert in software exploitation, told me. “I’m not sure what the buffer overflow in GRUB2 would be useful for, as there are other problems if grub.cfg is not already signed. It can be useful as a malware carrier, but even then, there’s no reason to exploit the buffer overflow when a dedicated grub.cfg file can be used instead to load the actual OS.”
Other researchers seem to agree with that assessment. CVE-2020-10713, as the vulnerability is tracked, has a severity rating of “Moderate.”
The Eclypsium claim he referred to involves a February revocation of a bootloader that security company Kaspersky Lab used on a rescue disk for booting disabled computers. The revocation caused so many problems that Microsoft, which oversees the validation process, reversed the change. The reversal underscores not only the difficulty of fixing flaws like BootHole (more on that later) but also the fact that it is already possible to bypass Secure Boot.
Not alarming doesn’t mean not serious
The barriers and limitations on exploitation do not mean the vulnerability should not be taken seriously. Secure Boot was created precisely for the scenario required to exploit BootHole. The risk is exacerbated by the number of computer and software makers affected. Eclypsium has a more complete list of those affected. They include:
- The Unified Extensible Firmware Interface Forum
- Red Hat (Fedora and RHEL)
- Canonical (Ubuntu)
- SUSE (SLES and openSUSE)
- Various computer manufacturers
- Software vendors, including security software
Another serious consideration is the challenge of preparing updates that will not permanently stop a machine from starting, a phenomenon often called “bricking.” As the Kaspersky incident shows, the risk is real and could have bad consequences.
Fixing the mess is itself a mess
The fixes involve a multi-stage process that will not be trivial or, in many cases, fast. First, GRUB2 must be updated to address the vulnerability and then distributed to manufacturers or to the administrators of large organizations. Engineers will have to thoroughly test the update on each computer model they support to ensure the machine does not brick. Updates must be adjusted for the machines that run them. Only then will the update be ready for general installation.
Even then, it will be trivial for attackers with the privileges described above to roll GRUB2 back to its vulnerable version and exploit the buffer overflow. Although Windows machines typically do not have GRUB2 installed, privileged attackers can usually install it. To close this loophole, computer manufacturers will have to revoke the cryptographic signatures that validate the old version or the “shim” that loads it.
This step also carries the risk of bricking machines. If signatures are revoked before the patched GRUB2 version is installed (or, in the case of Windows machines, signatures for other boot components) and before abundant testing, millions of computers are again at risk of being bricked.
To prevent this possibility, Microsoft, Red Hat, Canonical, and the other OS and hardware makers are generally offering two-step solutions. First, the GRUB2 update will be released, and only after it has been tested and deemed safe to install. Then, after a period of months, the signatures will be revoked. Only after the second step is complete should the vulnerability be considered fixed.
Microsoft, which operates the certificate authority that certifies UEFI signatures duly authorized by manufacturers, has issued the following statement:
We are aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux. To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft UEFI CA. We are working to complete the validation and compatibility testing of the required Windows Update package.
A Microsoft spokesman said the company is providing IT administrators with an urgent need the “mitigation option to install an untested update.” At an unspecified time, the spokesman said, Microsoft will release a fix for general availability. Microsoft has published a knowledge base article here.
Advisories from other affected companies are too numerous to list in the initial version of this article. For now, readers should check the websites of the affected companies. This post will be updated later with links.
For now, there is no reason to panic. The steep requirements for exploitation make the severity of this vulnerability moderate. And as I already mentioned, Secure Boot is already vulnerable to other bypass techniques. That is not to say there is no reason to take this vulnerability seriously. Patch as soon as possible, but only after careful testing, either by experienced users or by OS and software makers. In the meantime, lose no sleep over it.