GRUB 2 is a popular bootloader that is widely used worldwide, and once again a group of security researchers has found a new vulnerability in it.
Details of the vulnerability were disclosed today. It is rated high-risk and affects “many” Windows and Linux systems, IoT devices, servers, workstations and laptops that use the GRUB 2 bootloader.
GRUB 2 bootloader vulnerability – BootHole
The vulnerability has been dubbed BootHole and assigned CVE-2020-10713. It resides in the bootloader itself; if exploited, it allows an attacker to completely bypass the “Secure Boot” feature, gain administrator privileges and maintain persistence with ease.
What is the Secure Boot feature used with the GRUB 2 bootloader?
“Secure Boot” is a feature of UEFI (the Unified Extensible Firmware Interface). Nowadays even Windows systems ship with UEFI firmware, whose job is to initialise critical components and peripherals and load the operating system, while ensuring that only cryptographically signed code executes during the entire boot process.
Secure Boot also does more behind the scenes: one of its key capabilities is to completely block unauthorized code, even when that code is run with administrator privileges.
This stops an attacker from gaining further privileges and persistence, and blocks them from disabling the Secure Boot feature.
So how does this new vulnerability allow an attacker to bypass the “Secure Boot” feature as a whole?
Bootloader vulnerability explained
As mentioned earlier, the new vulnerability is dubbed “BootHole”. It is a buffer overflow vulnerability discovered by security researchers at Eclypsium.
It affects all versions of the GRUB 2 bootloader and lies in the way GRUB 2 parses its “configuration files”, which, unlike the other files and executables in the boot chain, are typically not signed or otherwise authorized.
This gives an attacker an opportunity to break the “trust mechanism”.
One thing to remember is that the GRUB 2 configuration file resides inside the UEFI system partition, so to modify it the attacker needs an initial foothold, i.e. admin privileges on the targeted system; the vulnerability then provides additional escalated privileges and persistence on the device.
In other words, this buffer overflow vulnerability allows the attacker to run arbitrary code in the UEFI execution environment, which in turn could be used to run malware, directly patch the OS kernel, alter the entire boot process and do other kinds of malicious things, said the researchers at Eclypsium.
How can Windows systems be exploited?
To exploit a Windows system using BootHole, the attacker only needs to replace the default bootloader with a vulnerable GRUB 2 version in order to install rootkit malware. If a Microsoft Windows device, or any Windows system, uses Secure Boot with third-party UEFI certificates, then it is vulnerable to BootHole.
It should be noted that GRUB 2 is the standard bootloader used by most Linux systems; however, it can also boot other operating systems and kernels.
According to the researchers, BootHole can have major consequences because it allows an attacker to run malicious code even before the operating system boots.
This also makes it difficult for any security software or utility to detect and remove it.
The researchers also noted that the UEFI environment lacks ASLR and DEP:
- ASLR – Address space layout randomization
- DEP – Data execution prevention
The UEFI environment also lacks the other exploit mitigations usually found in modern operating systems, so according to the researchers, writing exploits for this kind of system is drastically easier.
GRUB 2 bootloader is hard to fix
Although the researchers at Eclypsium have informed the affected vendors and companies, the vulnerability is quite hard to fix. Simply installing patches and upgrading to a fixed GRUB 2 bootloader is not going to solve the issue.
This is because an attacker can still replace the patched bootloader with the vulnerable version.
The researchers said that full mitigation will require new bootloaders to be signed and deployed, and the vulnerable bootloader versions to be revoked, so that attackers cannot swap the old version back in for the new one.
The following companies have released advisories; please refer to them to fix the issue:
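Revocations of this kind are carried in the UEFI forbidden-signature database (dbx), so a defender can check whether a revocation update has actually reached a machine by reading that variable. The following Python is an added example, not code from the article or from Eclypsium: it parses the dbx variable as exposed by efivarfs and counts the revoked image hashes and certificates. The efivarfs path, GUIDs and structure layouts are taken from the UEFI specification; the sample dbx bytes are constructed dummy values, not real BootHole hashes.

```python
import struct
import uuid

# GUIDs and structure layouts come from the UEFI specification, not from the article.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
HDR = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)

def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (type, owner, data) tuples."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HDR or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + HDR + hdr_size, off + list_size
        while pos + sig_size <= end:  # each entry: SignatureOwner GUID + SignatureData
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def summarize_dbx(efivar_bytes):
    """Count revoked entries by type in a dbx variable as read from efivarfs
    (the file starts with a 4-byte attribute word that is not part of the data)."""
    counts = {"sha256": 0, "x509": 0, "other": 0}
    for sig_type, _, _ in parse_signature_lists(efivar_bytes[4:]):
        key = "sha256" if sig_type == EFI_CERT_SHA256_GUID else "x509" if sig_type == EFI_CERT_X509_GUID else "other"
        counts[key] += 1
    return counts

def build_sha256_list(hashes):
    """Build one EFI_SIGNATURE_LIST of SHA-256 image hashes (used for the constructed sample)."""
    sig_size = 16 + 32
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HDR + sig_size * len(hashes), 0, sig_size)
    return header + b"".join(bytes(16) + h for h in hashes)

# Constructed sample: attribute word + a dbx holding two dummy image hashes (not real BootHole hashes).
SAMPLE_DBX = struct.pack("<I", 0x27) + build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32])

if __name__ == "__main__":
    try:
        with open(DBX_EFIVAR, "rb") as f:
            data = f.read()
    except OSError:
        data = SAMPLE_DBX  # not on an EFI system (or no access): fall back to the constructed sample
    print(summarize_dbx(data))
```

A dbx with no SHA-256 or X.509 entries at all means no bootloader revocation has been applied yet, whatever GRUB version is installed on the ESP.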