Mitigating BootHole – ‘There’s a hole in the boot’ – CVE-2020-10713 and related vulnerabilities

Filed under: Security, Ubuntu

In this blog post, we will explain more about the vulnerabilities and a behind-the-scenes look about how they were fixed in a coordinated manner across the entire open source ecosystem. To discover the in-depth details of the CVEs and the updated packages which fix the associated vulnerabilities, please visit our Ubuntu Security Knowledge Base article.

To understand the scope of this vulnerability we have to examine the boot process from Secure Boot to Grub. UEFI Secure Boot is designed to ensure that only trusted code is loaded during the boot process. As such, these vulnerabilities could have potentially allowed an attacker to compromise the boot process of the machine, and subvert it for malicious purposes. GRUB2 is used as the bootloader for Ubuntu and many other Linux distributions on both installed systems and installation media. In addition, these vulnerabilities have been present in GRUB2 for quite a long time. In other words, there are a large number of Linux releases and installed instances that could be vulnerable. A high profile vulnerability with such a widespread presence presents a significant challenge to protecting systems and users. For example, how can security updates be delivered in a timely manner to patch the vulnerability on as many existing systems as possible, while also ensuring that any old, vulnerable Linux install media cannot be used in the future to attack existing systems? This requires a coordinated approach across the community of Linux distributions, and also the wider UEFI community including Microsoft and others.

Linux distros fix new Boothole bug

  • Linux distros fix new Boothole bug

    Secure boot, despite the name, isn't as secure as we'd like. Security company Eclypsium discovered a security hole in GRUB2: Boothole. Linux users know GRUB2 as one of the most commonly used bootloaders. As such, this security problem makes any machine potentially vulnerable to a possible attack -- the keyword is "potentially."

What's visible so far

  • Billions of Devices Impacted by Secure Boot Bypass

    The “BootHole” bug could allow cyberattackers to load malware, steal information and move laterally into corporate, OT, IoT and home networks.

    Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning.

    GRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems. Its job is to manage part of the start-up process – it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel.

  • BootHole GRUB2 Bootloader Security Exploit Discovered, Affects Billions Of Windows And Linux Devices

    A buffer overflow occurs when more data is pushed into a buffer than it can handle. This data still needs a place to go and it therefore often overflows into nearby memory spaces. This “overflow” can corrupt or overwrite the data that was originally in the memory space. Attackers can then abuse this situation to run arbitrary code and cause major problems with a device.

    Secure Boot processes are typically walled off from administrative level users. However, in this scenario, the bootloader parses a configuration file located in the EFI system partition. As a result, any user with administrator access can modify grub.cfg. Furthermore, the configuration file is typically implemented as an unsigned text file. Any changes to the configuration file therefore go unchecked.
    In the example provided by the researchers, Eclypsium found they could use the modified configuration file to pass a token too large for flex’s parse buffer. It called the function “YY_FATAL_ERROR()”. This threw an error code, but did not halt the execution. Flex never checks for YY_FATAL_ERROR() to return, so it continued to call and copy a token that was too large for the buffer. According to the researchers, this issue “overwrites critical structures in the heap.”

  • New Security Hole Puts Windows and Linux Users at Risk

    If you are a Windows or Linux user, brace yourself for a long siege of vulnerability nightmares. The fix will be long and treacherous and could brick your computers.

    Eclypsium researchers Wednesday released details of a set of newly discovered vulnerabilities dubbed "BootHole" that opens up billions of Windows and Linux devices to attacks.

  • 'BootHole' attack impacts Windows and Linux systems using GRUB2 and Secure Boot
  • ‘BootHole’ Secure Boot Threat Found In Most Every Linux Distro, Windows 8 And 10

    A high-rated security vulnerability in the Secure Boot function of the majority of laptops, desktops, workstations and servers has been confirmed. Here’s what you need to know about BootHole.

    Security researchers at Eclypsium discovered a vulnerability that affects the bootloader used by 'virtually every' Linux system, and almost every Windows device using Secure Boot with Microsoft's standard Unified Extensible Firmware Interface (UEFI) certificate authority.

  • Linux distros fix new Boothole bug

    BootHole enables hackers to insert and execute malicious code during the boot-loading process. Once planted there, the nasty bootkit payload can allow attackers to plant code that later takes over the operating system. Fortunately, Linux distro developers were warned of this problem, and most of them have already issued patches.

  • A long list of GRUB2 secure-boot holes

    Several vulnerabilities have been disclosed in the GRUB2 bootloader; they enable the circumvention of the UEFI secure boot mechanism and the persistent installation of hostile software. Fixing the problem is not just a matter of getting a new GRUB2 installation, unfortunately. "It is important to note that updating the exploitable binaries does not in fact mitigate the CVE, since an attacker could bring an old, exploitable, signed copy of a grub binary onto a system with whatever kernel they wished to load. In order to mitigate, the UEFI Revocation List (dbx) must be updated on a system. Once the UEFI Revocation List is updated on a system, it will no longer boot binaries that pre-date these fixes. This includes old install media."

  • Mitigating BootHole – ‘There’s a hole in the boot’ – CVE-2020-10713 and related vulnerabilities

    Today we released updates for a series of vulnerabilities termed ‘There’s a hole in the boot’ / BootHole in GRUB2 (GRand Unified Bootloader version 2) that could allow an attacker to subvert UEFI Secure Boot. The original vulnerability, CVE-2020-10713, which is a high priority vulnerability, was reported to Canonical in April 2020. Since then seven related vulnerabilities have been discovered by Canonical and we have worked with the wider open source community and Microsoft to provide the mitigations which have been released today for Ubuntu and other major Linux distributions.

  • Flaw in GRUB 2 Boot Loader Threatens Many Linux Systems

    There is a newly discovered vulnerability in a widely deployed boot loader that is included in most Linux distributions that could give an attacker access to the earliest portions of a computer’s start-up process and eventually complete control of the system. The flaw in the GRUB 2 boot loader can also affect other systems that use UEFI Secure Boot, including Windows computers, under some specific conditions.

    The vulnerability (CVE-2020-10713) potentially affects hundreds of millions of devices, including embedded systems, network devices, IoT devices, as well as servers, desktops, and laptops. The flaw is a buffer overflow in the GRUB 2 bootloader, and though an exploit against it could grant complete control over the target system, the attacker would need privileged access to the machine in order to exploit the vulnerability. Researchers at Eclypsium discovered the bug in April and have been collaborating with dozens of affected vendors and project teams, including Microsoft and various Linux distributions. Although fixes will be rolling out beginning today, it could be several months before most affected devices are patched, thanks to the complexity of the Secure Boot process and the difficulty of getting the fix to some of the devices.

  • BootHole Blows Hole In GRUB2 Bootloader Security, Including UEFI SecureBoot

    A major vulnerability in the GRUB2 boot-loader has been made public today that compromises its UEFI SecureBoot capabilities.

    This vulnerability dubbed "BootHole" can allow for malicious code to be inserted into the system at early boot time via GRUB and can even be exploited on UEFI SecureBoot enabled systems.

  • BootHole and Seven Other Vulnerabilities Patched in GRUB2, Update Your Distros Now

    Developers from several popular GNU/Linux distributions coordinated the release of updates for the GRUB2 bootloader, which is used in almost all distros to allow users to patch their systems against no less than eight security vulnerabilities, the most serious of them all being dubbed as BootHole (CVE-2020-10713) and discovered by Jesse Michael and Mickey Shkatov from Eclypsium.

    Canonical reports today that they’ve been aware of the BootHole vulnerability since April 2020, and they worked with many developers from other well known Linux distributions, such as Debian, as well as developers from Microsoft to mitigate the security issue and release updates for users.

    But before releasing updates for the GRUB2 bootloader to address the BootHole vulnerability, Canonical’s security team decided to look for other possible vulnerabilities and it turns out they discovered seven more, including CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, and CVE-2020-15707.
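The LWN excerpt above makes the practical point of this whole story: patched GRUB packages alone do not close the hole, the firmware's UEFI Revocation List (dbx) has to carry the hashes of the old signed binaries. The following Python is an added example, not code from any of the quoted articles or from the GRUB project: it parses the dbx variable as exposed by Linux efivarfs (path and GUIDs are from the UEFI specification, assumed here) and answers whether a given image hash is revoked. The sample dbx blob and the "old grub" hash are constructed for the demo.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification (EFI_IMAGE_SECURITY_DATABASE_GUID and EFI_CERT_SHA256_GUID)
SECURITY_DB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DBX_EFIVARS_PATH = f"/sys/firmware/efi/efivars/dbx-{SECURITY_DB_GUID}"


def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LIST structures; return (SignatureType, signature data) pairs."""
    entries, offset = [], 0
    while offset + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=bytes(data[offset:offset + 16]))
        list_size, header_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        if list_size < 28 or offset + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % offset)
        pos, end = offset + 28 + header_size, offset + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID followed by the signature payload
            entries.append((sig_type, bytes(data[pos + 16:pos + sig_size])))
            pos += sig_size
        offset = end
    return entries


def revoked_sha256_hashes(dbx_blob):
    """The set of SHA-256 image hashes the firmware will refuse to run (x509 entries are ignored)."""
    return {sig for t, sig in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx_blob, image_hash):
    """image_hash must be the Authenticode PE image hash of the binary, not a plain file digest."""
    return image_hash in revoked_sha256_hashes(dbx_blob)


def read_dbx(path=DBX_EFIVARS_PATH):
    """Read dbx from efivarfs; the first 4 bytes are variable attributes, not signature data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes):
    """Constructed helper: pack SHA-256 hashes into one EFI_SIGNATURE_LIST (used for the demo data)."""
    body = b"".join(b"\x00" * 16 + h for h in hashes)  # zero SignatureOwner GUID per entry
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


# Constructed sample dbx: attributes NV|BS|RT|TIME_BASED_AUTH (0x27) followed by two revoked hashes.
OLD_GRUB_HASH = hashlib.sha256(b"constructed stand-in for an old signed grub image").digest()
SAMPLE_DBX = b"\x27\x00\x00\x00" + build_sha256_list([OLD_GRUB_HASH, hashlib.sha256(b"other").digest()])

if __name__ == "__main__":
    try:
        live = read_dbx()
        print("live dbx holds %d SHA-256 revocations" % len(revoked_sha256_hashes(live)))
    except OSError as e:
        print("could not read live dbx:", e)
    print("sample old grub hash revoked:", is_revoked(SAMPLE_DBX[4:], OLD_GRUB_HASH))
```

On a real system the count of SHA-256 entries is a quick way to see whether the post-BootHole dbx update has been applied; a dbx that still lists only a handful of hashes will happily boot the old, signed, exploitable GRUB images the LWN excerpt warns about.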

SUSE addresses BootHole security exposure

  • SUSE addresses BootHole security exposure

    Security researchers from Eclypsium have published an attack called BootHole today. This attack requires root access to the bootloader used in Linux operating systems, GRUB2. It bypasses normal Secure Boot protections to persistently install malicious code which cannot be detected by the operating system.

    Given the need for root access to the bootloader, the described attack appears to have limited relevance for most cloud computing, data center and personal device scenarios, unless these systems are already compromised by another known attack. However, it does create an exposure when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended kiosk mode. These are scenarios which Secure Boot was intended to protect against.

    SUSE has released fixed grub2 packages which close the BootHole vulnerability for all SUSE Linux products, and is releasing corresponding Linux kernel packages, cloud image and installation media updates. Please follow the normal update procedure to install them. Should you be unsure about your company’s procedure, please consult your local system administrator.

Vulnerability found in GRUB2 bootloader, nicknamed ‘BootHole’

  • Vulnerability found in GRUB2 bootloader, nicknamed ‘BootHole’, compromising Secure Boot

    Users of the popular bootloader may want to update their systems in order to mitigate the danger of this new exploit.

    It’s been revealed that a series of bugs in GRUB2 compromises the chain of trust in a Secure Boot-enabled system. You can read about the full scope of the exploit here but the short of it is that arbitrary code can be executed by an attacker on virtually any system running GRUB2 and using Secure Boot. The attack allows modification of GRUB2’s configuration file and allows for privilege escalation which could potentially mean that intrusions can go undetected by booted operating systems.

    Now, most of the risk comes from an attacker already having some level of privileges but this is still something that should give system administrators some pause. And while Windows systems are theoretically vulnerable as well, it’s far likelier that systems affected in the wild will be running Linux.

    Researchers from Eclypsium were responsible for identifying this vulnerability and have responsibly disclosed the bug to maintainers and the wider ecosystem. Expect package updates in your distro sometime soon. Even then, updates aren’t a complete solution as the keys that Secure Boot relies upon also have to be updated and older ones blacklisted. The Debian project have a good overview of what should be done and I expect that other distributions will follow suit with their own advice on how to deal with this exploit.

New BootHole flaw in Secure Boot affects a huge number of Linux

  • New BootHole flaw in Secure Boot affects a huge number of Linux and Windows systems

    A new vulnerability has been discovered in Secure Boot that affects most Linux distributions and Windows devices that use the UEFI specification during boot. The vulnerability, called BootHole, was found by an enterprise security research firm, Eclypsium (spotted by Tom's Hardware). The flaw is specifically present in the GRUB2 file in Secure Boot and can be used by attackers to attain “near-total control” of the victim’s system.

    The firm says that the problem “extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority”; therefore a huge number of Windows desktops, laptops, workstations, servers, and other special-purpose equipment that use the technology are affected.

    [...]

    The research firm believes that full mitigation of BootHole will require “coordinated efforts from a variety of entities” and that it expects deployment to be slow. For now, the recommendations for organizations include monitoring UEFI bootloaders and firmware, verifying UEFI configurations, testing recovery capabilities, and more.
