Language Selection

English French German Italian Portuguese Spanish

Security: GRUB, Thycotic, and 'Spectre'

Filed under
Security
  • Ubuntu Blog: GRUB2 Secure Boot Bypass 2021

    In August 2020, a set of security vulnerabilities in GRUB2 (the GRand Unified Bootloader version 2) collectively known as BootHole were disclosed. Today, another set of vulnerabilities in GRUB2 were disclosed, with similar implications. Because GRUB2 is a key component of the boot process, vulnerabilities in it can permit attackers to violate the integrity promises of UEFI Secure Boot. In this blog post we will discuss these vulnerabilities as well as the changes that have been made to Ubuntu to both mitigate them, and to make the update process easier for any future similar scenarios.

    As discussed back in August 2020, the UEFI Secure Boot process in Ubuntu is supported by a number of different components, all working together to ensure that only trusted bootloaders and operating systems are able to run. These consist of the UEFI platform firmware (aka UEFI BIOS), shim, the GRUB2 bootloader and the Linux kernel. The latter 3 of these are Ubuntu components, while the former is provided by the device OEM. In this case, both shim and GRUB2 have (or will soon receive updates) to mitigate these vulnerabilities and to help ensure older vulnerable versions of GRUB2 are not trusted by the secure boot process and cannot be used to load malicious code.

    [...]

    To ensure a unified approach, the version of GRUB2 for UEFI systems used in older Ubuntu releases is updated so that a single GRUB2 version can be used for all – this ensures that both the latest security fixes and mitigation features can be more easily adopted in these older releases. As this has the potential to cause issues in what is a fundamental component of the boot process (due to the large number of changes in both GRUB2 itself as well as the way this is distributed in Ubuntu), this update will be carefully rolled out via the Updates pocket of the Ubuntu package archive.

    Because Secure Boot does not apply to BIOS based boot environments, we will not be publishing updates for GRUB2 on those systems.

  • Multiple New Security Issues Hit GRUB Bootloader Around Secure Boot

    A new set of GRUB2 security vulnerabilities were made public today affecting its UEFI Secure Boot support. A set of eight CVEs were issued in 2020 and this year for the new issues. The issues include the possibility of specially crafted ACPI tables being loaded even if Secure Boot is active, memory corruption in GRUB's menu rendering, use-after-free in rmmod functionality, the cutmem command allowing privileged users to disable certain memory regions and in turn Secure Boot protections, arbitrary code execution even if Secure Boot is enabled, GRUB 2.05 accidentally re-introducing one of last year's vulnerabilities, and memory corruption from crafted USB device descriptors that could lead to arbitrary code execution.

  • Thycotic Announces Endpoint Privilege Management Solution for Unix/Linux

    Thycotic, provider of privileged access management (PAM) solutions for more than 12,500 organizations worldwide, including 25 of the Fortune 100, announced new privilege management capabilities for workstations running Unix and Linux. The latest release of Thycotic’s Privilege Manager solution includes a Sudo plugin that saves Unix/Linux administrators time, while still providing granular control over privileged activities.

    According to the Verizon 2020 Data Breach Investigations Report, eighty percent of breaches involve compromised credentials, making them one of the most common entry points for threats. Unix and Linux endpoints are typically the most valuable targets because they rely on “root” accounts, which provide unrestricted access to all commands, files, directories, and resources.

  • Spectre returns as exploits for Windows and Linux devices found

    Remember Spectre, the infamous vulnerability that had all major chip manufacturers scrambling for a fix? Three years after its initial emergence, two new working exploits have been identified.

    According to a report from Bleeping Computer, security researcher Julien Voisin has discovered a pair of exploits targeting unpatched Linux and Windows systems, on the VirusTotal platform. VirusTotal gathers all antivirus scans in one place and checks for potential malware missed by different solutions, and these exploits were uploaded a month ago.

Microsoft is serving malware again

  • Malicious ‘Dependency Confusion’ packages are stealing password files [Ed: Microsoft is serving malware again but Microsoft partners don't name Microsoft]

    Hackers created packages using names similar to ones found in a legitimate organization’s internal repositories. In public repositories, such internal names can be found referenced in public code repositories, such as GitHub, in source code files.

SUSE on GRUB

  • SUSE addresses another grub2 UEFI secure boot security exposure

    Various security researchers and the grub2 team have published more security issues in grub2 today, which can be used to bypass the UEFI secure boot chain.

    These security issues have the same scope as the BootHole issues from 2020. This attack requires root access to the bootloader used in Linux operating systems, GRUB2. It bypasses normal Secure Boot protections to persistently install malicious code which cannot be detected by the operating system.

Microsoft boosters

  • GRUB2 boot loader reveals multiple high severity vulnerabilities [Ed: Microsoft interjected fake (non) security into Linux and is now boasting and celebrating the dire consequences in its loyal propaganda sites]

    GRUB, a popular boot loader used by Unix-based operating systems has fixed multiple high severity vulnerabilities.

    In 2020, BleepingComputer had reported on the BootHole vulnerability in GRUB2 that could have let attackers compromise an operating system's booting process even if the Secure Boot verification mechanism was active.

    Threat actors could further abuse the flaw to hide arbitrary code ("bootkit") within the OS that would run on every boot.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

KDE Frameworks 5.81 Released with KHamburgerMenu, Various Improvements

The biggest new feature in the KDE Frameworks 5.81 release is the implementation of a new, custom hamburger menu called KHamburgerMenu, which will be shown on QWidgets-based apps whenever the main menubar is hidden. The KDE Project plans to adopt the KHamburgerMenu for all KDE apps as it offers several advantages, including an alternative app menu in case you hide the default menubar by accident, more freedom when you want to take full advantage of the maximum vertical space, more compact design with only relevant menu items, as well as support for relocating, renaming, removing, or even changing its icon. Read more

today's leftovers

  • Radeon Vulkan Driver Adds Option Of Rendering Less For ~30% Greater Performance - Phoronix

    If your current Vulkan-based Radeon Linux gaming performance isn't cutting it and a new GPU is out of your budget or you have been unable to find a desired GPU upgrade in stock, the Mesa RADV driver has added an option likely of interest to you... Well, at least moving forward with this feature being limited to RDNA2 GPUs for now. RADV as Mesa's Radeon Vulkan driver has added an option to allow Variable Rate Shading (VRS) via an environment variable override. This RADV addition is inspired by the likes of NVIDIA DLSS for trading rendering quality for better performance but in its current form is a "baby step" before being comparable to DLSS quality and functionality.

  • Bas Nieuwenhuizen: A First Foray into Rendering Less

    In RADV we just added an option to speed up rendering by rendering less pixels. These kinds of techniques have become more common over the past decade with techniques such as checkerboarding, TAA based upscaling and recently DLSS. Fundamentally all they do is trading off rendering quality for rendering cost and many of them include some amount of postprocessing to try to change the curve of that tradeoff. Most notably DLSS has been widly successful at that to the point many people claim it is barely a quality regression. Of course increasing GPU performance by up to 50% or so with barely any quality regression seems like must have and I think it would be pretty cool if we could have the same improvements on Linux. I think it has the potential to be a game changer, making games playable on APUs or playing with really high resolution or framerates on desktops. [...] VRS is by far the easiest thing to make work in almost all games. Most alternatives like checkerboarding, TAA and DLSS need modified render target size, significant shader fixups, or even a proprietary integration with games. Making changes that deeply is getting more complicated the more advanced the game is. If we want to reduce render resolution (which would be a key thing in e.g. checkerboarding or DLSS) it is very hard to confidently tie all resolution dependent things together. For example a big cost for some modern games is raytracing, but the information flow to the main render targets can be very hard to track automatically and hence such a thing would require a lot of investigation or a bunch of per game customizations.

  • Dota 2 version 7.29 is out with the new Dawnbreaker melee hero

    Valve has put out a major upgrade for their popular free to play MOBA with Dota 2 getting Dawnbreaker. This brand new hero is focused on melee, with a low-skill entry level so it should be suitable for a lot of players. You can see a dedicated hero page for Dawnbreaker here. "Dawnbreaker shines in the heart of battle, happily crushing enemies with her celestial hammer and healing nearby allies. She revels in hurling her hammer through multiple foes and then converging with it in a blazing wake, always waiting to tap her true cosmic power to fly to the aid of her teammates — eager to rout her enemies on the battlefield no matter where they are."

  • Grape times ahead with the release of Wine 6.6 noting plenty of fixes

    No wine-ing about the puns please. Jokes aside, the tasty compatibility tech that is Wine has a new development release available today with Wine 6.6. For newer readers and Linux users here's a refresher - Wine is a compatibility layer built for operating systems like Linux, macOS and BSD. The idea is to allow other platforms to run games and applications only built and supported for Windows. It's also part of what makes up Steam Play Proton. Once a year or so, a new stable release is made.

  • Friday’s Fedora Facts: 2021-14

    Here’s your weekly Fedora report. Read what happened this week and what’s coming up. Your contributions are welcome (see the end of the post)! The Final freeze is underway. The F34 Final Go/No-Go meeting is Thursday. I have weekly office hours on Wednesdays in the morning and afternoon (US/Eastern time) in #fedora-meeting-1. Drop by if you have any questions or comments about the schedule, Changes, elections, or anything else. See the upcoming meetings for more information.

  • A developer goes to the Masters: Day 1 inside the digital ops center [Ed: IBM is OK with the word "Master" again, contrary to spin]
  • Rancher Platform Partner, Weka delivers Stateful Storage for Containers at Scale

    Containers rose to the mainstream primarily due to workload portability and immutability advantages. Kubernetes became the primary orchestration tool and was initially supporting stateless applications, commonly referred to as the cattle vs. pets approach. However, data-centric applications need stateful-ness while still leveraging the cattle vs. pet approach. Microservices, Containers, and Kubernetes are now moving mainstream as increasingly more stateful applications are adopting them.

  • SUSE for your agile data platform, featuring Microsoft SQL Server[Ed: SUSE is just a worthless proprietary software reseller for SAP and Microsoft (their salesperson from SAP signing anti-RMS petition makes perfect sense and proves us correct about SUSE's motivations)]
  • What's the point of open source without contributors? Turns out, there are several [Ed: Mac Asay isn't even using it himself, just lecturing others what to do while working for Jeff Bezos]
  • Am I FLoCed? A New Site to Test Google's Invasive Experiment

    FLoC is a terrible idea that should not be implemented. Google’s experimentation with FLoC is also deeply flawed . We hope that this site raises awareness about where the future of Chrome seems to be heading, and why it shouldn't.

    FLoC takes most of your browsing history in Chrome, and analyzes it to assign you to a category or “cohort.” This identification is then sent to any website you visit that requests it, in essence telling them what kind of person Google thinks you are. For the time being, this ID changes every week, hence leaking new information about you as your browsing habits change. You can read a more detailed explanation here .

    Because this ID changes, you will want to visit https://amifloced.org often to see those changes.

  • The Brave browser basics: what it does, how it differs from rivals

    Boutique browsers try to scratch out a living by finding a niche underserved by the usual suspects. Brave is one of those browsers.

    Brave has gotten more attention than most alternate browsers, partly because a co-founder was one of those who kick-started Mozilla's Firefox, partly because of its very unusual — some say parasitical — business model.

Devices/Embedded Hardware

  • 3.5-inch SBC features Comet Lake-S

    Aaeon’s 3.5-inch Linux-ready “GENE-CML5” SBC supplies an up to octa-core 10th Gen Core CPU plus up to 64GB DDR4, 2x SATA, 2x GbE, 2x USB 3.2 Gen2, DP, VGA, M.2 M-key, and PCIe x4. Aaeon has posted a preliminary product page for what appears to be the first 3.5-inch SBC built around Intel’s 10th Gen Comet Lake-S. In fact, this is one of the first Comet Lake SBCs of any kind, following a few early entries like Portwell’s WADE-8212 Mini-ITX board.

  • Play your retro console on a modern TV
  • Olimex RP2040-PICO-PC “computer” to feature RP2040-Py Raspberry Pi Pico compatible module

    We previously wrote it was possible to create a Raspberry Pi RP2040 board with HDMI using DVI and programmable IOs to output video up to 640×480 at 60 Hz with the microcontroller’s Cortex-M0+ cores clocked at 252 MHz. At the time, we also noted Olimex was working on such a board with RP2040-PICO-PC designed to create a small Raspberry Pi RP2040 computer with HDMI/DVI video output. The Bulgarian company has now manufactured the first prototype, but due to supply issues with the Raspberry Pi Pico board, they also designed their own RP2040-PICO module since they’ve got a reel of Raspberry Pi RP2040 microcontrollers.

  • Our most complex Open Source Hardware board made with KiCad – the octa core iMX8 Quad Max – Tukhla is completely routed and now on prototype production

    We started this project June-July 2020. Due to the Covid19 the development took 10 months although only 6 month of active work was done, due to lock downs, ill developers and so on troubles.

    Now the board is completely routed and has these features: [...]

Programming Leftovers

  • Open Source Software Leader the Eclipse Foundation Launches the Adoptium Working Group for Multi-Vendor Delivery of Java Runtimes for Enterprises
  • AWS's Shane Miller to head the newly created Rust Foundation

    Miller, who leads the Rust Platform team for AWS, has been a software engineer for almost 30 years. At AWS, Miller has been a leader in open-source strategic initiatives and software engineering and delivery. Miller's Rust Platform team includes Rust language and compiler maintainers and contributors and developers on the Tokio runtime for writing reliable asynchronous applications with Rust. Under Miller's leadership, the AWS Rust team is crafting optimizations and tools for the features that engineers will use to build and operate services which take full advantage of Rust's performance and safety.

  • Inkscape compiled in OpenEmbedded

    Cross-compiling can be a challenge with some packages, and some of the big ones, such as SeaMonkey, LibreOffice and Inkscape, I have compiled in a running EasyOS (with the "devx" SFS loaded). I have previously compiled LibreOffice in OE, see the Pyro series. But it was a lot of work.

  • Felix Häcker: New Shortwave release

    Ten months later, after 14.330 added and 8.634 deleted lines, Shortwave 2.0 is available! It sports new features, and comes with the well known improvements, and bugfixes as always. [...] Shortwave has always been designed to handle any screen size from the beginning. In version 2.0 we have been able to improve this even further. There is now a compact mini player for desktop screens. This still offers access to the most important functions in a tiny window.

  • 5 signs you're a groff programmer

    I first discovered Unix systems in the early 1990s, when I was an undergraduate at university. I liked it so much that I replaced the MS-DOS system on my home computer with the Linux operating system. One thing that Linux didn't have in the early to mid-1990s was a word processor. A standard office application on other desktop operating systems, a word processor lets you edit text easily. I often used a word processor on DOS to write my papers for class. I wouldn't find a Linux-native word processor until the late 1990s. Until then, word processing was one of the rare reasons I maintained dual-boot on my first computer, so I could occasionally boot back into DOS to write papers. Then I discovered that Linux provided kind of a word processor. GNU troff, better known as groff, is a modern implementation of a classic text processing system called troff, short for "typesetter roff," which is an improved version of the nroff system. And nroff was meant to be a new implementation of the original roff (which stood for "run off," as in to "run off" a document).