GRUB2, one of the world's most widely used boot loaders, has a vulnerability that could make it easier for attackers to run malicious firmware during startup, researchers said on Wednesday. It affects millions, perhaps hundreds of millions, of machines. Although GRUB2 is used primarily on computers running Linux, the vulnerability can also be exploited on many computers running Windows.
The vulnerability, discovered by researchers at security firm Eclypsium, poses another serious threat to UEFI Secure Boot, the industry-wide standard that uses cryptographic signatures to ensure that the software loaded at startup is trusted by the computer manufacturer. Secure Boot was designed to prevent attackers from hijacking the boot process by replacing the legitimate software with malware.
Stealthier, more powerful, and harder to remove
So-called bootkits are among the most serious types of infections because they run at the lowest level of the software stack. That allows the malware to be stealthier than most, to survive a reinstall of the operating system, and to bypass protections enforced by the OS.
BootHole, as the researchers named the vulnerability, stems from a buffer overflow in the way GRUB2 parses the text of grub.cfg, the boot loader's main configuration file. By inserting long lines of text into the file, attackers can overflow the memory allocated for it and spill malicious code into other parts of memory, where it is then executed.
The configuration file is not digitally signed, so Secure Boot does not detect when it has been maliciously modified. GRUB2 also does not use address space layout randomization, data execution prevention, or the other exploit mitigations that are standard in operating systems. Because of these shortcomings, attackers who already have a foothold on a computer face little difficulty exploiting the vulnerability. From there, they can completely bypass the protection that many rely on to stop bootkits.
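To make the parsing flaw concrete, here is an added illustration, constructed for this article and not GRUB2's code or Eclypsium's findings: a fixed-buffer token copier in the vulnerable shape beside a bounded version, plus a scan that flags config lines such a parser could not safely handle. TOKEN_MAX, the function names, and the sample config lines are assumptions.

```c
#include <string.h>

/* Constructed illustration (not GRUB2's real parser): copies each
 * space-delimited token of a grub.cfg line into a fixed buffer. The bug
 * described above has the same shape: an over-long line in the unsigned
 * config file writes past the memory the parser set aside for it. */
#define TOKEN_MAX 32

/* Vulnerable pattern: no length check, so a token of TOKEN_MAX bytes or
 * more writes past out[]. Shown for contrast only; nothing here calls it. */
int copy_token_unsafe(const char *line, char out[TOKEN_MAX]) {
    int n = 0;
    while (line[n] && line[n] != ' ' && line[n] != '\n') {
        out[n] = line[n]; n++;       /* out of bounds once n >= TOKEN_MAX */
    }
    out[n] = '\0';
    return n;
}

/* Hardened version: measure first, refuse anything that cannot fit with
 * its terminator, and leave out[] untouched on failure. */
int copy_token_safe(const char *line, char out[TOKEN_MAX]) {
    size_t n = strcspn(line, " \n");
    if (n >= TOKEN_MAX)
        return -1;                   /* caller should reject the whole config */
    memcpy(out, line, n);
    out[n] = '\0';
    return (int)n;
}

/* Defensive scan of a whole config buffer: returns the 1-based number of
 * the first line holding a token the safe copier would refuse, or 0. */
int first_bad_line(const char *cfg) {
    int lineno = 1;
    for (const char *p = cfg; *p; ) {
        size_t len = strcspn(p, "\n");           /* current line only */
        for (size_t i = 0; i < len; ) {
            while (i < len && p[i] == ' ') i++;  /* skip separators */
            size_t tok = strcspn(p + i, " \n");  /* token length */
            if (tok >= TOKEN_MAX) return lineno;
            i += tok;
        }
        p += len;
        if (*p == '\n') { p++; lineno++; }
    }
    return 0;
}

/* Constructed sample configs; SAMPLE_BAD carries a 40-byte token on line 2. */
const char SAMPLE_OK[]  = "set timeout=5\nlinux /vmlinuz root=/dev/sda1\n";
const char SAMPLE_BAD[] = "set timeout=5\nlinux /vmlinuz "
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n";
```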
In addition to the Eclypsium report, Debian provides a comprehensive overview here.
But there are some major catches
Still, the severity of the vulnerability is offset by several things. First, an attacker must have either administrative rights on the computer or physical access to it. Administrator-level control is increasingly hard to obtain on modern operating systems, which have made great strides in blocking exploits. Physical access can occur at border crossings or similar moments when a user briefly loses control of the computer, but in many other scenarios that requirement is a high bar, making it unlikely to affect many consumers. Physical possession also greatly limits the scale of attacks.
Two other factors make BootHole less dire: attackers who already have administrative or physical control of a computer already have many other ways to infect it with advanced, stealthy malware, and there are several other known ways to bypass Secure Boot.
"I would argue that Secure Boot is not the foundation of computer security today because it is rarely effective. By [Eclypsium's] own account, it was easy to get around for more than a year without anyone noticing, and there is no long-term fix," said HD Moore, vice president of research and development at Atredis Partners and a software application security expert. "I'm not sure who benefits from the GRUB2 buffer overflow, because there are other problems without signing grub.cfg. It can be useful as a malware vector, but even then there is no reason to exploit the buffer overflow when a custom grub.cfg file can be used instead of booting the actual OS."
Other researchers seem to agree with that assessment. CVE-2020-10713, the identifier used to track the vulnerability, is rated "Moderate."
Moore's case in point is a boot loader Kaspersky Lab used to boot crippled computers from a rescue disk, whose signature was revoked in February. The revocation caused so many problems that Microsoft reversed the change and overhauled its approval process. The episode highlights not only the difficulty of fixing BootHole (more on that later) but also the fact that it is already possible to bypass Secure Boot.
Not scary doesn’t mean it’s not serious
Barriers and restrictions on exploitation do not mean the vulnerability should not be taken seriously. Secure Boot was created for exactly the scenario an attacker needs to exploit BootHole. The risk is compounded by the number of computer and software vendors affected. Eclypsium has a more comprehensive list of affected parties. They include:
- UEFI Forum (Unified Extensible Firmware Interface Forum)
- Red Hat (Fedora and RHEL)
- Canonical (Ubuntu)
- SuSE (SLES and openSUSE)
- Various computer manufacturers
- Software vendors, including security software
Another serious consideration is the challenge of pushing out updates that do not permanently prevent the computer from starting, a failure commonly called "bricking." As the Kaspersky incident shows, the risks are real and can have dire consequences.
Correcting a mess is a mess in itself
Fixes involve a multi-step process that will be neither trivial nor, in many cases, fast. GRUB2 must first be updated to remove the vulnerability and then distributed to manufacturers or to administrators of large fleets. There, engineers must thoroughly test the update on each supported computer model to make sure it does not brick the machine. The update will then need to be fixed for any machines where that happens. Only then can it be installed normally.
Even then, attackers with the privileges described above will have little trouble reverting GRUB2 to its vulnerable version and exploiting the buffer overflow. Although GRUB2 is not normally installed on Windows computers, privileged attackers can usually install it. To fully fix the vulnerability, computer manufacturers will need to revoke the cryptographic signatures that validate the old version, or the shim that loads the old version.
This step also carries the risk of bricking. If signatures are revoked before the updated GRUB2 is installed, or, in the case of Windows computers, signatures on other boot components are revoked before extensive testing has been done, machines may fail to boot.
To avoid that possibility, Microsoft, Red Hat, Canonical, and other OS and hardware makers typically offer two-step fixes. The GRUB2 update is released first, and only after it has been tested and judged safe to install. Then, after a period that may last months, the signatures are revoked. Only after the second step is the vulnerability fully fixed.
Microsoft, which operates the certificate authority that issues the UEFI signatures manufacturers rely on, has issued the following statement:
We are aware of a vulnerability in GRand Unified Boot Loader (GRUB), the most commonly used Linux boot loader. To exploit this vulnerability, an attacker would need to have administrator privileges or physical access on a system that is configured to use Secure Boot to trust the Microsoft UEFI CA. We are working to complete validation and compatibility testing of the required Windows Update package.
A Microsoft spokesman said the company would give IT administrators in urgent need a "mitigation option" to install an untested update. The spokesman said a generally available patch would be released at an unspecified later date. Microsoft has published a Knowledge Base article here.
There is too much advice from other affected companies to include in the original version of this article. In the meantime, readers should check the affected companies' websites. This post will be updated later with links.
For now, there is no reason to panic. Because of the strict exploitation requirements, the severity of this vulnerability is moderate. And as mentioned, Secure Boot is already vulnerable to other bypasses. That is not to say there is no reason to take this vulnerability seriously. Patch it as soon as possible, but only after the update has been thoroughly tested by experienced users or by the affected OS and software vendors. In the meantime, don't lose sleep.