Secure Boot vulnerability “BootHole” found in most Linux distributions, Windows 8 and 10

A major security vulnerability in the Secure Boot process has been confirmed on most laptops, desktops and servers. Here's what you need to know about BootHole.

Eclypsium security researchers have discovered a vulnerability affecting the bootloader used on “virtually all” Linux systems and almost every Windows Secure Boot device that trusts Microsoft's widely used Unified Extensible Firmware Interface (UEFI) certificate authority.

CVE-2020-10713, nicknamed BootHole, carries a high CVSS score of 8.2 and lies in the GRand Unified Bootloader 2 (GRUB2), but it affects Secure Boot systems even if they don't use GRUB2.

If exploited successfully, BootHole lets an attacker execute arbitrary code on Windows and Linux devices during the boot process, even when Secure Boot is enabled. This means an attacker can gain persistence with stealthily installed malware and obtain “almost total control” over the device, according to Eclypsium.

The industry's response to this threat, discovered in April 2020, has been a joint effort in which several vendors shared information to work out a fix.

The result is a coordinated disclosure today. Companies including Canonical, Microsoft, Red Hat, SUSE, Debian, Citrix, Oracle and VMware are rolling out patches and mitigations, with some updates available immediately and others still to come.

I asked John Loucaides, vice president of research and development at Eclypsium, how many devices are threatened by the BootHole vulnerability. “The default configuration enables Secure Boot with the Microsoft UEFI Certificate Authority, which has signed many vulnerable GRUB versions, on almost all devices sold with Windows 8 logo certification,” he says.

Because Secure Boot has been the default for most systems sold since Windows 8, Eclypsium notes that this means “the majority of laptops, desktops, servers and workstations are affected, as well as network appliances.” A number that could exceed a billion.

I also spoke to Joe McManus, director of security at Canonical, which publishes Ubuntu. “It's an interesting vulnerability, and thanks to Eclypsium, Canonical, along with the rest of the open source community, has updated GRUB2 to protect against CVE-2020-10713,” he says.

Which is fine, but McManus also revealed to me that “during this process, we have found seven other vulnerabilities in GRUB2 that will also be fixed in the updates released today.” It's a wonderful example of cooperation within the open source software community, and beyond it, that's for sure.

UEFI's Secure Boot process and the role GRUB2 plays in it are highly technical. If you want all the thorny details, I suggest reading the Eclypsium report “There's a Hole in the Boot” or Ubuntu's knowledge base article on the GRUB2 Secure Boot bypass.

The short version is that UEFI Secure Boot uses cryptographic signatures to validate the integrity of each piece of code as it is needed during the boot process and, as already mentioned, is the widespread default on most laptops, desktops and servers.

Every piece of firmware and software is checked before it runs, and anything that cannot be verified is not run.

As you can imagine, it matters a great deal who can vouch for the code approved in the Secure Boot database, and Microsoft's third-party UEFI certificate authority is the industry standard for that.

Open source projects and others use a shim, a small application that bundles the vendor's certificate and code to locate and run the GRUB2 bootloader. The shim is verified against Microsoft's third-party UEFI certificate authority before it is loaded, and the shim in turn verifies the GRUB2 bootloader.

BootHole is a buffer overflow vulnerability in the way GRUB2 parses its configuration file, which allows an attacker to execute arbitrary code and take over the operating system's boot process.

If you sense a “but” coming, it's because there is one: but only if the attacker is already on the system and holds the highest privileges. This is not a remote code execution vulnerability; if it were, I suspect that rather than being rated a high-severity vulnerability it would be a critical one.

“The bootkit attacks that Secure Boot is intended to protect against are sometimes used for persistence, disruption or bypassing other security measures,” says Loucaides, adding that “recent ransomware campaigns have attacked bootloaders on newer UEFI systems.” Because Secure Boot would appear to keep working normally, Loucaides told me, “hypothetically, it would also be a clever way to hide an attack for a long time, use stolen credentials, or wait to trigger a kill switch.”

However, Ian Thornton-Trump, CISO at threat intelligence company Cyjax, is not too concerned. “I am reluctant to press the full panic button on this issue,” he says. “Weaponising it would have to rely on a chain of exploits, layered security failures, to launch an attack that reaches the operating system's bootloader.”

So, while this is indeed an incredibly widespread vulnerability, in theory affecting almost every platform, Thornton-Trump states that “the threat landscape has attack surfaces that are much more easily exploited, such as process hollowing and DLL injection.” Joe McManus also says that he “doesn't see this as a popular vulnerability being used in the wild.”

I contacted Microsoft, and a spokesperson told me the company “is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux,” and that Microsoft “is working to complete validation and compatibility testing for a Windows update package.”

I understand that when the appropriate Windows update becomes available, customers will be notified through a revision of the security advisory issued as part of today's coordinated disclosure, and that it will come with a mitigation option installed as an optional update.

Peter Allor, Red Hat's director of product security, said: “We are working closely with the Linux community as well as our industry partners to provide updates for the affected Red Hat products, including Red Hat Enterprise Linux.”

A Debian spokesperson told me that “Debian is working with the rest of the Linux community to prepare updates that address this vulnerability. Security is very important to us, our users and our community.” More information can be found here.

A SUSE spokesperson said: “We are aware of the Linux vulnerability called BootHole disclosed by Eclypsium, and our customers and partners can be assured that we have released fixed GRUB2 packages that close the BootHole vulnerability for all SUSE Linux products and are releasing the corresponding updates for Linux kernel packages, cloud images and installation media.”

So, in short, patches are being released for GRUB2 to resolve the vulnerability, with Linux distributions and other vendors updating their installers, bootloaders and shims.

The new shims must be signed by Microsoft's third-party UEFI certificate authority, and administrators of affected devices will need to update the installed versions of their operating systems in the field, as well as installer images, including disaster recovery media. The UEFI revocation list in the firmware of each affected system will eventually need to be updated too, so that the old, still validly signed bootloaders can no longer be used to exploit BootHole at boot.
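To make the chain of trust described above concrete, and to show why the revocation-list update in the previous paragraph matters even after GRUB2 is patched, here is an added illustration written for this article. It is not Eclypsium's, Microsoft's or any distribution's code. Real Secure Boot verifies Authenticode (RSA/X.509) signatures on PE binaries and keeps allowed certificates in the UEFI `db` and revoked certificates or image hashes in the UEFI `dbx`; in this model an HMAC-SHA256 tag stands in for a signature, a SHA-256 digest stands in for the hash a `dbx` entry revokes, and every key name and image byte string is constructed for the example.

```python
"""Toy model of the Secure Boot chain the article describes: firmware -> shim -> GRUB2.

Added illustration, not vendor code. HMAC-SHA256 stands in for an RSA/X.509
Authenticode signature; SHA-256 of the image stands in for a dbx hash entry.
"""
import hashlib
import hmac

# Constructed stand-in signing keys (in reality RSA key pairs behind X.509 certs).
MS_UEFI_CA_KEY = b"constructed-microsoft-third-party-uefi-ca"
VENDOR_KEY = b"constructed-distro-vendor-signing-key"


def sign(key: bytes, image: bytes) -> bytes:
    """Stand-in for producing a Secure Boot signature over an image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify(key: bytes, image: bytes, sig: bytes) -> bool:
    """Stand-in for checking an image signature against one trusted key."""
    return hmac.compare_digest(sign(key, image), sig)


def image_hash(image: bytes) -> str:
    """The per-image hash that a dbx (revocation list) entry can forbid."""
    return hashlib.sha256(image).hexdigest()


class Firmware:
    """UEFI firmware holding the allowed-key database (db) and revocation list (dbx)."""

    def __init__(self, db, dbx=()):
        self.db = list(db)
        self.dbx = set(dbx)

    def authorised(self, image: bytes, sig: bytes, extra_keys=()) -> bool:
        # A revoked hash loses even with a valid signature. That is the whole
        # point of dbx: the old, vulnerable GRUB2 binaries are still correctly signed.
        if image_hash(image) in self.dbx:
            return False
        return any(verify(k, image, sig) for k in (*self.db, *extra_keys))


def boot(fw: Firmware, shim: bytes, shim_sig: bytes, grub: bytes, grub_sig: bytes) -> str:
    """Walk the chain and report how far it gets.

    The firmware checks the shim against db/dbx. The shim then checks GRUB2
    with the vendor key it carries and, like the real shim, honours dbx as well.
    """
    if not fw.authorised(shim, shim_sig):
        return "denied: shim"
    if not fw.authorised(grub, grub_sig, extra_keys=[VENDOR_KEY]):
        return "denied: grub2"
    return "booted"


# Constructed images standing in for the real PE binaries.
SHIM = b"shim (embeds the vendor certificate)"
SHIM_SIG = sign(MS_UEFI_CA_KEY, SHIM)
OLD_GRUB = b"grub2 with the BootHole config-parser bug"
OLD_GRUB_SIG = sign(VENDOR_KEY, OLD_GRUB)      # signed before the bug was known
NEW_GRUB = b"grub2 with the CVE-2020-10713 fix"
NEW_GRUB_SIG = sign(VENDOR_KEY, NEW_GRUB)


def scenarios() -> dict:
    """Outcomes before and after the dbx update the article says is still needed."""
    before = Firmware(db=[MS_UEFI_CA_KEY])
    after = Firmware(db=[MS_UEFI_CA_KEY], dbx=[image_hash(OLD_GRUB)])
    shim_revoked = Firmware(db=[MS_UEFI_CA_KEY], dbx=[image_hash(SHIM)])
    tampered = OLD_GRUB + b" + unsigned modification"   # no valid signature exists for this
    return {
        "old grub, no dbx update": boot(before, SHIM, SHIM_SIG, OLD_GRUB, OLD_GRUB_SIG),
        "patched grub, no dbx update": boot(before, SHIM, SHIM_SIG, NEW_GRUB, NEW_GRUB_SIG),
        "old grub, dbx updated": boot(after, SHIM, SHIM_SIG, OLD_GRUB, OLD_GRUB_SIG),
        "patched grub, dbx updated": boot(after, SHIM, SHIM_SIG, NEW_GRUB, NEW_GRUB_SIG),
        "unsigned modification": boot(after, SHIM, SHIM_SIG, tampered, OLD_GRUB_SIG),
        "old shim revoked": boot(shim_revoked, SHIM, SHIM_SIG, NEW_GRUB, NEW_GRUB_SIG),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:30} -> {result}")
```

The first two scenarios are the uncomfortable ones: with no revocation entry, the old GRUB2 boots just as happily as the patched one, because its signature is still valid. Only once its hash (or the hash of the shim that would load it) is in `dbx` does the firmware refuse it, which is why the article lists the revocation-list update as a separate, final step rather than something the GRUB2 patch delivers on its own.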

I have been a technology journalist for three decades and have been editor-in-chief of PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year Award (2006, 2008, 2010), I was also fortunate enough to be named BT's Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called “Internet Threats”. In 2011, I won the Enigma Award for my lifetime contribution to IT security journalism. Contact me in confidence at [email protected] if you have a story to reveal or research to share.
