A severe vulnerability exists in almost all signed versions of the GRUB2 bootloader used by most Linux systems. When properly exploited, it could allow threat actors to compromise an operating system's booting process even if the Secure Boot verification mechanism is active.

Aptly named BootHole, the flaw permits executing arbitrary code in the GRUB bootloader. An attacker could use it to plant malware known as a bootkit, which loads before the operating system (OS). Compromising a system this way gives the malware the highest privileges and makes it virtually undetectable, as it is already running by the time security solutions on the OS become active.

Security researchers at firmware and hardware security firm Eclypsium found a buffer overflow (CVE-2020-10713) in the way GRUB2 parses content from its configuration file, "grub.cfg," which is located externally, in the EFI System Partition. Threat actors could modify "grub.cfg" because it is just a text file that typically lacks any integrity protection such as a digital signature, unlike other components of the bootloader.

Changing GRUB's configuration file allows control over the booting process. Malware added this way is highly persistent, as it survives an OS reinstall.

Despite the damage it can do, BootHole has a severity score of 8.2 (high) because editing the configuration file requires administrative privileges. However, the effort is worth it for some actors. The reward would be "powerful additional escalation of privilege and persistence on the device, even with Secure Boot enabled and properly performing signature verification on all loaded executables."

Affected devices

Eclypsium says only one bootloader tool vendor added custom code to run a signature check on "grub.cfg" on top of the verification performed on the GRUB2 executable.

"The buffer overflow allows the attacker to gain arbitrary code execution within the UEFI execution environment, which could be used to run malware, alter the boot process, directly patch the OS kernel, or execute any number of other malicious actions" - Eclypsium

This means that all versions of GRUB2 that load commands from an external configuration file are vulnerable. And while this bootloader is associated with Linux, dual-boot systems with Windows are also affected. The researchers believe that most modern systems in use today are impacted by BootHole. This includes servers, workstations, laptops, and desktops, along with Linux-based IoT systems and operational technology hardware.

A long way to the fix

Eclypsium has already disclosed the vulnerability to OS vendors, computer makers, and CERTs. Advisories and mitigations are expected to be released today from multiple organizations in the industry. However, these coordinated efforts are unlikely to produce an effect soon, because signing and deploying new bootloaders and revoking the vulnerable ones is not something that can be done quickly.

Advisories galore

As anticipated, after Eclypsium released the details about BootHole, multiple organizations have published advisories about the vulnerability, explaining the consequences of leaving it unpatched and providing recommendations.
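Because the fix described above hinges on revoking vulnerable bootloaders, a defender wants to know whether the revocation list on a given machine actually covers the bootloader it runs. The following Python is an added example, not Eclypsium's or any vendor's code; it assumes the revocation is delivered through the UEFI dbx variable (a standard mechanism the article does not name) and parses the EFI_SIGNATURE_LIST layout that dbx uses, checking a bootloader image hash against it. The dbx blob and the image hashes are constructed sample data, not real revocation entries.

```python
"""Enumerate SHA-256 revocation entries in a UEFI dbx blob (EFI_SIGNATURE_LIST format)."""
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: each entry is the SHA-256 of a PE image.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every EFI_SIGNATURE_DATA in the blob."""
    off = 0
    while off + 28 <= len(blob):  # 16-byte GUID + three UINT32 fields per list header
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner GUID
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(blob: bytes) -> set:
    """Return the set of SHA-256 image hashes the blob revokes (other entry types are ignored)."""
    return {data for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, image_hash: bytes) -> bool:
    """True if the given 32-byte image hash appears in a SHA-256 revocation list."""
    return image_hash in revoked_sha256_hashes(blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here only to construct sample data)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + 32)
    return header + body


# Constructed sample: two fake "bootloader" hashes, not real revocation entries.
SAMPLE_VULNERABLE = hashlib.sha256(b"constructed: vulnerable grub image").digest()
SAMPLE_OTHER = hashlib.sha256(b"constructed: some other image").digest()
SAMPLE_DBX = build_sha256_list([SAMPLE_VULNERABLE]) + build_sha256_list([SAMPLE_OTHER])

if __name__ == "__main__":
    # On Linux the live variable is /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    # (skip its 4-byte attribute prefix before parsing); here the constructed blob is used instead.
    print(len(revoked_sha256_hashes(SAMPLE_DBX)), "revoked hashes")
    print("vulnerable image revoked:", is_revoked(SAMPLE_DBX, SAMPLE_VULNERABLE))
```

Feeding the live dbx blob and the SHA-256 of the installed GRUB2 EFI image shows whether the revocation step has reached that machine.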