Billions of devices running modern operating systems like Linux and Windows could be at risk due to a powerful new security vulnerability, new research found.
Security company Eclypsium has discovered a UEFI Secure Boot vulnerability that allows unrestricted access to affected systems. Virtually all modern servers, client PCs and other PC-based equipment use UEFI, the interface between an OS and the platform firmware. All versions of UEFI include a Secure Boot framework designed specifically to prevent unauthorized code from running during the boot process. The framework relies on cryptographic keys to authenticate the code that is allowed to run when the system starts.
The component that loads the specified operating system kernel and transfers control to it is the bootloader; on most Linux systems this is GRUB2 (Grand Unified Bootloader). If this component is compromised, attackers can control how the operating system loads and undermine every security control layered above it.
BootHole
Eclypsium discovered a weakness in the way GRUB2 parses its configuration file that allows attackers to run arbitrary code that bypasses signature verification and install persistent and stealthy bootkits or malicious bootloaders to gain control over a system. While attackers can gain unfettered control over a machine, as well as all the secrets it may contain, the computer may function as usual, and administrators may not know it is compromised until it is too late.
Exploiting the GRUB2 vulnerability is not exactly easy, as it requires high-level privileges that would have to be obtained by an insider or by an outsider using various means. However, the potential payoff of near-total control over a machine is highly motivating.
On paper, the solution seems simple enough: fix the GRUB2 vulnerability; update installers, bootloaders and shims for Linux distributions; have the new shims signed by Microsoft's third-party UEFI CA; and update operating systems. Meanwhile, given the difficulty of updating and revoking across the entire ecosystem, correcting the vulnerability for all systems and organizations on the planet will take quite a long time, years, to be exact.
“Complete mitigation of this problem will require coordinated efforts from a variety of entities: affected open source projects, Microsoft and the owners of the affected systems, among others,” an Eclypsium statement said. “However, full implementation of this revocation process will probably be very slow.”
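The slow revocation process described above works by adding hashes of vulnerable bootloader images to the UEFI forbidden-signature database (dbx). The following added example, not code from Eclypsium or any UEFI project, parses the EFI_SIGNATURE_LIST format used by dbx and checks whether a given image is revoked; the sample images, the owner GUID and the flat SHA-256 of the file are constructed for illustration (real dbx entries carry the Authenticode hash of the PE image, not a plain file hash).

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID: the signature type for SHA-256 hash entries in db/dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Constructed owner GUID used only for the sample entries below.
SAMPLE_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-00000000beef")


def parse_signature_lists(blob: bytes) -> list:
    """Walk the EFI_SIGNATURE_LIST structures in a db/dbx variable body.

    Returns (signature_type, signature_data) pairs. Layout of each list:
      SignatureType (16-byte GUID), SignatureListSize, SignatureHeaderSize,
      SignatureSize (three little-endian UINT32), an optional header, then
      SignatureSize-byte entries of SignatureOwner GUID + signature data.
    """
    entries = []
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")  # refuse to guess
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            entries.append((sig_type, blob[pos + 16:pos + sig_size]))  # skip owner GUID
            pos += sig_size
        off = end
    return entries


def build_sha256_list(hashes: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (16-byte owner + 32-byte hash)."""
    body = b"".join(SAMPLE_OWNER_GUID.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body


def is_revoked(image: bytes, dbx: bytes) -> bool:
    """True if the SHA-256 of `image` appears as a SHA-256 entry in dbx."""
    digest = hashlib.sha256(image).digest()
    return any(t == EFI_CERT_SHA256_GUID and data == digest
               for t, data in parse_signature_lists(dbx))


# Constructed sample: two fake bootloader images, only the first one revoked.
VULNERABLE_SHIM = b"constructed vulnerable shim image"
PATCHED_SHIM = b"constructed patched shim image"
SAMPLE_DBX = build_sha256_list([hashlib.sha256(VULNERABLE_SHIM).digest()])
```

On a Linux host the real variable body can be read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after stripping its 4-byte attribute prefix.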
Source: Eclypsium (via Tom’s Hardware)