As many experts anticipated, patches for the BootHole vulnerability in the GRUB2 bootloader, used by all major Linux distributions, are causing problems and preventing some users from booting their systems.
While the list of affected distributions included only Red Hat yesterday, it has now grown to include Ubuntu [1, 2, 3], Debian, CentOS [1, 2] and Fedora.
Microsoft security researcher Kevin Beaumont also reports problems in cloud environments, noting that “a bug in cloud-init is causing problems in major cloud providers with Grub, such as Digital Ocean and Azure, which have the same impact: patched systems do not start”.
What is BootHole?
Details of the BootHole vulnerability were published on Wednesday of this week. Discovered by security firm Eclypsium, the vulnerability affects GRUB2, the bootloader component responsible for launching the operating system on servers and desktops.
GRUB2 is currently the default bootloader on all major Linux distributions, and in some scenarios it is also used with Windows, as a custom bootloader or for dual-boot setups.
BootHole allows an attacker, or malware already on the system, to plant a crafted GRUB2 configuration file (grub.cfg) that triggers a buffer overflow in GRUB2's configuration parser, giving the attacker code execution inside the bootloader and, by extension, control over the operating system it goes on to load. The attacker must already be able to write grub.cfg, which means root privileges or physical access.
Systems with UEFI Secure Boot enabled are also vulnerable: Secure Boot verifies the signature on the GRUB2 binary itself, but grub.cfg is an unsigned text file that the bootloader parses without any integrity check, so a malicious configuration file passes the boot-time checks untouched.
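Because Secure Boot never looks at grub.cfg, the integrity check has to come from somewhere else. The following script is an added example, not code from the article or from Eclypsium: it audits a grub.cfg from the running OS by comparing it against a known-good SHA-256 baseline and by flagging overlong tokens, the condition that triggers BootHole's overflow in the GRUB2 config parser. The token limit, the sample configuration files and the path in the usage line are assumptions.

```python
"""Added example (not from the article or from Eclypsium): an out-of-band
integrity check for grub.cfg.

Secure Boot verifies the signature on the GRUB2 binary but not on the
configuration file it parses, so a modified grub.cfg is invisible to the
firmware. This script supplies the missing check from the running OS:
it compares the file against a known-good SHA-256 baseline and flags
overlong tokens, the condition that triggers BootHole's overflow in the
GRUB2 config parser. The token limit and the sample configs are assumptions.
"""
import hashlib
import re
import sys

# Assumption: no legitimate grub.cfg token comes anywhere near this size.
# It is deliberately far below the parser's internal buffer so that a
# crafted file is caught with margin.
MAX_TOKEN_LEN = 1024

# Constructed sample configs for the stand-alone demo, not real files.
BENIGN_CFG = b"""set timeout=5
menuentry 'Ubuntu' --class ubuntu {
\tlinux /vmlinuz root=UUID=0000-0000 ro quiet
\tinitrd /initrd.img
}
"""
# A crafted config: same content plus a line carrying a single oversized token.
TAMPERED_CFG = BENIGN_CFG + b"set x=" + b"A" * 5000 + b"\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def overlong_tokens(config: bytes, limit: int = MAX_TOKEN_LEN):
    """Return [(line_no, token_length)] for every token longer than `limit`.

    Tokens are split on whitespace, which under-counts quoted strings that
    contain spaces; treat this as a cheap heuristic and rely on the baseline
    hash as the authoritative control.
    """
    hits = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        for token in re.split(rb"\s+", line):
            if len(token) > limit:
                hits.append((line_no, len(token)))
    return hits


def audit_grub_cfg(config: bytes, baseline_sha256=None):
    """Audit one grub.cfg; returns a dict with the digest and a findings list.

    An empty findings list means the file matches its baseline (when one is
    given) and contains no suspicious tokens.
    """
    findings = []
    digest = sha256_hex(config)
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append(f"sha256 mismatch: expected {baseline_sha256}, got {digest}")
    for line_no, length in overlong_tokens(config):
        findings.append(
            f"line {line_no}: token of {length} bytes exceeds {MAX_TOKEN_LEN} "
            "(possible parser-overflow payload)"
        )
    return {"sha256": digest, "findings": findings}


def main(argv):
    # Usage (path is an assumption, it varies by distribution):
    #   audit_grub_cfg.py /boot/efi/EFI/<distro>/grub.cfg [baseline_sha256]
    if len(argv) < 2:
        # No path given: run the demo on the constructed samples.
        baseline = sha256_hex(BENIGN_CFG)
        for name, cfg in (("benign", BENIGN_CFG), ("tampered", TAMPERED_CFG)):
            result = audit_grub_cfg(cfg, baseline)
            print(name, "OK" if not result["findings"] else result["findings"])
        return 0
    with open(argv[1], "rb") as fh:
        config = fh.read()
    result = audit_grub_cfg(config, argv[2] if len(argv) > 2 else None)
    print("sha256:", result["sha256"])
    for finding in result["findings"]:
        print("FINDING:", finding)
    return 1 if result["findings"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the demo: the benign sample passes and the tampered sample produces two findings, the hash mismatch and the 5002-byte token. In practice the baseline hash is recorded right after a trusted GRUB2 update (and refreshed whenever update-grub or grub2-mkconfig legitimately regenerates the file), and the script is run from a cron job or your EDR's custom-script hook; a finding is a reason to inspect the ESP, not proof of compromise.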
The vulnerability was deemed serious enough that all major Linux distributions had patches ready when Eclypsium released its research earlier this week.
Most experts anticipated problems
The problems were to be expected, Kelly Shortridge, vice president of cybersecurity firm Capsule8, wrote in a blog post this week analysing what the BootHole vulnerability means for system administrators.
The issues arise mainly because patching BootHole is not a simple package update. A fixed GRUB2 must be built and signed, the shim that loads it must be re-signed, and the old, vulnerable signed binaries must eventually be revoked through the UEFI forbidden-signature database (dbx) that Microsoft manages. Everyone expected something along that chain to break. One practical caveat follows from it: a dbx revocation must reach a machine only after its shim and bootloader have been updated, since firmware will otherwise refuse to load the still-installed old shim and the system will not boot.
And they have. As ZDNet reported yesterday, the first issues were reported with Red Hat, but bug reports are now coming in from other distributions as well.
Because a GRUB2 failure stops the operating system from booting at all, the problems translate into downtime for those affected. In the reports so far, users said that rolling back to the previous GRUB2 packages, undoing the BootHole patches, got their systems booting again, at the cost of leaving them vulnerable.
Despite the reported issues, users are still encouraged to apply the BootHole patches: security researchers expect the bug to be weaponized by malware operators at some point, chiefly because it lets malware implant a bootkit component on infected systems, one that runs below the level at which antivirus software operates and that can survive a reinstallation of the operating system.