Linux distributions fix new BootHole flaw


Secure Boot, despite the name, is not as secure as we would like. The security company Eclypsium discovered a security hole in GRUB2 that it named BootHole. GRUB2 is familiar to Linux users as one of the most widely used bootloaders. As such, this flaw makes any machine potentially vulnerable to attack; the key word is "potentially".

BootHole allows attackers to insert and execute malicious code during the boot process. Once planted there, a bootkit payload can load further code that then takes over the operating system. Fortunately, Linux distribution developers were warned of the problem in advance, and most of them have already released patches.

Moreover, to use BootHole, an attacker has to edit grub.cfg, the GRUB2 configuration file. Therefore, to successfully attack a Linux system, the attacker must already have root-level access to the target. In practical terms, that attacker has already compromised the system. With such access, an attacker can modify values in grub.cfg to trigger a buffer overflow, which can then be used to insert a malicious payload.
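Because the attack described above hinges on an unexpected edit to grub.cfg by someone who already holds root, a practical defensive control is to baseline that file and alert on drift. The script below is an added example for this article, not code from Eclypsium or any distribution; the file paths, the sample contents and the baseline hash are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article or from any distribution: a minimal
# integrity check for a GRUB2 configuration file. BootHole needs an attacker who
# already has root to edit grub.cfg, so one defensive control is to record a
# baseline hash of that file off-host and alert when the live copy drifts or
# becomes writable by non-root users. All paths and values below are assumptions.

# Print the SHA-256 of a file; works with GNU sha256sum or BSD shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_grub_cfg FILE BASELINE_SHA256
# Exit status: 0 = matches baseline, 1 = contents changed,
#              2 = file missing,    3 = group- or world-writable.
check_grub_cfg() {
    cfg=$1
    baseline=$2
    [ -f "$cfg" ] || { echo "MISSING: $cfg"; return 2; }

    # Column 6 of "ls -l" is the group write bit, column 9 the world write bit.
    perms=$(ls -ld "$cfg" | cut -c1-10)
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WEAK PERMS: $cfg is writable by non-owner ($perms)"
        return 3
    fi

    actual=$(file_sha256 "$cfg")
    if [ "$actual" != "$baseline" ]; then
        echo "CHANGED: $cfg sha256 $actual does not match baseline $baseline"
        return 1
    fi
    echo "OK: $cfg matches baseline"
    return 0
}

# Demo on a constructed sample file (not a real grub.cfg) in a temp directory.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/grub.cfg"
printf 'set timeout=5\nset default=0\n' > "$demo_cfg"
chmod 644 "$demo_cfg"
demo_baseline=$(file_sha256 "$demo_cfg")   # in practice, store this off-host

check_grub_cfg "$demo_cfg" "$demo_baseline"
# Simulate an unexpected edit and re-check; the non-zero status is the alert.
printf 'set timeout=999\n' >> "$demo_cfg"
check_grub_cfg "$demo_cfg" "$demo_baseline" || echo "alert: exit status $?"
rm -rf "$demo_dir"
```

A check like this only detects tampering; it does not remove the underlying bug, which is why the distribution patches the article goes on to describe are the actual fix. Since the attacker the article has in mind already holds root and could rewrite a locally stored baseline, keep the baseline hash in a monitoring system or other off-host location rather than next to the file it protects.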

While Eclypsium found the initial GRUB2 problem, Linux developers found further problems within GRUB2. Joe McManus, director of security engineering at Canonical, said:

"Thanks to Eclypsium, we at Canonical, along with the rest of the open source community, have updated GRUB2 to defend against this vulnerability. During this process, we identified seven additional vulnerabilities in GRUB2, which will also be fixed in the updates released today. The attack itself is not a remote exploit and requires the attacker to have root privileges. With that in mind, we don't see it as a popular vulnerability used in the wild. However, this effort really exemplifies the community spirit that makes open source software so secure."

Red Hat is also on the case. Peter Allor, director of product security at Red Hat, said:

"Red Hat is aware of a flaw (CVE-2020-10713) in GRUB 2. Product Security has conducted a thorough analysis and understands not only how this flaw affects Red Hat products, but most importantly, how this affects the Linux kernel. Our PSIRT has been working closely with engineering teams, cross-functional teams, the Linux community and our industry partners to offer currently available updates for affected Red Hat products, including Red Hat Enterprise Linux."

Marcus Meissner, leader of the SUSE security team, points out, however, that while the problem is serious and needs a patch, it is not too bad. He observed:

"Given the need for root access to the bootloader, the described attack appears to have limited relevance to most cloud computing, data center, and personal device scenarios, unless these systems are already compromised by another attack. However, it creates an exposure when untrusted users can access a machine, for example, bad actors in classified computing scenarios or computers in public spaces that operate in unattended kiosk mode."

So the moral of the story is that while you should patch your Linux systems, this security hole is really only an issue in a small number of limited situations.
