Secure boot threat ‘BootHole’ is found in most Linux distributions, Windows 8 and 10


A highly rated security vulnerability has been confirmed in the Secure Boot feature of most laptops, desktops, workstations, and servers. Here is what you need to know about BootHole.

Eclypsium security researchers discovered a vulnerability that affects the bootloader used by “virtually all” Linux systems, and almost all Windows devices that use Secure Boot with the standard Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority.

What is BootHole?

CVE-2020-10713, called BootHole, has a high CVSS rating of 8.2. It exists in the default GRand Unified Bootloader 2 (GRUB2) bootloader, but it affects systems running Secure Boot even if they are not using GRUB2.

If exploited successfully, BootHole opens Windows and Linux devices to arbitrary code execution during the boot process, even when Secure Boot is enabled. This means an attacker could gain persistence for stealthily installed malware, giving them “almost full control” over the device, according to Eclypsium.

The industry response to this threat, discovered in April 2020, has been a joint effort by multiple providers sharing information to come up with a solution.

The result is a coordinated global disclosure today. The likes of Canonical, Microsoft, Red Hat, SUSE, Debian, Citrix, Oracle and VMware are announcing advisories and mitigations today, with some updates available immediately and others still to come.

A billion devices could be at risk, maybe more

I asked John Loucaides, vice president of research and development at Eclypsium, how many devices are at risk from the BootHole vulnerability. “The default setting allows for safe startup with the Microsoft UEFI certification authority that has signed many vulnerable versions of GRUB on almost all devices sold with Windows logo certification since Windows 8,” he says.

Because Secure Boot is the default for most systems sold since Windows 8, Eclypsium noted that this means that “most laptops, desktops, servers, and workstations are affected, as well as network devices.” That is a number that could easily exceed a billion.

I also spoke to Joe McManus, director of security for Canonical, which publishes Ubuntu. “This is an interesting vulnerability, and thanks to Eclypsium, Canonical, along with the rest of the open source community, has updated GRUB2 to defend against CVE-2020-10713,” he says.

Which is good, but McManus revealed to me that “during this process, we identified seven more vulnerabilities in GRUB2 that will also be fixed in updates released today.” It’s a great example of cooperation within the open source software community, and beyond, that’s for sure.


How concerned should you be about this secure boot hijacking threat to your devices?

The UEFI Secure Boot process, and the part GRUB2 plays in it, is highly technical. If you want all the details, I highly recommend reading the Eclypsium report “There’s a Hole in the Boot” or the GRUB2 Secure Boot Bypass article from the Ubuntu Knowledge Base.

The condensed version is that UEFI Secure Boot uses cryptographic signatures to validate the integrity of code as it is loaded during the boot process and, as already mentioned, it is the default on most laptops, desktops, and servers.

Every piece of firmware and software is verified before it is executed, and unrecognized code is not executed.

As you can imagine, determining who can sign the code you trust, via the Secure Boot database, is quite important, and the third-party UEFI Certificate Authority (CA) is the industry standard.

Open source projects and others use a shim, a small application, to hold the vendor’s certificate and the code that verifies and runs the GRUB2 bootloader. That shim is verified against Microsoft’s third-party UEFI CA before the GRUB2 bootloader is loaded and verified.

BootHole is a buffer overflow vulnerability in the way GRUB2 parses its configuration file. It allows an attacker to execute arbitrary code and gain control over the operating system’s boot process.
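To illustrate the bug class described above (signed bootloader code reading an unsigned, locally writable configuration file into a fixed-size buffer), here is an added example in C. It is not GRUB2’s code; the function names, the 64-byte token buffer and the grub.cfg fragment are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define TOKEN_MAX 64  /* assumed fixed-size token buffer, as a lexer might keep */

/* Vulnerable pattern: token length is never compared with the destination
 * size, so an overlong token in the config file writes past 'out'. */
int copy_token_unchecked(const char *line, char *out)
{
    size_t n = strcspn(line, " \t\n");  /* token ends at whitespace */
    memcpy(out, line, n);               /* n is unbounded */
    out[n] = '\0';
    return (int)n;
}

/* Hardened pattern: the token must fit with its terminator, otherwise the
 * parser reports a fatal error and writes nothing beyond the buffer. */
int copy_token_checked(const char *line, char *out, size_t outsz)
{
    size_t n = strcspn(line, " \t\n");
    if (n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, line, n);
    out[n] = '\0';
    return (int)n;
}

/* Parse a whole config; returns the token count, or -1 on the first oversized
 * token. A pre-boot parser must stop at that point, not carry on. */
int parse_config(const char *cfg)
{
    char buf[TOKEN_MAX];
    int count = 0;
    while (*cfg) {
        cfg += strspn(cfg, " \t\n");    /* skip separators */
        if (!*cfg) break;
        int n = copy_token_checked(cfg, buf, sizeof buf);
        if (n < 0) return -1;
        count++;
        cfg += n;
    }
    return count;
}

int main(void)
{
    /* constructed grub.cfg fragment, and a constructed oversized token */
    const char *ok = "menuentry 'Ubuntu' {\n linux /vmlinuz root=/dev/sda1\n}\n";
    char bad[TOKEN_MAX * 3];
    memset(bad, 'A', sizeof bad - 1);
    bad[sizeof bad - 1] = '\0';
    printf("tokens: %d, oversized: %d\n", parse_config(ok), parse_config(bad));
    return 0;
}
```

The unchecked variant is only ever called with a short token here; the point of the checked variant is that a config file the bootloader cannot parse safely must halt the boot rather than be processed with a corrupted buffer.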


BootHole’s Real-World Threat

If you can feel a ‘but’ approaching, it’s because there is one: the vulnerability can only be exploited if the attacker is already on the system and has elevated privileges. This is not a remote code execution vulnerability; if it were, I imagine it would be rated critical rather than high.

“The bootkit attacks that Secure Boot aims to protect against are often used for persistence, disruption, or to circumvent other security measures,” says Loucaides, adding that “recent ransomware campaigns have attacked boot managers in new UEFI systems.” Because Secure Boot would continue to operate normally, Loucaides told me, “hypothetically, this would also be a good way to hide an attack for a long time, stealing credentials, or waiting to flip a kill switch.”

However, threat intelligence expert and Cyjax CISO Ian Thornton-Trump is not overly concerned. “I am reluctant to push the full panic button on this issue,” he says. “The weaponry has to rely on a chain of exploits, layered security flaws, to launch an attack to gain access to the boot of the operating system.”

So while it is, in theory, a widespread vulnerability that affects almost all platforms, Thornton-Trump says that “the threat landscape is exploiting much more readily available attack surfaces such as process hijacking and DLL injection.” Joe McManus also says he “doesn’t see it as a popular vulnerability used in the wild.”

I contacted Microsoft, and a spokesperson told me that the company is “aware of a vulnerability in the Grand Unified Boot Loader (GRUB), commonly used by Linux,” and that Microsoft is “working to complete validation and compatibility testing of a Windows Update package.”

I understand that when the relevant Windows Update is available, customers will be notified via a revision of the security advisory released as part of today’s coordinated disclosure, which will include a mitigation option to install as an untested update.


Linux Vendors’ Response to BootHole

Peter Allor, director of product security at Red Hat, said: “We are working closely with the Linux community as well as our industry partners to deliver updates to affected Red Hat products, including Red Hat Enterprise Linux.”

A Debian spokesperson told me that “Debian is working with the rest of the Linux community to prepare updates to address this vulnerability. Security is very important to us, our users, and our community.” More information can be found here.

A SUSE spokesperson says, “We are aware of the Linux vulnerability called BootHole that Eclypsium is sharing today, and our customers and partners can rest assured that we have released fixed GRUB2 packages that close the BootHole vulnerability for all SUSE Linux products today, and we are releasing updates for Linux kernel packages, cloud images and installation media.”

So, to summarize: patches for GRUB2 will be available to address the vulnerability, with Linux distributions and other vendors updating their installers, bootloaders, and shims.

The new shims must be signed by Microsoft’s third-party UEFI CA, and administrators of affected devices must update the installed operating systems in the field, as well as installer images, including disaster recovery media. The UEFI revocation list in the firmware of each affected system will eventually need to be updated to prevent BootHole from being exploitable during boot.
