
BootHole GRUB2 Execution Vulnerability

BootHole is a buffer overflow vulnerability in the GRUB2 boot loader used by both Linux and Windows UEFI Secure Boot operating systems. It can be exploited by an attacker with administrative rights to execute arbitrary code on a system before the OS kernel is loaded.


Summary



The following platforms are also known to be affected:

Any hardware root-of-trust mechanism using UEFI Secure Boot

Threat details

Introduction

Security researchers have released details of a buffer overflow vulnerability affecting the GRUB2 boot loader, called BootHole. They claim that a local authenticated attacker could exploit this vulnerability to gain arbitrary code execution (ACE) capability.

The Grand Unified Bootloader

The GRand Unified Bootloader 2, or GRUB2, is an open-source multiboot-capable boot loader. A boot loader is the first software program executed when a computer system is turned on, and is responsible for loading the operating system kernel.

GRUB2 is used by almost all Linux distributions as standard, and is the default loader specified for systems using Microsoft's UEFI Certificate Authority.


Vulnerability details

BootHole is the result of a flaw in the way GRUB2 parses information contained within its configuration file, grub.cfg. This file is typically located in the EFI system partition, an area of the hard disk used to store UEFI firmware, device drivers, kernel images, and system-level utilities, and it can be accessed by administrative users.

An attacker with administrative rights is able to edit grub.cfg to cause GRUB2 to run any code they choose, such as a bootkit, before the OS kernel is loaded.
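Because the attack path runs through an administrator-writable grub.cfg, a practical defensive control is to monitor that file for changes. The following added example (not code from the advisory or from the GRUB project) checks a grub.cfg against a known-good SHA-256 baseline and flags any single token far longer than a legitimate configuration would contain; the 1 KiB token threshold and the sample configuration are assumptions constructed for illustration.

```python
# Added example: integrity check for grub.cfg, the file BootHole abuses.
# Two checks: (1) the file's SHA-256 must match a recorded baseline, and
# (2) no single whitespace-delimited token may exceed MAX_TOKEN_LEN.
# MAX_TOKEN_LEN is an assumed threshold, not the exact overflow length;
# treat any hit as "investigate", not as proof of exploitation.
import hashlib

MAX_TOKEN_LEN = 1024  # assumption: real grub.cfg tokens are far shorter


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the raw file contents."""
    return hashlib.sha256(data).hexdigest()


def overlong_tokens(cfg: str, limit: int = MAX_TOKEN_LEN) -> list[tuple[int, int]]:
    """Return (line_number, token_length) for every token longer than limit."""
    findings = []
    for lineno, line in enumerate(cfg.splitlines(), start=1):
        for tok in line.split():
            if len(tok) > limit:
                findings.append((lineno, len(tok)))
    return findings


def check_grub_cfg(cfg: bytes, baseline_sha256: str) -> list[str]:
    """Return human-readable findings; an empty list means the file looks clean."""
    findings = []
    digest = sha256_hex(cfg)
    if digest != baseline_sha256:
        findings.append(f"grub.cfg hash {digest[:16]}... differs from baseline")
    for lineno, length in overlong_tokens(cfg.decode("utf-8", errors="replace")):
        findings.append(f"line {lineno}: token of {length} bytes exceeds {MAX_TOKEN_LEN}")
    return findings


# Constructed sample: a minimal, legitimate-looking grub.cfg (not a real system's file)
KNOWN_GOOD = b"""set timeout=5
set default=0
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda2 ro quiet
    initrd /initrd.img
}
"""
BASELINE = sha256_hex(KNOWN_GOOD)  # recorded when the file was known to be good

# Constructed sample of a modified file: same entries plus one overlong token
TAMPERED = KNOWN_GOOD + b"set x=" + b"A" * 4096 + b"\n"

if __name__ == "__main__":
    for name, data in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        print(name, "->", check_grub_cfg(data, BASELINE) or "clean")
```

In production the baseline would be recorded after applying the vendor update and the check run against the grub.cfg read from the mounted EFI system partition.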


Remediation advice

Most operating system vendors have produced, or are in the process of producing, preliminary updates to address BootHole in their products. Affected organisations are encouraged to contact their relevant suppliers to obtain and apply the necessary updates.

Vendors with available updates (note this list may not be comprehensive):

Please note that due to the importance of GRUB2 to any OS using it, it is likely vendors will be slower to address BootHole as they ensure any updates do not adversely affect their products.



Last edited: 5 August 2020 3:14 pm