Security researchers at Eclypsium have disclosed a serious vulnerability in the GRUB2 bootloader that could be used by cyber criminals to take “near total control” of Linux systems during the boot process and install “persistent and stealthy” bootkits or malicious bootloaders that will operate even if Secure Boot is enabled and functioning correctly.
Dubbed BootHole, the 8.2 CVSS-rated vulnerability affects systems using almost every signed version of GRUB2, which means that virtually every Linux distribution is affected.
However, the problem is understood to be even more extensive than just Linux – GRUB2 is also used to support other operating systems, kernels and hypervisors such as Xen, and the issue also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party Unified Extensible Firmware Interface (UEFI) Certificate Authority – so most laptops, desktops, servers and workstations are at risk.
Separate advisories and updates are expected to be released imminently by Microsoft, the UEFI Security Response Team, Oracle, Red Hat, Canonical, SuSE, Debian, Citrix, VMware and a number of other OEMs and software suppliers, said Eclypsium.
Because the boot process is such a fundamentally important part of how computers work, being able to compromise it means attackers can control how the entire system’s operating system is loaded and subvert pretty much any higher-layer security control that exists.
This particular bug is a buffer overflow vulnerability in how GRUB2 parses content from its configuration file. This enables arbitrary code execution within GRUB2 and control over the boot process. Exploitation requires the attacker to have elevated privileges, but with them the attacker can modify the contents of the configuration file to ensure attack code runs before the OS loads, and so gain persistence on the device, again regardless of the presence or functionality of Secure Boot.
Ultimately, an actor who successfully exploits the vulnerability could use it to execute a variety of other malicious actions, including exfiltrating data or installing malware or ransomware.
“Eclypsium has coordinated the responsible disclosure of this vulnerability with a variety of industry entities, including OS vendors, computer manufacturers and CERTs,” the firm said in a disclosure blog post.
“Mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older, vulnerable versions in an attack,” it said. “This will likely be a long process and take considerable time for organisations to complete patching.”
There are a number of reasons for this, not least because UEFI-related updates have a notable history of bricking devices and having to be withdrawn in a hurry, so those affected will need to be cautious in how they proceed.
Eclypsium recommended that IT and security teams check to ensure they have appropriate capabilities for monitoring UEFI bootloaders and firmware and verifying UEFI configurations in their systems, and thoroughly test recovery capabilities as updates become available (including factory reset settings).
In the meantime, it is important to monitor extensively for any threats that are known to use vulnerable bootloaders to infect targets.