‘BootHole’ vulnerability CVE-2020-10713 exposes billions of devices running Windows and Linux (Red Hat, Canonical, SuSE, Oracle, VMWare, Citrix, etc.) that use GRUB2 or Secure Boot
A severe vulnerability in the GRUB2 boot loader allows attackers to execute arbitrary code during the boot process, even with Secure Boot enabled. Security researchers from Eclypsium have disclosed the new vulnerability, dubbed “BootHole”, which affects most Linux distributions and Windows devices that use the GRUB2 bootloader with Secure Boot.
The researchers named it BootHole because it lets attackers target the boot process of PCs, laptops and servers and run their own arbitrary code. The vulnerability itself lies in GRUB2.
What is GRUB2?
GRUB2 (the GRand Unified Bootloader version 2) is the replacement for the original GRUB Legacy boot loader. GRUB2 has an entirely separate code base from GRUB Legacy and features a new shell-like syntax for advanced scripting. GRUB2 is the primary bootloader for all major Linux distributions, including Red Hat, Canonical’s Ubuntu, SuSE, Oracle, VMWare and Citrix, and it is also used on PCs, laptops and servers running Windows, macOS and BSD.
Since GRUB2 is the most widely used bootloader across Linux distributions, most Linux-based systems are exposed. The vulnerability is so severe that even with Secure Boot enabled, attackers can gain near-total control of the victim’s PC, laptop or server.
GRUB2 BootHole CVE-2020-10713 vulnerability
The BootHole vulnerability has been assigned the identifier CVE-2020-10713 and carries a high severity score of 8.2/10. Eclypsium has published the details of CVE-2020-10713 on its website.
Successful exploitation of BootHole requires administrator privileges on the target machine, but it then allows the installation of malicious bootkits and boot loaders, which give the malware control over code execution, let it modify the boot process and let it alter the OS kernel. The researchers say BootHole allows attackers to tamper with the GRUB2 component to insert and execute malicious code during the boot-loading process, effectively planting code that has full control of the OS once it is launched.
BootHole could become the basis of wormable malware if cybercriminals write a bootkit around it. Such a bootkit could persist on the device despite anti-virus or security software, because it dwells in the motherboard’s physical memory in locations separate from the actual OS, allowing it to survive OS reinstalls.
The vulnerability makes it possible to trigger a buffer overflow while GRUB2 processes its configuration file, “grub.cfg”, and to execute arbitrary code before the OS boots. Because that file exists outside the partition of the EFI system, it can be modified without affecting the integrity of the signature, and Secure Boot is bypassed.
Patch your Linux distros against the BootHole flaw
Eclypsium has already contacted the GRUB2 users and is coordinating with them to fix the BootHole vulnerability. According to Eclypsium, the following parties are issuing or will issue fixes:
- UEFI Security Response Team (USRT)
- Red Hat (Fedora and RHEL)
- Canonical (Ubuntu)
- SuSE (SLES and openSUSE)
- Dozens of other OEMs and software makers
Red Hat has already issued patches for the BootHole vulnerability for some products and is still in the process of patching the others:

| Platform | Package | State | Errata | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | shim | Fixed | RHSA-2020:3217 | July 30, 2020 |
| Red Hat Enterprise Linux 8 | shim | Fixed | RHSA-2020:3216 | July 30, 2020 |
| Red Hat Enterprise Linux 7 | kernel-rt | Affected | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Affected | | |
| Red Hat Enterprise MRG 2 | kernel-rt | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel-alt | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel | Affected | | |
| Red Hat Enterprise Linux 8 | kernel | Affected | | |
| Red Hat Enterprise Linux 7 | grub2 | Fixed | RHSA-2020:3217 | July 30, 2020 |
| Red Hat Enterprise Linux 8 | grub2 | Fixed | RHSA-2020:3216 | July 30, 2020 |
The Debian developers say they are working on a fix in GRUB2’s source code; the BootHole vulnerability is expected to be patched in the upcoming Debian 10.5 point release on August 1, 2020.
SUSE has also released fixes for its affected products, with full details available from SUSE. Canonical said it has updated Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS and 20.04 LTS with a BootHole-patched GRUB2 bootloader, version 2.06.
Windows 10 users will have to wait for a patch, according to Microsoft’s advisory. The Microsoft Security Bulletin says the flaw “extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority” and would require “coordinated efforts from a variety of entities” to fix, suggesting any fix will be slow to roll out. For now, Microsoft suggests that Windows 10 users monitor their UEFI bootloaders and firmware in real time, verify their UEFI configurations and test their recovery capabilities.
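The two points above that matter most to a defender are that grub.cfg is parsed by GRUB2 without being covered by the Secure Boot signature, and that vendors recommend monitoring the boot loaders and firmware until fixed packages land. The script below is an added example written for this article; it is not Eclypsium's, Microsoft's or any distribution's code. It baselines the SHA-256 of the files on an EFI System Partition that a BootHole-style tampering would touch, reports any drift, and reads the SecureBoot UEFI variable from Linux efivarfs. The `EFI/redhat/...` file names are an assumed Red Hat style layout, and the `demo()` function builds a constructed fake ESP in a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Files on the EFI System Partition to baseline. grub.cfg is parsed by GRUB2
# but is not covered by the Secure Boot signature, so a change to it is
# invisible to the firmware; the signed shim and GRUB binaries are included
# so a replaced or downgraded boot loader is noticed too. The paths assume a
# Red Hat style ESP layout (assumption; adjust for your distribution).
WATCHED = [
    "EFI/redhat/grub.cfg",
    "EFI/redhat/shimx64.efi",
    "EFI/redhat/grubx64.efi",
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large EFI binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(esp: Path) -> Dict[str, str]:
    """Map each watched file that exists to its SHA-256 (the trusted snapshot)."""
    return {rel: sha256_of(esp / rel) for rel in WATCHED if (esp / rel).is_file()}


def check_against_baseline(esp: Path, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the ESP with the baseline and return (path, reason) findings.

    An empty list means no drift. Reasons are 'missing' (a baselined file is
    gone), 'hash changed' (content differs) or 'new file' (a watched path
    appeared that was not in the baseline).
    """
    findings: List[Tuple[str, str]] = []
    for rel, expected in baseline.items():
        target = esp / rel
        if not target.is_file():
            findings.append((rel, "missing"))
        elif sha256_of(target) != expected:
            findings.append((rel, "hash changed"))
    for rel in WATCHED:
        if rel not in baseline and (esp / rel).is_file():
            findings.append((rel, "new file"))
    return findings


def secure_boot_enabled(efivars: str = "/sys/firmware/efi/efivars") -> Optional[bool]:
    """Read the SecureBoot UEFI variable on Linux; None when it is unavailable.

    Each efivarfs file holds 4 bytes of attributes followed by the variable
    data, and SecureBoot's data is a single byte: 1 = enabled, 0 = disabled.
    """
    root = Path(efivars)
    if not root.is_dir():
        return None
    for candidate in root.glob("SecureBoot-*"):
        try:
            data = candidate.read_bytes()
        except OSError:
            continue
        if len(data) >= 5:
            return data[4] == 1
    return None


def demo() -> List[Tuple[str, str]]:
    """Constructed walk-through on a fake ESP in a temporary directory.

    Builds a baseline, confirms it is clean, then appends one line to grub.cfg
    (the unsigned file BootHole abuses) and returns what the check reports.
    """
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        (esp / "EFI/redhat").mkdir(parents=True)
        (esp / "EFI/redhat/grub.cfg").write_text(
            'set timeout=5\nmenuentry "Linux" {\n    linux /vmlinuz root=/dev/sda2\n}\n'
        )
        # Constructed stand-ins for the signed binaries; not real PE images.
        (esp / "EFI/redhat/shimx64.efi").write_bytes(b"MZ constructed shim stand-in")
        (esp / "EFI/redhat/grubx64.efi").write_bytes(b"MZ constructed grub stand-in")

        baseline = build_baseline(esp)
        assert check_against_baseline(esp, baseline) == []

        with (esp / "EFI/redhat/grub.cfg").open("a") as fh:
            fh.write("set pager=1\n")  # any edit at all should be flagged
        return check_against_baseline(esp, baseline)


if __name__ == "__main__":
    print("Secure Boot:", secure_boot_enabled())
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

On a real host, point `build_baseline` at the mounted ESP (typically `/boot/efi`), take the snapshot right after installing the fixed shim and grub2 packages, and keep the resulting dictionary somewhere the boot chain cannot write to. The check only detects tampering after the fact; it is a stop-gap for the period before the fixed boot loaders and revocation updates are deployed, not a substitute for them.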