As many experts anticipated, patches for the BootHole vulnerability in the GRUB2 bootloader that is used by all major Linux distributions are causing problems and preventing some users from booting their systems.
While the list of affected distros only included Red Hat yesterday, it has now expanded to include users of Ubuntu, Debian, CentOS, and Fedora.
Microsoft security researcher Kevin Beaumont also reports issues in cloud environments, namely where “a bug in cloud-init is causing problems across major cloud providers with Grub, such as Digital Ocean and Azure, having the same impact: patched systems then fail to boot.”
What is BootHole
Details about the BootHole vulnerability were published earlier this week, on Wednesday. Discovered by security firm Eclypsium, the vulnerability impacts GRUB2, a bootloader component used to help launch operating systems on servers and desktops.
GRUB2 is currently the default bootloader on all major Linux systems, but it is also used with Windows in some scenarios, such as a custom bootloader or for dual-boot purposes.
The BootHole vulnerability allows attackers or malware to modify GRUB2's config file and insert malicious code into the bootloader, and by extension into the operating system that it launches.
Systems using GRUB2 in a Secure Boot mode were also deemed vulnerable, as the GRUB2 config file is not protected by the Secure Boot process checks.
The vulnerability was deemed serious enough that all major Linux distros had patches ready when Eclypsium went public with its research earlier this week.
Most experts anticipated problems
The issues were to be expected, Kelly Shortridge, VP of cybersecurity firm Capsule8, said in a blog post this week, where she analyzed the impact of the BootHole vulnerability on system administrators.
The issues primarily arise because patching BootHole involves dancing around advanced cryptography, the safety checks of the Secure Boot process, and an allowlist/denylist managed by Microsoft; for those reasons, everyone expected problems to arise.
And so they did. As ZDNet reported yesterday, the first issues were reported with Red Hat, but more bug reports are now coming in from other distros.
Because a bug in GRUB2 usually stops the entire OS from booting, the issues result in downtime for those affected. In all cases, users reported that downgrading systems to a previous release to reverse the BootHole patches usually fixed their problems.
Regardless of the reported problems, users are still advised to apply the BootHole patches, as security researchers expect this bug to be weaponized by malware operators at some point in the future, primarily because it allows malware to implant a bootkit component on infected systems that operates below the antivirus level and survives OS reinstalls.