Secure boot, despite the name, isn’t as secure as we’d like. Security company Eclypsium discovered a security hole in GRUB2: Boothole. Linux users know GRUB2 as one of the most commonly used bootloaders. As such, this security problem makes any machine potentially vulnerable to a possible attack — the keyword is “potentially.”
BootHole enables hackers to insert and execute malicious code during the boot-loading process. Once planted there, the nasty bootkit payload can allow attackers to plant code that later take over the operating system. Fortunately, Linux distro developers were warned of this problem, and most of them have already issued patches.
Besides, to use BootHole, a hacker has to edit grub.cfg, the GRUB2 configuration file. Therefore, to successfully attack a Linux system, an attacker must already have root-level access to the target system. Practically speaking, such a hacker has already compromised the system. With such access, attackers can modify grub.cfg values to trigger a buffer overflow, which can then be used to insert a malware payload.
While Eclypsium found the initial GRUB2 problem, Linux developers found other trouble hiding within GRUB2. Joe McManus, Canonical’s security engineering director, said:
Thanks to Eclypsium, we at Canonical, along with the rest of the open-source community, have updated GRUB2 to defend against this vulnerability. During this process, we identified seven additional vulnerabilities in GRUB2, which will also be fixed in the updates released today. The attack itself is not a remote exploit and it requires the attacker to have root privileges. With that in mind, we do not see it being a popular vulnerability used in the wild. However, this effort really exemplifies the spirit of community that makes open source software so secure.”
Red Hat is also on the case. Peter Allor, Red Hat’s director of productsSecurity, said:
“Red Hat is aware of a flaw (CVE-2020-10713) in GRUB 2. Product Security has conducted a thorough analysis and understands not only how this flaw impacts Red Hat products, but most importantly how this impacts the Linux kernel. Our PSIRT has been working closely with engineering, cross-functional teams, the Linux community as well as our industry partners to deliver currently available updates for affected Red Hat products, including Red Hat Enterprise Linux.”
Marcus Meissner, the lead of the SUSE Security Team, points out, however, that while the problem is serious and needs patching, it’s not that bad. He observed:
“Given the need for root access to the bootloader, the described attack appears to have limited relevance for most cloud computing, data center, and personal device scenarios, unless these systems are already compromised by another known attack. However, it does create an exposure when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended kiosk mode.”
So, the moral of the story is that, while you should patch your Linux system, this security hole is really only a problem in a very few limited situations.