Bug in widely used bootloader opens Windows, Linux devices to persistent compromise
A vulnerability (CVE-2020-10713) in the widely used GRUB2 bootloader opens most Linux and Windows systems in use today to persistent compromise, Eclypsium researchers have found. The list of affected systems includes servers and workstations, laptops and desktops, and possibly a large number of Linux-based OT and IoT systems.
What’s more, the discovery of this vulnerability has spurred a larger effort to audit the GRUB2 code for flaws and, as a result, seven CVE-numbered flaws and many others without a CVE have been brought to light (and have or will be fixed).
CVE-2020-10713, named “BootHole” by the researchers who discovered it, can be used to install persistent and stealthy bootkits or malicious bootloaders that will operate even when the Secure Boot protection mechanism is enabled and functioning.
“The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected,” the researchers explained.
“In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority. Thus the majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries. This vulnerability makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders.”
The researchers have done a good job explaining in detail why the why, where and how of the vulnerability, and so did Kelly Shortridge, the VP of Product Management and Product Strategy at Capsule8. The problem effectively lies in the fact that a GRUB2 configuration file can be modified by attackers to make sure that their own malicious code runs before the OS is loaded.
The only good news is that the vulnerability can’t be exploited remotely. The attacker must first gain a foothold on the system and escalate privileges to root/admin in order to exploit it. Alternatively, they must have physical access to the target system.
The real danger, according to Shortridge, is if criminals incorporate this vulnerability into a bootkit, license it to bot authors, who will deploy or sell the bootkit-armed bots.
“This pipeline will not pop out pwnage overnight, so the question becomes whether mitigations can be successfully rolled out before criminals can scale this attack,” she noted.
A complex mitigation process
The main problem is that fixing this flaw on such a great number of systems will be a massive, complex and partly manual undertaking.
“Full mitigation of this issue will require coordinated efforts from a variety of entities: affected open-source projects, Microsoft, and the owners of affected systems, among others,” Eclypsium researchers noted.
“This will include: updates to GRUB2 to address the vulnerability; Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims [a small app that contains the vendor’s certificate and code that verifies and runs the GRUB2 bootloader]; new shims will need to be signed by the Microsoft 3rd Party UEFI CA; administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media; and eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.”
Again, both Eclypsium and Shortridge helpfully explained in detail the whole process and the dangers it holds for organizations. In addition to the complex hoop jumping of the mitigation process, orgs should also be monitoring their systems for threats and ransomware that use vulnerable bootloaders to infect or damage systems.
Eclypsium researchers have provided recommendations and have linked to the various reference materials by Microsoft, Debian, Canonical, Red Hat, HPE, SUSE, VMware and others who need to help users and admins fix the problem.
They’ve also powershell and bash scripts to help administrators identify certificates revoked by the various OS vendors when they push out security updates for CVE-2020-10713.
Other discovered vulnerabilities
After being notified of the existence of BootHole, Canonical (the company that develops Ubuntu) and others went in search for other security holes in GRUB2. They discovered seven related vulnerabilities, whose mitigations are included in today’s release for Ubuntu and other major Linux distributions.
“Given the difficulty of this kind of ecosystem-wide update/revocation, there is a strong desire to avoid having to do it again six months later,” Eclypsium researchers noted.
“To that end, a large effort — spanning multiple security teams at Oracle, Red Hat, Canonical, VMware, and Debian — using static analysis tools and manual review helped identify and fix dozens of further vulnerabilities and dangerous operations throughout the codebase that do not yet have individual CVEs assigned.”
UPDATE (July 31, 2020, 2:45 a.m. PT):
The patches provided by Ubuntu, Debian, Red Hat, CentOS and Mint for CVE-2020-10713 are preventing systems from booting.
“The provided solution has again, unfortunately, become worse than the vulnerability for most people,” noted Microsoft cybersecurity professional Kevin Beaumont.
“A primary concern with security (and in business) is availability. As an industry we also need to be better at careful analysis of vulnerabilities, and staggered testing of patches.