A new vulnerability in the GRUB2 bootloader has been found that affects billions of devices, including desktops, laptops, servers, and IoT devices running Linux distros and Windows. Named BootHole and tracked as CVE-2020-10713, this vulnerability allows malicious actors to bypass the Secure Boot feature and gain root privileges on affected systems.

What is Secure Boot?

Secure Boot is a feature of the Unified Extensible Firmware Interface (UEFI) that loads the crucial components, drivers, files, and the operating system only after confirming that every piece of code executed during boot has been properly validated. It is designed so that if the code is not authorized, the boot sequence will not proceed, even with admin privileges.

How does the BootHole vulnerability exploit Secure Boot?

BootHole is a buffer overflow vulnerability that affects most versions of the GRand Unified Boot Loader (GRUB2) and is triggered when the bootloader parses content, allowing attackers to breach the device and gain root access to it. GRUB2 is the standard bootloader on Linux systems and is also used on Windows systems, specialised kernels, and hypervisors.

Since it's a buffer overflow flaw, the attacker gains arbitrary code execution, which can then be used to deploy malicious programs and to alter the boot process and the OS kernel.

This flaw can be exploited on Windows if attackers replace the existing GRUB2 version with an old one and then deploy rootkit malware. Here's the detailed report on the BootHole vulnerability, how it breaches GRUB2, and the mitigation procedures for dealing with it.

Mitigating the hole in the boot

Just like many other vulnerabilities, a simple patch should have fixed this, but unfortunately fixing this flaw isn't that easy. At the moment, deploying a patch is not a permanent fix, because cyber criminals can still replace the patched bootloader with a vulnerable version and break into devices.

A permanent solution is to release new bootloaders and, at the same time, revoke the vulnerable ones so that attackers cannot redeploy the vulnerable versions. This is a two-stage mitigation that can only be carried out by the affected vendors and has to be approved by Microsoft's third-party UEFI CA.

After this, the firmware of affected systems must be updated so that it no longer executes the revoked bootloader code during boot. Because of the complex nature of these mitigation procedures, the final fix will take time to arrive.
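The revocation stage works through the UEFI forbidden-signature database (dbx), whose payload is a sequence of EFI_SIGNATURE_LIST structures holding hashes and certificates the firmware refuses to boot. The following is an added example, not code from the original post, that parses such a payload and checks whether a bootloader image's hash is revoked; the dbx blob, the image bytes, and the build_sha256_list helper are all constructed for the demonstration.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID marks lists whose entries are 32-byte SHA-256 digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HEADER = 28  # 16-byte type GUID + three UINT32 sizes


def parse_signature_lists(blob: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs and yield (type GUID, data).
    When reading /sys/firmware/efi/efivars/dbx-*, strip the 4 leading
    attribute bytes first; this function expects the bare payload."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < SIG_LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        end = offset + list_size
        pos = offset + SIG_LIST_HEADER + hdr_size  # skip optional SignatureHeader
        if list_size < SIG_LIST_HEADER or end > len(blob):
            raise ValueError("invalid SignatureListSize")
        if sig_size < 16 or (end - pos) % sig_size != 0:
            raise ValueError("SignatureSize does not divide the list body")
        while pos < end:
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the data.
            yield sig_type, blob[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end


def revoked_sha256_hashes(dbx: bytes) -> set:
    """Collect only the SHA-256 entries; x509 lists are ignored here."""
    return {d for t, d in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx: bytes, image: bytes) -> bool:
    # Caveat: real dbx entries are Authenticode hashes of the PE image;
    # this constructed example hashes the raw bytes for illustration.
    return hashlib.sha256(image).digest() in revoked_sha256_hashes(dbx)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Constructed helper: serialise digests as one EFI_SIGNATURE_LIST."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = struct.pack("<III", SIG_LIST_HEADER + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + header + body


# Constructed sample: a revoked "old" image and a patched one that is not.
OLD_GRUB = b"constructed: vulnerable grub image bytes"
PATCHED_GRUB = b"constructed: fixed grub image bytes"
SAMPLE_DBX = build_sha256_list([hashlib.sha256(OLD_GRUB).digest(),
                                hashlib.sha256(b"another revoked image").digest()])
```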

Meanwhile, Microsoft is working on a fix and has stated in its advisory that it is working to validate and approve the solution for this problem. Users are advised to update their systems as soon as the security patches are rolled out. Here are the advisories from Red Hat, Debian, and SUSE.

It's important to update your devices as soon as patches are available. If you're an IT administrator manually managing multiple devices, it may be time to look into investing in a patch management solution to ensure device security.

Not sure where to start? ManageEngine Patch Manager Plus is an exclusive multi-platform patching tool and ManageEngine Endpoint Central is a unified endpoint management solution, both of which are available to try free for 30 days.