Companies affected by the recently disclosed GRUB2 bootloader vulnerability dubbed BootHole have started releasing advisories to inform customers about the impact of the issue on their products.
Firmware security company Eclypsium revealed on Wednesday that billions of Windows and Linux devices are affected by a potentially serious vulnerability that can be exploited to install stealthy and persistent malware. The firm says the weakness affects devices that use Secure Boot, a feature designed to protect the boot process against untrusted code execution.
The security hole, officially tracked as CVE-2020-10713, impacts laptop, desktop, workstation and server devices, as well as network appliances and equipment used in the healthcare, industrial and financial sectors.
The vulnerability is a buffer overflow related to how GRUB2 parses its grub.cfg configuration file. An attacker with admin privileges on the targeted system can modify this file so that their malicious code is executed in the UEFI environment before the OS is loaded.
Several other flaws related to GRUB2 have been identified during investigations into BootHole.
Secure Boot is designed to ensure that the code executed when a device boots is trusted. For this purpose it uses two databases containing lists of digital signatures associated with trusted code (DB) and digital signatures associated with prohibited code (DBX).
Preventing BootHole attacks will require replacing vulnerable bootloaders with an updated version and releasing an update for the DBX database to ensure that the vulnerable bootloaders can no longer be executed. This process requires collaboration between software and hardware vendors.
Shortly after Eclypsium published its report on the BootHole vulnerability, several companies and organizations released advisories to address the issue.
CERT/CC explained, “Linux distributions and other vendors using GRUB2 will need to update their installers, boot loaders, and shims. New shims will need to be signed by the Microsoft 3rd Party UEFI Certificate Authority. Administrators of affected devices will need to update installed versions of operating systems as well as installer images, including disaster recovery media. Until all affected versions are added to the dbx revocation list, an attacker would be able to use a vulnerable version of shim and GRUB2. Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.”
The UEFI Forum has made available the files needed to update the Secure Boot DBX database, which includes the now-revoked signatures of previously approved and signed firmware and software. However, the revocation list file is work in progress and at this point it’s mainly recommended for testing purposes.
“Distribution of the data in these files to running systems could cause instability and should only be attempted by security experts and IT professionals. System OEMs can use these files to test their platform firmware,” the UEFI Forum warned.
Microsoft says BootHole impacts Windows 10, 8.1, Server 2012, Server 2016, Server 2019 and Server versions 1903, 1909 and 2004. The company is working on an update that will be rolled out to users via the Windows Update system.
In the meantime, the company tells customers that they can prevent attacks on Surface devices by changing some UEFI settings.
Windows users can manually install the Secure Boot DBX update from the UEFI Forum, but Microsoft has warned that this update has not been tested and it’s only recommended for professionals and enthusiasts since installing it can result in “unrecoverable failure to boot.”
Red Hat says BootHole impacts Red Hat Enterprise Linux 7 and 8, Atomic Host, and the OpenShift Container Platform 4. The company has advised users to update their grub2 packages and customers using Secure Boot need to update the kernel, fwupdate, fwupd, shim and dbxtool packages, which contain newly validated keys and certificates.
Canonical, whose security team has identified additional GRUB2 vulnerabilities following Eclypsium’s research, has released updated packages for Ubuntu, and says it will provide a packaged DBX update in the future, but told users that until then they can apply a third-party DBX update.
SUSE has published a blog post and provided the following statement to SecurityWeek:
“We’re aware of the Linux vulnerability called BootHole shared by Eclypsium today, and our customers and partners can rest assured we have released fixed grub2 packages which close the BootHole vulnerability for all SUSE Linux products today, and are releasing corresponding updates to Linux kernel packages, cloud image and installation media.
Given the need for physical access to the bootloader, the most likely exposure is when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended kiosk mode. To ensure that sophisticated attackers cannot reinstall old versions of grub2, software and hardware vendors are working together. SUSE Linux Enterprise provides unprecedented reliability, stability and security to the enterprise, and we are committed to keeping our customers’ and partners’ systems up to date and ready to handle everyday business challenges.”
Debian told customers that since Debian 10 (buster) was the first release to include support for Secure Boot, older versions of the operating system may not receive updates. For Debian 10 (buster), developers have already released updated GRUB2, linux, shim, fwupdate and fwupd packages.
Oracle has also published an advisory with the steps customers need to take to obtain and install relevant updates. Oracle says BootHole impacts Oracle Linux, Oracle Solaris, and other operating systems running on Oracle x86 servers.
VMware says CVE-2020-10713 affects Photon OS when configured with Secure Boot, as well as virtual machines running impacted operating systems. The company is working on an update for Photon OS.
The virtualization giant pointed out that exploitation of BootHole inside a VM cannot allow an attacker to compromise the host, but noted that available patches will need to be deployed on both guest and host machines.
HP says it will be providing a SoftPaq to allow users to update the DBX database. The company has shared a long list of business notebook PCs, business desktop PCs, workstations, retail point-of-sale products, Thin Client devices, home notebook PCs, and home desktop PCs impacted by the vulnerability.
*updated on 07/31/2020 with link to Oracle advisory