
Password Bypass Flaw Found in GRUB2 Linux Bootloader

The GRUB2 bootloader is plagued by a serious vulnerability that can be exploited to bypass password protection and compromise the targeted computer.

Bootloaders are designed to allow users to select which operating system they want to boot when multiple OSs are installed. GNU GRUB (GRand Unified Bootloader) is a free and open source bootloader package developed by the GNU Project. It’s used by the GNU operating system and most Linux distributions.

Hector Marco and Ismael Ripoll of the Polytechnic University of Valencia disclosed the zero-day vulnerability last week at a security conference in Spain. The issue, a buffer overflow that has been assigned the CVE-2015-8370 identifier, affects GRUB2 versions 1.98 (released in December 2009) through 2.02 (released in December 2015).

“The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer,” Marco and Ripoll explained in a blog post published this week.

According to the researchers, users can check if their systems are affected by pressing the backspace key 28 times at the authentication phase. If the computer reboots or a rescue shell is loaded, the GRUB bootloader is vulnerable.
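The 28-backspace check described above, modelled in constructed C that is not GRUB's source: a password-prompt input loop whose cursor is decremented on backspace without first checking that the buffer is non-empty, beside the hardened form that bounds the decrement. The function names, the buffer size and the signed cursor (chosen so the underflow is observable) are assumptions of this example.

```c
/* Simplified model of a bootloader username prompt (constructed example,
 * not GRUB's source). Keys are fed from a buffer instead of the keyboard. */
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 32

/* Returns the final cursor position after consuming `keys`.  A negative
 * result means the cursor ran off the front of the buffer; in a real
 * bootloader the later writes and the tail-clearing memset would then
 * touch memory outside the buffer. */
static long prompt_model(const char *keys, size_t nkeys, int hardened)
{
    char buf[BUF_SIZE] = {0};
    long cur_len = 0;   /* input cursor; signed here so underflow is visible */

    for (size_t i = 0; i < nkeys; i++) {
        int key = keys[i];
        if (key == '\n')
            break;
        if (key == '\b') {
            /* Vulnerable pattern: decrement unconditionally.
             * Hardened pattern: only retreat when there is a character to erase. */
            if (!hardened || cur_len > 0)
                cur_len--;
            continue;
        }
        /* The model refuses to write at a negative index; the unhardened
         * original has no such guard and corrupts memory before the buffer. */
        if (cur_len >= 0 && cur_len + 2 < BUF_SIZE)
            buf[cur_len++] = (char)key;
    }
    /* The real code clears from the cursor to the end of the buffer;
     * with a negative cursor that clear would start before the buffer. */
    if (cur_len >= 0)
        memset(buf + cur_len, 0, BUF_SIZE - (size_t)cur_len);
    return cur_len;
}

/* Feed `n` backspaces followed by Enter, mirroring the article's 28-backspace test. */
static long backspace_probe(int n, int hardened)
{
    char keys[64];
    if (n < 0 || n > 63)
        return 0;
    memset(keys, '\b', (size_t)n);
    keys[n] = '\n';
    return prompt_model(keys, (size_t)n + 1, hardened);
}
```

With the hardened loop the probe returns 0 regardless of how many backspaces are typed, which is the behaviour a patched bootloader should show.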

Successful exploitation of this vulnerability results in a GRUB rescue shell, which allows the attacker to authenticate on the system without knowing the username and password. A local attacker can also gain access to information, install a rootkit, or destroy data stored on the disk.

The researchers have described a scenario in which an advanced persistent threat (APT) actor or malicious insiders exploit the vulnerability to plant a piece of malware that can be used to spy on the victim or steal sensitive information, even if it’s encrypted.

However, Marco and Ripoll have pointed out that the attack method they’ve described doesn’t work on all systems. Successful exploitation depends on various factors, including the BIOS and GRUB versions and the amount of RAM, and a specific exploit needs to be built for each targeted system.

A patch has been published to the main GRUB 2 repository. Linux distributions, including Red Hat, Ubuntu and Gentoo, have also released patches. Red Hat and Ubuntu have classified the security hole as having “medium” severity.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.