Password Bypass Flaw Found in GRUB2 Linux Bootloader

The GRUB2 bootloader is plagued by a serious vulnerability that can be exploited to bypass password protection and compromise the targeted computer.

Bootloaders are designed to allow users to select which operating system they want to boot when multiple OSs are installed. GNU GRUB (GRand Unified Bootloader) is a free and open source bootloader package developed by the GNU Project. It’s used by the GNU operating system and most Linux distributions.

Hector Marco and Ismael Ripoll of the Polytechnic University of Valencia disclosed the zero-day vulnerability last week at a security conference in Spain. The issue, a buffer overflow that has been assigned the CVE-2015-8370 identifier, affects GRUB2 versions 1.98 (released in December 2009) through 2.02 (released in December 2015).

“The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer,” Marco and Ripoll explained in a blog post published this week.

According to the researchers, users can check if their systems are affected by pressing the backspace key 28 times at the authentication phase. If the computer reboots or a rescue shell is loaded, the GRUB bootloader is vulnerable.
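A simplified model of how repeated backspaces at an empty prompt can push a length counter outside its buffer, shown beside the checked form. This is an added illustration, not GRUB's code. It assumes the prompt tracks input length in an unsigned counter that is decremented on backspace without a lower-bound check; `prompt_state`, `read_prompt`, `press_backspace` and `BUF_SIZE` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* constructed size for this model */

struct prompt_state {
    char buf[BUF_SIZE];
    unsigned cur_len;    /* unsigned, so 0 - 1 wraps to a huge value */
    int out_of_bounds;   /* set once cur_len leaves the buffer */
};

/* Feed n keys to the modelled prompt. hardened = 0 omits the
   lower-bound check on backspace; hardened = 1 includes it.
   Out-of-range positions are recorded, never written to. */
static struct prompt_state read_prompt(const char *keys, size_t n, int hardened)
{
    struct prompt_state s;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < n && keys[i] != '\n'; i++) {
        if (keys[i] == '\b') {
            if (hardened && s.cur_len == 0)
                continue;                 /* nothing left to erase */
            s.cur_len--;
            if (s.cur_len >= BUF_SIZE)
                s.out_of_bounds = 1;      /* counter now points outside buf */
            else
                s.buf[s.cur_len] = '\0';
        } else if (s.cur_len < BUF_SIZE - 1) {
            s.buf[s.cur_len++] = keys[i];
        }
    }
    return s;
}

/* State after pressing backspace `count` times at an empty prompt. */
static struct prompt_state press_backspace(unsigned count, int hardened)
{
    char keys[128];
    if (count > sizeof keys) count = sizeof keys;
    memset(keys, '\b', count);
    return read_prompt(keys, count, hardened);
}

int main(void)
{
    struct prompt_state v = press_backspace(28, 0), h = press_backspace(28, 1);
    printf("unchecked: cur_len=%u out_of_bounds=%d\n", v.cur_len, v.out_of_bounds);
    printf("checked:   cur_len=%u out_of_bounds=%d\n", h.cur_len, h.out_of_bounds);
    return 0;
}
```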

Successful exploitation of this vulnerability results in a GRUB rescue shell, which allows the attacker to authenticate on the system without knowing the username and password. A local attacker can also gain access to information, install a rootkit, or destroy data stored on the disk.

The researchers have described a scenario in which an advanced persistent threat (APT) actor or malicious insiders exploit the vulnerability to plant a piece of malware that can be used to spy on the victim or steal sensitive information, even if it’s encrypted.

However, Marco and Ripoll have pointed out that the attack method they’ve described doesn’t work on all systems. Successful exploitation depends on various factors, including the BIOS and GRUB versions and the amount of RAM, and a specific exploit needs to be built for each targeted system.

A patch has been published to the main GRUB 2 repository. Linux distributions, including Red Hat, Ubuntu and Gentoo, have also released patches. Red Hat and Ubuntu have classified the security hole as having “medium” severity.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
