The GRUB2 bootloader is plagued by a serious vulnerability that can be exploited to bypass password protection and compromise the targeted computer.
Bootloaders are designed to allow users to select which operating system they want to boot when multiple OSs are installed. GNU GRUB (GRand Unified Bootloader) is a free and open source bootloader package developed by the GNU Project. It’s used by the GNU operating system and most Linux distributions.
Hector Marco and Ismael Ripoll of the Polytechnic University of Valencia disclosed the zero-day vulnerability last week at a security conference in Spain. The issue, a buffer overflow that has been assigned the CVE-2015-8370 identifier, affects GRUB2 versions 1.98 (released in December 2009) through 2.02 (released in December 2015).
“The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer,” Marco and Ripoll explained in a blog post published this week.
According to the researchers, users can check if their systems are affected by pressing the backspace key 28 times at the authentication phase. If the computer reboots or a rescue shell is loaded, the GRUB bootloader is vulnerable.
Successful exploitation of this vulnerability results in a GRUB rescue shell, which allows the attacker to authenticate on the system without knowing the username and password. A local attacker can also gain access to information, install a rootkit, or destroy data stored on the disk.
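The article does not show the affected code. As an added illustration, not GRUB's own source, the C model below reproduces the pattern that the upstream fix for this bug addressed: the username/password prompt reader decremented its cursor counter on every backspace without first checking that there was a character to erase, so a run of backspaces at an empty prompt wraps the unsigned counter and the subsequent clear of the buffer tail targets memory far outside the buffer. The hardened reader only decrements when the counter is non-zero. The buffer size, the `read_line`/`backspace_check` helpers and the 28-backspace input are all constructed for this example, and the out-of-bounds access is detected rather than performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 32u          /* size of the constructed username buffer */

/* Result of one simulated line read: the final cursor value and whether
   any access would have fallen outside buf (only simulated, never done). */
struct outcome { unsigned cur_len; bool out_of_bounds; };

/* Simplified model of the prompt reader (constructed, not GRUB's source).
   `checked` selects the hardened backspace path; keys ends at '\n'. */
static struct outcome read_line(const char *keys, bool checked)
{
    char buf[BUF_SIZE];
    struct outcome o = { 0, false };
    unsigned cur_len = 0;

    for (const char *k = keys; *k && *k != '\n'; k++) {
        if (*k == '\b') {
            if (checked) {
                if (cur_len) cur_len--;   /* hardened: nothing to erase at 0 */
            } else {
                cur_len--;                /* vulnerable: wraps to UINT_MAX at 0 */
            }
            continue;
        }
        if (cur_len + 2 < BUF_SIZE) {     /* the reader's own length check */
            if (cur_len >= BUF_SIZE) { o.out_of_bounds = true; continue; }
            buf[cur_len++] = *k;
        }
    }
    /* The reader then cleared buf[cur_len..BUF_SIZE); with a wrapped cur_len
       the start lies outside buf and the length is enormous. */
    if (cur_len >= BUF_SIZE)
        o.out_of_bounds = true;
    else
        memset(buf + cur_len, 0, BUF_SIZE - cur_len);
    o.cur_len = cur_len;
    return o;
}

/* Feed n backspaces at an empty prompt (the 28-press check described in
   the article) through the vulnerable or the hardened reader. */
struct outcome backspace_check(unsigned n, bool checked)
{
    char keys[64];
    if (n > sizeof keys - 2) n = sizeof keys - 2;
    memset(keys, '\b', n);
    keys[n] = '\n';
    keys[n + 1] = '\0';
    return read_line(keys, checked);
}

struct outcome vulnerable_reader(const char *keys) { return read_line(keys, false); }
struct outcome hardened_reader(const char *keys)   { return read_line(keys, true); }
```

With 28 backspaces the vulnerable model ends with the counter wrapped to `(unsigned)-28` and an out-of-bounds clear, while the hardened model ends at zero with an in-bounds clear.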
The researchers have described a scenario in which an advanced persistent threat (APT) actor or malicious insiders exploit the vulnerability to plant a piece of malware that can be used to spy on the victim or steal sensitive information, even if it’s encrypted.
However, Marco and Ripoll have pointed out that the attack method they’ve described doesn’t work for all systems. Successful exploitation depends on various factors, including the BIOS and GRUB versions and the amount of RAM, and a specific exploit needs to be built for each targeted system.
A patch has been published to the main GRUB 2 repository. Linux distributions, including Red Hat, Ubuntu and Gentoo, have also released patches. Red Hat and Ubuntu have classified the security hole as having “medium” severity.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
