The GRUB2 bootloader is plagued by a serious vulnerability that can be exploited to bypass password protection and compromise the targeted computer.
Bootloaders are designed to allow users to select which operating system they want to boot when multiple OSs are installed. GNU GRUB (GRand Unified Bootloader) is a free and open source bootloader package developed by the GNU Project. It’s used by the GNU operating system and most Linux distributions.
Hector Marco and Ismael Ripoll of the Polytechnic University of Valencia disclosed the zero-day vulnerability last week at a security conference in Spain. The issue, a buffer overflow that has been assigned the CVE-2015-8370 identifier, affects GRUB2 versions 1.98 (released in December 2009) through 2.02 (released in December 2015)
“The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer,” Marco and Ripoll explained in a blog post published this week.
According to the researchers, users can check if their systems are affected by pressing the backspace key 28 times at the authentication phase. If the computer reboots or a rescue shell is loaded, the GRUB bootloader is vulnerable.
Successful exploitation of this vulnerability results in a GRUB rescue shell, which allows the attacker to authenticate on the system without knowing the username and password. A local attacker can also gain access to information, install a rootkit, or destroy data stored on the disk.
The researchers have described a scenario in which an advanced persistent threat (APT) actor or malicious insiders exploit the vulnerability to plant a piece of malware that can be used to spy on the victim or steal sensitive information, even if it’s encrypted.
However, Marco and Ripoll have pointed out that the attack method they’ve described doesn’t work for all systems. Successful exploitation depends of various factors, including BIOS and GRUB versions and amount of RAM, and a specific exploit needs to be built for each targeted system.
A patch has been published to the main GRUB 2 repository. Linux distributions, including Red Hat, Ubuntu and Gentoo, have also released patches. Red Hat and Ubuntu have classified the security hole as having “medium” severity.
Related Reading: Grsecurity Limits Availability of Stable Linux Kernel Patches