Security Experts:

Red Hat's BootHole Patches Cause Systems to Hang

Red Hat has told customers not to install the package updates released in response to the recently disclosed BootHole vulnerability after users reported that their systems hung after applying the updates.

Firmware security company Eclypsium revealed this week that billions of PCs, workstations, servers and other devices running Windows and Linux are affected by a GRUB2 bootloader vulnerability that can be exploited by a local attacker with admin privileges to execute malicious code when the system boots up.

The flaw, officially identified as CVE-2020-10713, impacts systems that use Secure Boot, and fully patching it involves replacing vulnerable bootloaders and updating the Secure Boot revocation list (DBX) to ensure that the old bootloaders can no longer be executed.BootHole

Patching will require collaboration between hardware and software vendors and impacted companies have started working on updates. Linux distributions have already released updated packages.

Red Hat, which assigned the flaw a moderate severity rating, says BootHole affects Enterprise Linux 7 and 8, Atomic Host, and the OpenShift Container Platform 4. The company initially advised users to update their grub2, kernel, fwupdate, fwupd, shim and dbxtool packages.

However, shortly after the packages were released, users started reporting that their systems failed to boot after applying the updates. A support ticket in Red Hat’s bug tracker says the “system hangs after POST and the grub menu never loads.”

Red Hat has now updated its initial advisory, telling customers that it strongly recommends against applying the grub2, fwupd, fwupdate or shim updates until new packages are available.

Red Hat has released instructions for how users who have already installed the buggy updates can restore their system. The company says it has identified the cause of the problem and is working on a fix.

Red Hat Enterprise Linux 7.8 and 8.2 are confirmed to be affected, but versions 7.9 and 8.1 EUS could also be impacted.

Several organizations have posted advisories in response to the BootHole vulnerability, including CERTs, the UEFI Forum, Microsoft, Linux distributions, VMware, Oracle and HP.

Related: Devices Still Vulnerable to DMA Attacks Despite Protections

Related: Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems

Related: Password Bypass Flaw Found in GRUB2 Linux Bootloader

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.