New BootHole Vulnerability Affects Billions of Devices
The BootHole vulnerability impacts billions of Windows and Linux devices due to a serious bug within the GRUB2 bootloader.
BootHole Vulnerability Severely Impacts Billions of Devices
Billions of Windows and Linux devices across the globe are vulnerable due to a serious bug within the GRUB2 bootloader, researchers at Eclypsium revealed on Wednesday.
The vulnerability, dubbed BootHole (CVE-2020-10713), has a CVSS score of 8.2 and Eclypsium has stated that it indeed affects ALL operating systems that use GRUB2 (Grand Unified Bootloader version 2) with Secure Boot. Secure Boot is an industry standard that ensures that a device boots using only trusted software. It’s a process where the device uses cryptographic checks to make sure the boot process loads only securely signed firmware components. Additionally, this not only affects just Windows and Linux, but potentially macOS and BSD-based systems as well.
“The vulnerability is in the GRUB2 bootloader utilized by most Linux systems,” the researchers stated. “The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.” “The GRUB2 config file is a text file and typically is not signed like other files and executables,” researchers stated on Wednesday. This means that Secure Boot doesn’t necessary check it and in turn allows an attacker to modify the contents of the GRUB2 config file to include malicious code. This is also extremely dangerous since the file is loaded well before the operating system is, so the attack code runs first. “In this way, attackers gain persistence on the device.”
How BootHole Vulnerability Affects Windows and Linux Users
The illustration below shows a very simplified explanation of the BootHole attack, where attackers can exploit the code from one or more options to execute malicious commands within the GRUB2 component.
How to Stop BootHole Attacks
“Mitigation is complex and can be risky and will require the specific vulnerable program to be signed and deployed, and vulnerable programs should be revoked to prevent adversaries from using older, vulnerable versions in an attack,” the researchers noted. “The three-stage mitigation process will likely take years for organizations to complete patching.”
Although it doesn’t appear to be an easy fix at this time, Eclypsium did provide 5 recommendations to the industry:
Right away, start monitoring the contents of the bootloader partition (EFI system partition). This will buy time for the rest of the process and help identify affected systems in your environment. For those who have deployed the Eclypsium solution, you can see this monitoring under the “MBR/Bootloader” component of a device.
Continue to install OS updates as usual across desktops, laptops, servers, and appliances. Attackers can leverage privilege escalation flaws in the OS and applications to take advantage of this vulnerability so preventing them from gaining administrative level access to your systems is critical. Systems are still vulnerable after this, but it is a necessary first step. Once the revocation update is installed later, the old bootloader should stop working. This includes rescue disks, installers, enterprise gold images, virtual machines, or other bootable media.
Test the revocation list update. Be sure to specifically test the same firmware versions and models that are used in the field. It may help to update to the latest firmware first in order to reduce the number of test cases.
To close this vulnerability, you need to deploy the revocation update. Make sure that all bootable media has received OS updates first, roll it out slowly to only a small number of devices at a time, and incorporate lessons learned from testing as part of this process.
Engage with your third-party vendors to validate they are aware of, and are addressing, this issue. They should provide you a response as to its applicability to the services/solutions they provide you as well as their plans for remediation of this high rated vulnerability.
The researchers concluded, “While Secure Boot is easily taken for granted by most users, it is the foundation of security within most devices. Once compromised, attackers can gain virtually complete control over the device, its operating system, and its applications and data.”
Protect Your Organization
Even though no accessible patches are available at this time, the recommendation is clear to install all operating system and application updates across all vulnerable devices. Tuearis Cyber, through our Managed Endpoint Defense Program, can easily resolve outstanding updates across the environment for Windows, Linux, and Mac devices, ensuring that subsequent vulnerabilities are first addressed.
Today is the day to start securing your organization so you can REST SECURED.