Compromising the boot process can allow an attacker to subvert all higher-layer security controls related to the operating system. In July 2020, Eclypsium researchers discovered a buffer overflow vulnerability, dubbed BootHole, in the Grand Unified Bootloader version 2 (GRUB2), utilized by most Linux systems and dual-boot systems with Windows.
More about BootHole vulnerability
The vulnerability, with an 8.2/10 CVSS score, exists in a core component of the UEFI Secure Boot process and can be used to gain arbitrary code execution during the boot process.
- The vulnerability exists because of the way GRUB2 parses content from its configuration file, “grub.cfg,” which is located externally, on the EFI System Partition.
- The vulnerability can be used to tamper with the bootloader, or even replace it with a malicious version, allowing an attacker to insert and execute malicious code during the boot-loading process. It works even when servers or workstations have Secure Boot enabled.
- In this way, attackers can also plant malicious code or highly persistent malware (a bootkit) that launches before the OS and then has full control of it.
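The tampering described above (editing grub.cfg, replacing the bootloader binary, or dropping an extra loader) has to change files on the EFI System Partition, which makes a simple integrity baseline a practical detection control. The following Python script is an added example, not code from the original article or from Eclypsium: it hashes every .cfg and .efi file under an ESP mount, then reports files that were added, removed or modified on a later run. The directory layout (EFI/ubuntu, EFI/BOOT), the file contents and the mount point in the usage comment are constructed assumptions; on a real system you would point `build_baseline` at the mounted ESP and store the baseline somewhere the bootloader cannot reach.

```python
import hashlib
import tempfile
from pathlib import Path

# Files on the EFI System Partition that bootloader tampering must touch:
# the GRUB2 configuration (.cfg) and the bootloader binaries themselves (.efi).
# Suffix-based selection is an assumption; extend it for your distribution's layout.
WATCHED_SUFFIXES = (".cfg", ".efi")


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large .efi images are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(esp_root: str) -> dict:
    """Map each watched file (path relative to the ESP root) to its SHA-256."""
    root = Path(esp_root)
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file() and entry.suffix.lower() in WATCHED_SUFFIXES:
            baseline[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return baseline


def compare_to_baseline(baseline: dict, esp_root: str) -> dict:
    """Re-hash the ESP and report what changed since the stored baseline."""
    current = build_baseline(esp_root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline if name in current and current[name] != baseline[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline a mock ESP, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        grub_dir = esp / "EFI" / "ubuntu"
        grub_dir.mkdir(parents=True)
        # Constructed placeholder contents; real files would be the distro's signed images.
        (grub_dir / "grub.cfg").write_text("set timeout=5\n")
        (grub_dir / "grubx64.efi").write_bytes(b"MZ constructed-placeholder")
        (grub_dir / "shimx64.efi").write_bytes(b"MZ constructed-placeholder")
        baseline = build_baseline(tmp)

        # Simulated tampering: config edited, loader binary replaced, extra loader added.
        (grub_dir / "grub.cfg").write_text("set timeout=5\nset default=0\n")
        (grub_dir / "grubx64.efi").write_bytes(b"MZ different-constructed-bytes")
        (esp / "EFI" / "BOOT").mkdir()
        (esp / "EFI" / "BOOT" / "bootx64.efi").write_bytes(b"MZ unexpected-loader")
        return compare_to_baseline(baseline, tmp)


if __name__ == "__main__":
    # Real use (assumed mount point): baseline = build_baseline("/boot/efi"),
    # persist it off-host, then run compare_to_baseline(baseline, "/boot/efi") on a schedule.
    print(demo())
```

The baseline must be stored and compared from outside the machine being checked (or at least outside the ESP), since code running with the bootloader's privileges could otherwise rewrite the baseline along with the files.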
A majority of modern systems, including laptops and desktops, servers and workstations, and a large number of Linux-based OT and IoT systems, are potentially affected by the vulnerability.
- Any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable.
- Vendors including Microsoft, Canonical, UEFI Security Response Team (USRT), Red Hat, SuSE, Oracle, VMWare, HP, Citrix, and other OEMs are expected to release BootHole patches soon.
Recent Bootloader vulnerabilities
- In July 2020, three vulnerabilities (CVE-2020-11623, CVE-2020-11624, and CVE-2020-11625) were found in AvertX IP cameras, which enabled attackers with physical access to the Universal Asynchronous Receiver-Transmitter (UART) interface to tamper with the bootloader.
- In November 2019, multiple vulnerabilities (CVE-2019-13103, CVE-2019-13104, CVE-2019-13105, and CVE-2019-13106) were found in Das U-Boot, a universal bootloader, which left Amazon Kindle devices, ARM Chromebooks, and networking hardware open to code execution attacks.
Security experts suggest keeping devices and firmware updated with the latest patches to prevent threats such as BootHole.