+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Boothole vulnerability explained

Boothole is a pervasive vulnerability that affects the GRUB2 boot loader that is used by most versions of Linux.  By exploiting this vulnerability, attackers can run arbitrary code on almost any PC or Server and install RootKits or similar Malware that will persist reboots and be very difficult to detect.

BootHole was first reported by security researchers at Eclypsium.

How Secure Boot works

UEFI Secure Boot is the standard for PC and Servers as the means to secure the operating system boot environment.  Each piece of code that is executed during the boot process has its cryptographic signature checked against an ‘allowed’ and a ‘disallowed’ database. Since there is a huge and increasing number of components and drivers used during the boot process across the plethora of systems the databases do not contain a list of components but rather a list of keys.  If a software component has been signed by a key found in the allow database then the component will be executed; and if the signing key is found in the disallow database the component will not be loaded.

Instead of every OEM having to manage their own keys and certificates for every possible firmware, driver or OS provider, the industry has settled on using the Third Party UEFI Certificate Authority provided by Microsoft.  In short, vendors submit their code to Microsoft who validate and sign it using their universally trusted key. This includes Linux distros as well, not just Windows code.

Due to incompatibilities between licenses, open source projects (ie Linux distros among others) build a small application known as a ‘shim’ and the Secure Boot system loads the shim and the shim loads the Linux bootloader.  The shim is verified against the Microsoft certificate and then the shim loads the GRUB2 and validates its certificate itself.

The Boothole Vulnerability

The GRUB2 boot loader uses a configuration file which identifies the components it will load and execute and the GRUB2 process itself is allowed by Secure Boot.   The Boot Hole vulnerability is a buffer overflow (CVE-2020-10713) in the parser for the GRUB2 configuration file which can be used to trigger arbitrary code execution within the context of the GRUB2 process.  The GRUB2 configuration file is a simple text file which is not signed or otherwise protected except by file system controls – meaning it can be compromised through an escalation of privilege attack.

The code flaw in GRUB2 is actually an error in the design of the error handler for fatal errors – the buffer overflow being one such fatal error.  Examination of the GRUB2 source revealed that the fatal error handler actually does no more than log a console message and then return the calling module; however the calling modules are clearly coded with the assumption that a call to the fatal error handler will never return.  So when any fatal error is raised, it is logged and then execution continues with the next statement.

How to mitigate Boot Hole

At the time of writing, in August 2020, there are numerous reports that the fixes released by several Linux distros to mitigate the Boothole vulnerability are causing systems to fail to reboot.

To resolve the vulnerability fully, GRUB2 needs to be updated to address the vulnerability and then each Linux distro will need to update their installers, bootloaders and shims after getting the shim signed by the Microsoft Third Party UEFI CA.

Once all the updated components have been installed in the field, the UEFI disallow database will need to updated to prevent the vulnerable versions of the code being used in the future.

In the meantime, System Administrators can consider taking the following steps:

  • Monitor the EFI system partition to detect unexpected changes, especially to the GRUB2 configuration file grub.cfg.
  • Continue to install OS updates to protect against the escalation of privilege attacks needed to alter the EFI partition
  • Thoroughly test the revocation list updates and new GRUB2 version on each different device model before widespread deployment
  • Update rescue media and Disaster Recovery backups as any bootable components will not work after the disallow database us updated in the EFI firmware.

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top