On Wednesday of this week, Eclypsium released a report on a vulnerability in GRUB2 that affects millions of devices with few exceptions. Normally used on a Linux system, GRUB2 accepts control from the UEFI secure boot process and starts bootup programs as well as the computers OS if it has one. This level of control over the system before the OS boots allows GRUB2 and anyone with access to it to completely control the OS. Malware can also install GRUB2 on systems that don’t already have it, making the system vulnerable. Normally a Microsoft certificate authority must sign any changes to GRUB. The vulnerability found here can bypass the signing prosses.
The vulnerability itself consists of a buffer overflow when parsing the grub.cfg configuration file. This file normally includes different bootup processes like safe mode and recovery. The parsing program for the grub.cfg files fails to properly exit during an error and will continue to parse the file causing a buffer overflow.
For malware to exploit this vulnerability it must already have access to the grub.cfg file. Meaning they likely have root or administrative access but not quite the same level as access to the bootup process. The malware could also persist even with a clean OS install. Additionally, for example, if the computer dual-booted with a Linux and Windows OS I suspect the malware could jump from the Linux OS to the Windows OS through the bootup process without any user interaction. WatchGuard devices don’t allow any unsigned code so are not vulnerable.
Microsoft could revoke the certificate for the vulnerable GRUB2 program, but this would brick all computers that use that version since they would then have no way to boot until updated while also being unable to update. Manufactures pushing updates to their systems may have problems as well. As you might suspect, any update to this critical level of the system bootup could brick the device.
Since malware must have root or administrative privileges to exploit this vulnerability, protecting your computer from malware will prevent this exploit. There isn’t much the average user can do at this point besides keep an eye for suspicious activity. Microsoft will push an updated revocation list after the updates to GRUB2 come out. For the more technical, one could update GRUB2, if installed, and manually install Microsoft’s new revocation list. This difficult process can easily break the computer, so I won’t post how to do that here but savvy administrators can easily search for instructions elsewhere.
Leave a Reply