Secplicity - Security Simplified

Powered by WatchGuard Technologies

GRUB2 Boot Hole Breaks Secure Boot For Now

July 31, 2020 By Trevor Collins

On Wednesday of this week, Eclypsium released a report on a vulnerability in GRUB2 that affects millions of devices, with few exceptions. Normally used on Linux systems, GRUB2 accepts control from the UEFI Secure Boot process and starts boot-time programs as well as the computer's OS, if it has one. This level of control over the system before the OS boots lets GRUB2, and anyone with access to it, completely control the OS. Malware can also install GRUB2 on systems that don't already have it, making those systems vulnerable too. Normally a Microsoft certificate authority must sign any changes to GRUB. The vulnerability found here can bypass the signing process.

The vulnerability itself is a buffer overflow when parsing the grub.cfg configuration file. This file normally defines the available boot options, such as safe mode and recovery. The parser for grub.cfg fails to properly exit when it hits an error and instead continues parsing the file, causing a buffer overflow.
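A constructed C model of the bug class just described, added here as an example and not GRUB2's own code: a config tokenizer with a fixed-size token buffer whose "fatal error" hook only logs (vulnerable) beside one whose error path stops the scan (fixed). The guard region after the buffer is an assumption that stands in for whatever follows the buffer in memory, so the overflow can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#define TOKEN_CAP  16   /* logical size of the fixed token buffer */
#define ARENA_SIZE 32   /* token buffer followed by a guard region */
/* Constructed model of the bug class, not GRUB2 code: arena[0..15] is the
 * token buffer, arena[16..31] stands in for whatever follows it in memory. */
struct lexer { unsigned char arena[ARENA_SIZE]; size_t len; int error_seen; };
static void lexer_init(struct lexer *lx) {
    memset(lx->arena, 0, TOKEN_CAP);
    memset(lx->arena + TOKEN_CAP, 0xAA, ARENA_SIZE - TOKEN_CAP);
    lx->len = 0;
    lx->error_seen = 0;
}

/* Vulnerable variant: the "fatal error" hook only logs, so the copy loop
 * keeps running and spills the token into the guard region. */
static size_t scan_token_vuln(struct lexer *lx, const char *line) {
    lexer_init(lx);
    for (const char *p = line; *p && *p != ' '; p++) {
        if (lx->len >= TOKEN_CAP && !lx->error_seen) {
            fprintf(stderr, "fatal: token too long\n"); /* logs, never stops */
            lx->error_seen = 1;
        }
        if (lx->len < ARENA_SIZE)   /* arena bound only, to keep the toy defined */
            lx->arena[lx->len] = (unsigned char)*p;
        lx->len++;
    }
    return lx->len;
}

/* Fixed variant: the error path aborts the scan before any write past TOKEN_CAP. */
static int scan_token_fixed(struct lexer *lx, const char *line) {
    lexer_init(lx);
    for (const char *p = line; *p && *p != ' '; p++) {
        if (lx->len >= TOKEN_CAP) {
            fprintf(stderr, "fatal: token too long\n");
            lx->error_seen = 1;
            return -1;              /* stop: buffer and guard stay intact */
        }
        lx->arena[lx->len++] = (unsigned char)*p;
    }
    return 0;
}
/* Returns 1 if anything was written past the logical token buffer. */
static int guard_clobbered(const struct lexer *lx) {
    for (size_t i = TOKEN_CAP; i < ARENA_SIZE; i++)
        if (lx->arena[i] != 0xAA) return 1;
    return 0;
}
```

Feeding both variants an over-long first token shows the difference: the vulnerable scan reports the error yet still overwrites the guard, while the fixed scan returns an error with the guard untouched.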

For malware to exploit this vulnerability it must already have access to the grub.cfg file. This means it likely already has root or administrative access, though not the same level of access it gains over the boot process itself. The malware could also persist even through a clean OS install. Additionally, for example, if a computer dual-boots Linux and Windows, I suspect the malware could jump from the Linux OS to the Windows OS through the boot process without any user interaction. WatchGuard devices don't allow any unsigned code, so they are not vulnerable.

Microsoft could revoke the certificate for the vulnerable GRUB2 program, but this would brick all computers that use that version, since they would then have no way to boot until updated while also being unable to update. Manufacturers pushing updates to their systems may have problems as well. As you might suspect, any update to this critical level of the system's boot process could brick the device.

Since malware must have root or administrative privileges to exploit this vulnerability, protecting your computer from malware will prevent this exploit. There isn't much the average user can do at this point besides keep an eye out for suspicious activity. Microsoft will push an updated revocation list after the updates to GRUB2 come out. For the more technical, one could update GRUB2, if installed, and manually install Microsoft's new revocation list. This difficult process can easily break the computer, so I won't post how to do that here, but savvy administrators can easily search for instructions elsewhere.
