A newly discovered vulnerability dubbed ‘Boothole’ compromises the foundation of device security for “virtually all Linux distributions” and some Microsoft Windows devices that use the “Secure Boot” feature, according to a new report.
Researchers at security firm Eclypsium warn that the vulnerability in the GRUB2 bootloader affects equipment used in the industrial, healthcare, and financial sectors. Attackers who exploit it can gain arbitrary code execution during the boot process, even on devices that have Secure Boot enabled.
Race to the bottom of the code stack
According to an analysis made public on Wednesday, a buffer overflow vulnerability in GRUB2 could allow attackers to insert malicious code into vulnerable systems. Attackers exploiting the vulnerability could install persistent and stealthy bootkits or malicious bootloaders that would give them near-total control over the victim device, Eclypsium warned.
GRUB2, which stands for GRand Unified Bootloader version 2, is a ubiquitous component of Linux and Windows systems and replaces the earlier GRUB. A bootloader is the first software program that runs when a computer starts up: it loads the operating system kernel, which then loads the rest of the operating system.
Mickey Shkatov and Jesse Michael, principal researchers at Eclypsium, say this vulnerability reflects a trend that has developed in recent years of attackers “moving down the stack.” The logic is simple: the further down the code stack a vulnerability sits, the more control it gives attackers and the more damage they can do. The new vulnerability is notable because GRUB2 “control[s] what’s loading the operating system,” Michael told Security Ledger.
The proliferation of Linux on both traditional computers and embedded devices on the “Internet of Things” means that Boothole is “everywhere,” according to Eclypsium researchers. “Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected,” the company notes in its report. GRUB2 is also used to support other operating systems, kernels and hypervisors such as Xen. “The majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries,” Eclypsium said.
The scope of the devices it affects, compounded by the extent of the vulnerability itself, is troublesome.
Mending the Boothole
Fixing such a widespread issue in such a low-level component takes time and serious coordination, the researchers said. First, GRUB2 itself will need to be updated to fix the vulnerability. Vendors using GRUB2 will then need to update their installers, bootloaders and shims, Eclypsium said. The updated shims will need to be signed by the Microsoft third-party UEFI certificate authority, after which administrators responsible for affected devices will need to update operating systems, installer images and disaster recovery media. Finally, the UEFI revocation list will need to be updated to prevent devices from running the vulnerable GRUB2 code during boot.
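The last step above, updating the UEFI revocation list, is one an administrator can verify locally: the list lives in the `dbx` UEFI variable as a chain of EFI_SIGNATURE_LIST structures defined by the UEFI specification. The parser below is an added example, not code from Eclypsium or the report; the efivarfs path is assumed to be the standard Linux one, and the sample blob is constructed here so the script runs offline.

```python
import struct
import uuid
from typing import Dict, List, Tuple

# GUIDs from the UEFI spec identifying what each EFI_SIGNATURE_LIST holds.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed efivarfs path: <name>-<EFI_IMAGE_SECURITY_DATABASE_GUID>.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3e-4596-a3bc-dad00e67656f"
HDR_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob: bytes) -> List[Tuple[uuid.UUID, List[bytes]]]:
    """Walk every EFI_SIGNATURE_LIST in blob; return (type, [SignatureData...])."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at {off}")
        if sig_size < 16:  # each entry starts with a 16-byte SignatureOwner GUID
            raise ValueError(f"bad SignatureSize {sig_size} at {off}")
        body = blob[off + HDR_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature area not a multiple of {sig_size} at {off}")
        # Strip the owner GUID; keep the hash or DER certificate bytes.
        lists.append((sig_type, [body[i + 16:i + sig_size] for i in range(0, len(body), sig_size)]))
        off += list_size
    return lists


def summarize_dbx(blob: bytes) -> Dict[str, int]:
    """Count revoked SHA-256 image hashes, X.509 certs, and anything else."""
    counts = {"sha256": 0, "x509": 0, "other": 0}
    for sig_type, entries in parse_signature_lists(blob):
        key = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}.get(sig_type, "other")
        counts[key] += len(entries)
    return counts


def read_dbx_efivar(path: str = DBX_EFIVAR) -> bytes:
    """efivarfs prepends 4 bytes of variable attributes; drop them."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes: List[bytes]) -> bytes:
    """Build one SHA-256 EFI_SIGNATURE_LIST (used here only to construct sample data)."""
    body = b"".join(bytes(16) + h for h in hashes)  # zero SignatureOwner + 32-byte hash
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HDR_LEN + len(body), 0, 48) + body


# Constructed sample: two placeholder hashes standing in for revoked bootloader images.
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32])

if __name__ == "__main__":
    print(summarize_dbx(SAMPLE_DBX))
```

On a real machine, `summarize_dbx(read_dbx_efivar())` gives the entry count; comparing it before and after applying a vendor's revocation update shows whether the new hashes actually landed in `dbx`.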
Because errors in bootloader patches can leave devices inoperable (“bricked”), every GRUB2 patch will need extensive testing on each device that carries it. That will slow the response considerably.
Eclypsium is working with more than 16 organizations, including Microsoft, to align their responses to Boothole. Microsoft has released a Boothole patch, with a signed revocation file, that can be applied as a manual update. Linux systems, however, will have to wait a bit longer: an installer package with a patch for Linux systems won’t be coming until 2021 at least, Eclypsium said.
The lengthy revocation process and the year-long timeline for patching Boothole across systems leave time for cyber criminals to dig in and exploit the weakness. Technologies such as UEFI (Unified Extensible Firmware Interface), which are meant to increase security, should be improved to make them more agile and resilient against new vulnerabilities, Eclypsium recommends.
Attackers have become adept at exploiting low-level components such as bootloaders and UEFI. In September 2018, the firm ESET published a paper on LoJax, a UEFI rootkit believed to have been created and used by the Russian advanced persistent threat (APT) group known as “Fancy Bear” or “Sednit.”