A flaw in the GRUB2 bootloader allows hackers to bypass Secure Boot on billions of systems
Billions of computers that are currently in use rely on a feature called Secure Boot to ensure malware has one less way of penetrating your computer. However, a new flaw discovered in one of the most widely used bootloaders can render that protection useless and will be a nightmare to fix.
Last month, researchers at antivirus company ESET discovered a new type of ransomware had been circulating in the wild, locking out users from accessing important data on their computers. The silver lining was that if you had a UEFI feature called Secure Boot turned on, that would prevent the malicious code from being loaded during system startup.
Microsoft introduced Secure Boot with Windows 8 as a new mechanism that would ensure the integrity of all code that is being run until the operating system is initialized and takes over. These pieces of code need to be signed with a root key by Microsoft under the Third Party UEFI Certificate Authority, which is a great way to improve the overall security of your PC.
However, researchers from security firm Eclypsium found a way that Secure Boot can be compromised in its current implementation. Specifically, they discovered that GRUB2 — which is a program used in pretty much all computers running Linux distributions — has a vulnerability that can make it possible for malware to be slipped into the boot process.
The flaw, dubbed “BootHole,” is essentially a buffer overflow issue that stems from the way the GRUB2 boot loader reads the content of the main configuration file found in the EFI system partition. All an attacker needs to do in order to install rootkit malware is load a modified version of GRUB2 with long strings of text in the grub.cfg file, which isn’t digitally signed and thus doesn’t get flagged during Secure Boot.
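To make the class of bug concrete, here is an added illustration written for this article rather than GRUB2's own code: a miniature "key value" config-line reader that copies a token into a fixed-size buffer, shown once without a length check and once with one. The buffer size, function names, and the sample lines are all hypothetical; the point is that a config file the firmware never verifies is attacker-controlled input, and every copy out of it needs a bound.

```c
/* Added illustration, not GRUB2's code: a toy config-line reader.
 * TOKEN_MAX, the function names and the sample inputs are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TOKEN_MAX 32   /* hypothetical fixed buffer size for one token */

enum { TOK_OK = 0, TOK_TOO_LONG = -1 };

/* Unsafe pattern: copy until whitespace or end of string with no bound.
 * A token of TOKEN_MAX or more bytes writes past 'out'. Kept only for
 * contrast with the checked version below; never feed it untrusted data. */
size_t read_token_unchecked(const char *line, char out[TOKEN_MAX]) {
    size_t n = 0;
    while (line[n] != '\0' && line[n] != ' ' && line[n] != '\n') {
        out[n] = line[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened pattern: stop and report an error as soon as the token would
 * no longer fit (leaving one byte for the terminator). */
int read_token_checked(const char *line, char out[TOKEN_MAX], size_t *len) {
    size_t n = 0;
    while (line[n] != '\0' && line[n] != ' ' && line[n] != '\n') {
        if (n + 1 >= TOKEN_MAX) {
            out[0] = '\0';
            *len = 0;
            return TOK_TOO_LONG;
        }
        out[n] = line[n];
        n++;
    }
    out[n] = '\0';
    *len = n;
    return TOK_OK;
}

/* Parse one line of the form "key value" using the checked reader.
 * Returns 0 on success, -1 if a token is empty or too long. */
int parse_config_line(const char *line, char key[TOKEN_MAX], char value[TOKEN_MAX]) {
    size_t klen = 0, vlen = 0;
    if (read_token_checked(line, key, &klen) != TOK_OK || klen == 0)
        return -1;
    const char *rest = line + klen;
    while (*rest == ' ')
        rest++;
    if (read_token_checked(rest, value, &vlen) != TOK_OK)
        return -1;
    return 0;
}

/* Self-check: a short constructed line parses, an overlong one is refused.
 * Returns 1 when both outcomes are as expected. */
int demo(void) {
    char key[TOKEN_MAX], value[TOKEN_MAX];
    char overlong[128];                      /* constructed 127-byte token */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    int short_ok = parse_config_line("set timeout=5", key, value) == 0
                   && strcmp(key, "set") == 0
                   && strcmp(value, "timeout=5") == 0;
    int long_rejected = parse_config_line(overlong, key, value) == -1;
    return short_ok && long_rejected;
}

int main(void) {
    printf("checked reader behaves as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The defensive takeaway is the shape of `read_token_checked`: the length test happens before the write, and an overlong token is a hard error rather than something to truncate and carry on with, since a parser that keeps going after a failed check is still running on attacker-chosen state.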
This exploit works because of a special relationship between GRUB2 and Secure Boot that allows makers of Linux distributions to use something called a “shim” bootloader. This was done for practical reasons, so that the maintainers of these Linux distributions can update GRUB2 binaries and sign them with their own certificates instead of having to go through Microsoft to do so.
As for Microsoft, the company acknowledged the issue in a security advisory, as did other affected parties such as HP, VMware, Debian, Canonical, Red Hat, and SUSE. The Eclypsium researchers noted that only one vendor performs a signature check on the main GRUB2 configuration file, meaning there are potentially billions of systems affected by BootHole.
Mitigating the issue will be particularly hard, as this will be a multi-stage process that starts with patching GRUB2. Then makers of Linux distributions need to update their installers, bootloaders, disaster recovery images, and shims. Then those shims will need to be signed by the Microsoft Third Party UEFI Certificate Authority, while the old ones need to be revoked in firmware on all affected systems. This has led to boot failures in the past, as manufacturers have different implementations of this process.