30 Jul 2020

Blogs

There's a hole in the boot

Introduction

Responsible disclosure from Eclypsium has enabled the patches to the GRand Unified Boot Loader (GRUB) to be coordinated on the night of the 29th July 2020.

Impact

Modifications to the GRUB configuration file can result in the the execution of arbitrary code which can also allow UEFI Secure Boot restrictions to be bypassed.  Subsequently it is then possible to load further arbitrary executable code as well as drivers.

To be able to exploit this vulnerability you first must have administrator or physical access to the target machine. 

System affected

The vulnerability affects Microsoft as well as Linux based distributions as it affect UEFI Secure Boot DBX, along with GRUB2.

A non-exhaustive list of operating systems affected has been compiled by Eclypsium being:

  • Microsoft
  • UEFI Security Response Team (USRT)
  • Oracle
  • Red Hat (Fedora and RHEL)
  • Canonical (Ubuntu)
  • SuSE (SLES and openSUSE)
  • Debian
  • Citrix
  • VMware
  • Various OEMs
  • … and others …

Mitigation

It is recommended that an organisation undertakes their own risk assessment, addressing the severity of the impact of administrative/root control with the need for the attacker to already have administrator or physical access to the target. 

Microsoft notes that it is possible to detect this vulnerability using either Key Attestation or Defender ATP

Eclypsium has outlined steps to mitigate this vulnerability as follows:

  1. Updates to GRUB2 to address the vulnerability.
  2. Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims.
  3. New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
  4. Administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media.
  5. Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.

Advisories

AUSCERT has issued out an AUSCERT Security Bulletins (ASB) [ASB-2020.135] and will be issuing out External Security Bulletins (ESB) as they come to hand.

Below are excerpts of the Product Security Incident Response Teams (PSIRT) advisory that describe in brief the Impact and vectors of these vulnerabilities.

Microsoft

Tag

Description

ADV200011

To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.

 

Linux Distribution

Tag

Description

CVE-2020-10713

Crafted grub.cfg file can lead to arbitrary code execution during boot process

CVE-2020-14308

grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow.
6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-14309

Integer overflow in grub_squash_read_symlink may lead to heap based overflow.
5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2020-14310

Integer overflow in read_section_from_string may lead to heap based overflow.
5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2020-14311

Integer overflow in grub_ext2_read_link leads to heap based buffer overflow.
5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2020-15705

Failure to validate kernel signature when booted without shim
6.4 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-15706

Use-after-free in grub_script_function_create
6.4 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-15707

Integer overflows in efilinux grub_cmd_initrd and grub_initrd_init leads to heap based buffer overflow
5.7 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

 

Sources

Media reports

Further information

PSIRT Information