There's a hole in the boot

//Blogs - 30 Jul 2020

There's a hole in the boot

Introduction

Responsible disclosure from Eclypsium has enabled the patches to the GRand Unified Boot Loader (GRUB) to be coordinated on the night of the 29th July 2020.

Impact

Modifications to the GRUB configuration file can result in the the execution of arbitrary code which can also allow UEFI Secure Boot restrictions to be bypassed. Subsequently it is then possible to load further arbitrary executable code as well as drivers.

To be able to exploit this vulnerability you first must have administrator or physical access to the target machine.

System affected

The vulnerability affects Microsoft as well as Linux based distributions as it affect UEFI Secure Boot DBX, along with GRUB2.

A non-exhaustive list of operating systems affected has been compiled by Eclypsium being:

Microsoft
UEFI Security Response Team (USRT)
Oracle
Red Hat (Fedora and RHEL)
Canonical (Ubuntu)
SuSE (SLES and openSUSE)
Debian
Citrix
VMware
Various OEMs
… and others …

Mitigation

It is recommended that an organisation undertakes their own risk assessment, addressing the severity of the impact of administrative/root control with the need for the attacker to already have administrator or physical access to the target.

Microsoft notes that it is possible to detect this vulnerability using either Key Attestation or Defender ATP

Eclypsium has outlined steps to mitigate this vulnerability as follows:

Updates to GRUB2 to address the vulnerability.
Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims.
New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
Administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media.
Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.

Advisories

AusCERT has issued out an AusCERT Security Bulletins (ASB) [ASB-2020.135] and will be issuing out External Security Bulletins (ESB) as they come to hand.

Below are excerpts of the Product Security Incident Response Teams (PSIRT) advisory that describe in brief the Impact and vectors of these vulnerabilities.

Microsoft

Tag	Description
ADV200011	To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.

Tag

Description

ADV200011

To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.

Linux Distribution

Tag	Description
CVE-2020-10713	Crafted grub.cfg file can lead to arbitrary code execution during boot process
CVE-2020-14308	grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow. 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-14309	Integer overflow in grub_squash_read_symlink may lead to heap based overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-14310	Integer overflow in read_section_from_string may lead to heap based overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-14311	Integer overflow in grub_ext2_read_link leads to heap based buffer overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-15705	Failure to validate kernel signature when booted without shim 6.4 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15706	Use-after-free in grub_script_function_create 6.4 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15707	Integer overflows in efilinux grub_cmd_initrd and grub_initrd_init leads to heap based buffer overflow 5.7 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

Sources

Media reports

Further information

Key Attestation : https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation
Defender ATP: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
UEFI Forum: https://uefi.org/revocationlistfile
Canonical : https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

PSIRT Information

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
Canonical: https://ubuntu.com/security/notices/USN-4432-1
Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
HPE: www.hpe.com/info/security-alerts
Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
VMware: https://kb.vmware.com/s/article/80181

More Blogs

//Blogs - 12 Feb 2024

Publications

There's a hole in the boot