AUSCERT Security Bulletin
"BootHole" vulnerability, and several others, published in GRUB2 bootloader
30 July 2020
AusCERT Security Bulletin Summary
Operating System:  Linux variants
Impact/Access:     Root Compromise                  -- Existing Account
                   Execute Arbitrary Code/Commands  -- Existing Account
                   Increased Privileges             -- Existing Account
                   Modify Arbitrary Files           -- Existing Account
                   Denial of Service                -- Existing Account
CVE Names:         CVE-2020-15707 CVE-2020-15706 CVE-2020-15705
                   CVE-2020-14311 CVE-2020-14310 CVE-2020-14309
                   CVE-2020-14308 CVE-2020-10713 CVE-2020-7205
The GRUB2 bootloader is affected by a major vulnerability
known as "BootHole", CVE-2020-10713, and several other less
notable vulnerabilities. Exploitation requires an attacker who already
has root access to the host, since that is needed to edit the GRUB2
'grub.cfg' configuration file. If exploited, it allows bypass of
UEFI Secure Boot, which defends against malicious bootloaders,
including certain kinds of rootkits:
"One of the explicit design goals of Secure Boot is to
prevent unauthorized code, even running with administrator privileges,
from gaining additional privileges and pre-OS persistence by
disabling Secure Boot or otherwise modifying the boot chain." 
Fully fixing this problem will take time, as the patching process is complex.
However, mitigations are rolling out from vendors from today.
The effect of the vulnerability is that an attacker can boot their own code,
not signed through the usual process, which nonetheless passes signature
verification during UEFI Secure Boot.
"The Boot Hole vulnerability discovered by Eclypsium can be used to
install persistent and stealthy bootkits or malicious bootloaders that
operate even when Secure Boot is enabled and functioning correctly.
This can ensure attacker code runs before the operating system and can
allow the attacker to control how the operating system is loaded, directly
patch the operating system, or even direct the bootloader to alternate
OS images. It gives the attacker virtually unlimited control over the
victim device. Malicious bootloaders have recently been observed in the
wild, and this vulnerability would make devices susceptible to these types
of threats." 
A malicious boot loader acts as a kind of "super-admin": it can
be used to subvert the kernel of any operating system hosted on the
attacker-controlled hardware, and to hide its activity from the
administrators of those operating systems.
Eclypsium also state that this is a very widespread issue:
"In addition to Linux systems, any system that uses Secure Boot
with the standard Microsoft UEFI CA is vulnerable to this issue.
As a result, we believe that the majority of modern systems in use
today, including servers and workstations, laptops and desktops,
and a large number of Linux-based OT and IoT systems, are potentially
affected by these vulnerabilities." 
Microsoft are publishing their own mitigations, despite GRUB2 not
running on Windows, as the exploit could be used to boot a modified
(compromised) version of Windows while passing Secure Boot. 
AusCERT's evaluation is that this should be taken seriously
and patched as fixes become available. To determine urgency, however,
each organisation must assess its own use of GRUB2, since in general
exploitation requires administrator access to the affected
operating system.
The following CVEs were found in addition to CVE-2020-10713, "BootHole",
as part of efforts to make the most of this high-effort patching cycle:
Watch for updates being released for your operating system from today.
Eclypsium summarises the full patching process thus:
"Full mitigation of this issue will require coordinated efforts from a variety of
entities: affected open-source projects, Microsoft, and the owners of affected
systems, among others. This will include:
* Updates to GRUB2 to address the vulnerability.
* Linux distributions and other vendors using GRUB2 will need to update their
installers, bootloaders, and shims.
* New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
* Administrators of affected devices will need to update installed versions of
operating systems in the field as well as installer images, including disaster
* Eventually the UEFI revocation list (dbx) needs to be updated in the
firmware of each affected system to prevent running this vulnerable code during
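Of the steps above, the dbx update is the one an administrator can verify directly on a host. The following added example (not from the bulletin or from Eclypsium) parses the EFI_SIGNATURE_LIST chain stored in the dbx variable so that revocation entries can be counted before and after a dbx update; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, and builds a constructed sample list so it can be exercised offline.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGNATURE_TYPES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
# dbx as exposed by efivarfs: variable name plus EFI_IMAGE_SECURITY_DATABASE_GUID
# (assumes efivarfs is mounted at the usual location).
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
HEADER_LEN = 28  # SignatureType GUID (16) + SignatureListSize/SignatureHeaderSize/SignatureSize (3 x uint32)


def parse_signature_lists(blob):
    """Walk the chain of EFI_SIGNATURE_LIST structures that makes up a dbx payload.
    Returns (type_name, owner_guid, signature_bytes) per entry, and raises ValueError
    on a truncated or inconsistent list rather than silently under-counting revocations."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % offset)
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < HEADER_LEN + header_size or offset + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % offset)
        if sig_size <= 16:  # every signature starts with a 16-byte SignatureOwner GUID
            raise ValueError("SignatureSize too small at offset %d" % offset)
        body = blob[offset + HEADER_LEN + header_size:offset + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        type_name = SIGNATURE_TYPES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = str(uuid.UUID(bytes_le=body[i:i + 16]))
            entries.append((type_name, owner, body[i + 16:i + sig_size]))
        offset += list_size
    return entries


def read_dbx(path=DBX_EFIVAR):
    """Read dbx through efivarfs; the first 4 bytes of the file are the variable attributes."""
    with open(path, "rb") as f:
        return parse_signature_lists(f.read()[4:])


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Constructed sample input (not a real dbx): one SHA-256 EFI_SIGNATURE_LIST."""
    sig_size = 16 + 32
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", HEADER_LEN + sig_size * len(hashes), 0, sig_size)
    return header + b"".join(owner.bytes_le + h for h in hashes)
```

Comparing `len(read_dbx())` before and after applying a vendor dbx update shows whether the revocations actually reached the firmware.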
 Eclypsium: There's A Hole In The Boot
 We Live Security: UEFI malware: How to exploit a false sense of
 ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.