===========================================================================
                  AUSCERT Security Bulletin ASB-2020.0135
  "BootHole" vulnerability, and several others, published in GRUB2 bootloader
                               30 July 2020
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            GRUB2
Operating System:   Linux variants
                    Windows
Impact/Access:      Root Compromise                 -- Existing Account
                    Execute Arbitrary Code/Commands -- Existing Account
                    Increased Privileges            -- Existing Account
                    Modify Arbitrary Files          -- Existing Account
                    Denial of Service               -- Existing Account
Resolution:         Patch/Upgrade
CVE Names:          CVE-2020-15707 CVE-2020-15706 CVE-2020-15705
                    CVE-2020-14311 CVE-2020-14310 CVE-2020-14309
                    CVE-2020-14308 CVE-2020-10713 CVE-2020-7205

OVERVIEW

        The GRUB2 bootloader is affected by a major vulnerability known as
        "BootHole", CVE-2020-10713, and several other less notable
        vulnerabilities. It requires an attacker to already have root access
        to a host to edit the GRUB2 'grub.cfg' configuration file.

        If exploited, this allows bypass of the UEFI Secure Boot system, which
        defends against malicious bootloaders, including certain kinds of
        rootkits:

        "One of the explicit design goals of Secure Boot is to prevent
        unauthorized code, even running with administrator privileges, from
        gaining additional privileges and pre-OS persistence by disabling
        Secure Boot or otherwise modifying the boot chain." [1]

        Fully fixing this problem will take time, as the patching process is
        complex. However, mitigations are rolling out from vendors from
        today. [1]

IMPACT

        An attacker can boot their own code (unsigned by the usual process)
        which still passes signature verification during UEFI Secure Boot.

        Eclypsium states:

        "The Boot Hole vulnerability discovered by Eclypsium can be used to
        install persistent and stealthy bootkits or malicious bootloaders that
        operate even when Secure Boot is enabled and functioning correctly.
        This can ensure attacker code runs before the operating system and can
        allow the attacker to control how the operating system is loaded,
        directly patch the operating system, or even direct the bootloader to
        alternate OS images. It gives the attacker virtually unlimited control
        over the victim device. Malicious bootloaders have recently been
        observed in the wild, and this vulnerability would make devices
        susceptible to these types of threats." [1]

        A malicious boot loader allows a kind of "super-admin"; it can be used
        to subvert the kernel of the operating system(s) hosted on the
        attacker-controlled hardware, and hide things from the
        administrator(s) of those operating system(s). [2]

        Eclypsium also state that this is a very widespread issue:

        "In addition to Linux systems, any system that uses Secure Boot with
        the standard Microsoft UEFI CA is vulnerable to this issue. As a
        result, we believe that the majority of modern systems in use today,
        including servers and workstations, laptops and desktops, and a large
        number of Linux-based OT and IoT systems, are potentially affected by
        these vulnerabilities." [1]

        Microsoft are publishing their own mitigations, despite GRUB2 not
        running on Windows, as the exploit could be used to boot a modified
        (compromised) version of Windows while passing Secure Boot. [3]

        AusCERT's evaluation is that this should be taken seriously and
        patched as patches become available. However, to determine urgency,
        each organisation must assess the use of GRUB2 in their environment,
        as in general exploitation requires administrator access to the
        operating system affected.

        The following CVEs were found in addition to CVE-2020-10713,
        "BootHole", as part of efforts to make the most of this high-effort
        patching cycle:

        CVE-2020-7205
        CVE-2020-14308
        CVE-2020-14309
        CVE-2020-14310
        CVE-2020-14311
        CVE-2020-15705
        CVE-2020-15706
        CVE-2020-15707

        [1] [3]

MITIGATION

        Watch for updates being released for your operating system from
        today.

        Eclypsium summarises the full patching process thus:

        "Full mitigation of this issue will require coordinated efforts from a
        variety of entities: affected open-source projects, Microsoft, and the
        owners of affected systems, among others. This will include:

        * Updates to GRUB2 to address the vulnerability.
        * Linux distributions and other vendors using GRUB2 will need to
          update their installers, bootloaders, and shims.
        * New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
        * Administrators of affected devices will need to update installed
          versions of operating systems in the field as well as installer
          images, including disaster recovery media.
        * Eventually the UEFI revocation list (dbx) needs to be updated in the
          firmware of each affected system to prevent running this vulnerable
          code during boot." [1]

REFERENCES

        [1] Eclypsium: There's A Hole In The Boot
            https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

        [2] We Live Security: UEFI malware: How to exploit a false sense of
            security
            https://www.welivesecurity.com/2017/10/19/malware-firmware-exploit-sense-security/

        [3] ADV200011 | Microsoft Guidance for Addressing Security Feature
            Bypass in GRUB
            https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200011

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
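The last MITIGATION step above is a dbx (UEFI forbidden-signature database) update. The following is an added example, not code from the bulletin, AusCERT or Eclypsium: a parser for the EFI_SIGNATURE_LIST format that dbx uses, so an administrator can list which SHA-256 digests and X.509 certificates a system's firmware currently revokes and confirm that a pushed dbx update has actually landed. It assumes the caller has already read the raw variable bytes (for example from efivars, with the 4-byte attribute prefix stripped); build_sha256_list and the sample digests are constructed purely for demonstration.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes):
    """Yield (type_guid, owner_guid, signature_bytes) for every dbx entry."""
    off = 0
    while off < len(data):
        if len(data) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(data, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("EFI_SIGNATURE_LIST size out of range")
        body = data[off + _LIST_HDR.size + hdr_size:off + list_size]
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by
        # the signature itself (a SHA-256 digest or a DER certificate).
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("signature size does not divide list body")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def summarize_dbx(data: bytes) -> dict:
    """Return {'sha256': [hex digests], 'x509': count} for a dbx blob."""
    summary = {"sha256": [], "x509": 0}
    for sig_type, _owner, sig in parse_signature_lists(data):
        if sig_type == EFI_CERT_SHA256_GUID:
            summary["sha256"].append(sig.hex())
        elif sig_type == EFI_CERT_X509_GUID:
            summary["x509"] += 1
    return summary


def build_sha256_list(hex_digests, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (constructed test input)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hex_digests)
    return _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                          _LIST_HDR.size + len(body), 0, 16 + 32) + body
```

A real dbx is normally a concatenation of several lists, which is why the parser loops until the data is exhausted and rejects any list whose declared size overruns the blob.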