===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0135
"BootHole" vulnerability, and several others, published in GRUB2 bootloader
                               30 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          GRUB2
Operating System: Linux variants
                  Windows
Impact/Access:    Root Compromise                 -- Existing Account
                  Execute Arbitrary Code/Commands -- Existing Account
                  Increased Privileges            -- Existing Account
                  Modify Arbitrary Files          -- Existing Account
                  Denial of Service               -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2020-15707 CVE-2020-15706 CVE-2020-15705
                  CVE-2020-14311 CVE-2020-14310 CVE-2020-14309
                  CVE-2020-14308 CVE-2020-10713 CVE-2020-7205

OVERVIEW

        The GRUB2 bootloader is affected by a major vulnerability
        known as "BootHole", CVE-2020-10713, and by several other less
        notable vulnerabilities. Exploitation requires the attacker to already
        have root access to the host in order to edit the GRUB2 'grub.cfg'
        configuration file.
        
        If exploited, this allows bypass of the UEFI Secure Boot system,
        which defends against malicious bootloaders,
        including certain kinds of rootkits:
        "One of the explicit design goals of Secure Boot is to
        prevent unauthorized code, even running with administrator privileges,
        from gaining additional privileges and pre-OS persistence by
        disabling Secure Boot or otherwise modifying the boot chain." [1]
        
        Fully fixing this problem will take time, as the patching process is complex.
        However, mitigations are rolling out from vendors from today. [1]


IMPACT

        An attacker can boot their own code (unsigned by the usual process)
        which still passes signature verification during UEFI Secure Boot.
        
        Eclypsium states:
        
        "The Boot Hole vulnerability discovered by Eclypsium can be used to
        install persistent and stealthy bootkits or malicious bootloaders that
        operate even when Secure Boot is enabled and functioning correctly.
        This can ensure attacker code runs before the operating system and can
        allow the attacker to control how the operating system is loaded, directly
        patch the operating system, or even direct the bootloader to alternate
        OS images. It gives the attacker virtually unlimited control over the
        victim device. Malicious bootloaders have recently been observed in the
        wild, and this vulnerability would make devices susceptible to these types
        of threats." [1]
        
        A malicious boot loader acts as a kind of "super-admin": it can
        be used to subvert the kernel of any operating system hosted on the
        attacker-controlled hardware, and to hide its presence from the
        administrators of those operating systems. [2]
        
        Eclypsium also states that this is a very widespread issue:
        
        "In addition to Linux systems, any system that uses Secure Boot
        with the standard Microsoft UEFI CA is vulnerable to this issue.
        As a result, we believe that the majority of modern systems in use
        today, including servers and workstations, laptops and desktops,
        and a large number of Linux-based OT and IoT systems, are potentially
        affected by these vulnerabilities." [1]
        
        Microsoft are publishing their own mitigations, despite GRUB2 not
        running on Windows, as the exploit could be used to boot a modified
        (compromised) version of Windows while passing Secure Boot. [3]
        
        AusCERT's evaluation is that this should be taken seriously
        and patched as patches become available. However, to determine urgency,
        each organisation must assess the use of GRUB2 in their environment,
        as in general exploitation requires administrator access to the
        operating system affected.
        
        The following CVEs were found in addition to CVE-2020-10713, "BootHole",
        as part of efforts to make the most of this high-effort patching cycle:
        
        CVE-2020-7205
        CVE-2020-14308
        CVE-2020-14309
        CVE-2020-14310
        CVE-2020-14311
        CVE-2020-15705
        CVE-2020-15706
        CVE-2020-15707
        [1] [3]


MITIGATION

        Watch for updates being released for your operating system from today.
        
        Eclypsium summarises the full patching process thus:
        "Full mitigation of this issue will require coordinated efforts from a variety of
        entities: affected open-source projects, Microsoft, and the owners of affected
        systems, among others. This will include:
        
            * Updates to GRUB2 to address the vulnerability.
            * Linux distributions and other vendors using GRUB2 will need to update their
            installers, bootloaders, and shims.
            * New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
            * Administrators of affected devices will need to update installed versions of
            operating systems in the field as well as installer images, including disaster
            recovery media.
            * Eventually the UEFI revocation list (dbx) needs to be updated in the
            firmware of each affected system to prevent running this vulnerable code during
            boot." [1]
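        The last step above, the dbx update, is the one an administrator can verify
        on a given machine. The following is an added example (not AusCERT or
        Eclypsium code) that parses the EFI_SIGNATURE_LIST records making up a UEFI
        dbx variable and reports whether the SHA-256 hash of a given EFI binary is
        revoked; it assumes the variable is read from efivarfs (4 attribute bytes
        first), and the sample dbx blob and hashes are constructed, not real values.

```python
"""Parse a UEFI dbx revocation list and check whether a SHA-256 hash is revoked.
Added example; sample dbx and hashes below are constructed."""
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFIVARS_ATTR_LEN = 4   # efivarfs prefixes every variable with 4 attribute bytes


def parse_signature_lists(data: bytes, from_efivarfs: bool = False):
    """Yield (type_guid, owner_guid, signature_bytes) for each EFI_SIGNATURE_DATA
    entry in a concatenation of EFI_SIGNATURE_LIST structures."""
    off = EFIVARS_ATTR_LEN if from_efivarfs else 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])        # mixed-endian GUID
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(data: bytes, from_efivarfs: bool = False) -> set:
    """Set of revoked SHA-256 digests (hex) found in the list."""
    return {sig.hex() for t, _, sig in parse_signature_lists(data, from_efivarfs)
            if t == EFI_CERT_SHA256_GUID and len(sig) == 32}


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used for the sample)."""
    sig_size = 16 + 32                                   # owner GUID + digest
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


# Constructed sample: efivarfs attributes (NV|BS|RT|TIME_BASED_AUTH) + two revoked hashes.
REVOKED_A = "11" * 32
REVOKED_B = "22" * 32
SAMPLE_DBX = b"\x27\x00\x00\x00" + build_sha256_list([REVOKED_A, REVOKED_B])


def is_revoked(binary_sha256_hex: str, dbx: bytes = SAMPLE_DBX, from_efivarfs: bool = True) -> bool:
    """True if the hash of an EFI binary (e.g. an old shim or GRUB image) is in the dbx."""
    return binary_sha256_hex.lower() in revoked_sha256_hashes(dbx, from_efivarfs)
```

        On a live system the dbx bytes come from
        /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and the
        hash to check is the SHA-256 of the EFI binary on the EFI System Partition.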


REFERENCES

        [1] Eclypsium: There's A Hole In The Boot
            https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

        [2] We Live Security: UEFI malware: How to exploit a false sense of
            security
            https://www.welivesecurity.com/2017/10/19/malware-firmware-exploit-sense-security/

        [3] ADV200011 | Microsoft Guidance for Addressing Security Feature
            Bypass in GRUB
            https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200011

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================