Operating System Vendors Rushing Out Patches
Illustration shows how “BootHole” flaw can affect multiple operating systems. (Source: Eclypsium)
A vulnerability that can impede the boot-loading process of an operating system could potentially affect billions of Linux and Windows machines as well as a host of other connected devices, according to a report from security firm Eclypsium.
The flaw, which Eclypsium researchers are calling “BootHole,” has the potential to allow an attacker to gain near total control of an infected device, according to the report.
The vulnerability, which is now being tracked as CVE-2020-10713, is present in GRUB2, a boot loader used in Linux devices. If exploited, the vulnerability enables malware to run, subvert the security processes in the operating system and take control of the victim device, the report says.
On Friday, several Linux operating system vendors started rolling out patches to address the vulnerability. This includes fixes for Red Hat, Ubuntu, CentOS, Mint and Debian. But Kevin Beaumont, a researcher with Microsoft, claims that many of the fixes are causing problems of their own.
Wide Potential Impact
In addition to Linux devices, the researchers note the vulnerability is also present in any device that uses GRUB2 along with Secure Boot, a feature used to prevent any malware attacks during the boot process.
As a result, Eclypsium estimates at least 75% of devices running Linux or Windows operating systems are susceptible to BootHole.
“The majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special-purpose equipment used in industrial, healthcare, financial and other industries,” according to the report.
The vulnerability apparently has not yet been exploited, Eclypsium says, noting that it has coordinated its vulnerability disclosure with the impacted operating system vendors and other stakeholders. The company, however, notes that the patch process is likely to be time-consuming because of the scale and complexity of the vulnerability.
“Like many problems in the firmware attack surface, the impact extends far beyond the specifics of a particular vulnerability,” Alex Bazhaniuk, CTO of Eclypsium says. “Many Linux and Windows-based systems, even those not currently running the vulnerable GRUB2, are affected; furthermore, the challenges of firmware update deployment complicate standard mitigation procedures.”
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency issued its own alert about the BootHole vulnerability and asked users to apply a patch or attempt other mitigation steps to ensure attackers don’t exploit the bug.
“Mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older, vulnerable versions in an attack,” according to the Eclypsium report. “This will likely be a long process and take considerable time for organizations to complete patching.”
Exploiting GRUB2 With BootHole
BootHole is a buffer overflow vulnerability that occurs when GRUB2 parses certain key configuration files, according to the Eclypsium report. An attacker can exploit this buffer overflow to gain arbitrary code execution and install a bootkit – malware that targets a device’s motherboard so that it can be executed before the operating system is loaded, the researchers note.
Once the operating system has been infected with a bootkit, the malware can alter the boot process, directly patch the operating system kernel or execute a number of other malicious actions, the report says.
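As an added illustration, not code from Eclypsium or from GRUB2 itself, the following C tokenizer shows the class of defect the report describes: a parser that copies configuration-file tokens into a fixed-size buffer, together with the length check that keeps an overlong token from overrunning that buffer. The buffer size, the function names and the sample lines are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a bounds-checked tokenizer for grub.cfg-style lines.
   Not GRUB2's own parser; TOKEN_MAX is an assumed buffer size for illustration. */
#define TOKEN_MAX 32   /* capacity of the fixed token buffer, including the NUL */

enum tok_result { TOK_END = 0, TOK_OK = 1, TOK_TOO_LONG = -1 };

/* Copy the next whitespace-delimited token from *cursor into out (capacity outsz)
   and advance *cursor past it. Returns TOK_OK, TOK_END when the line is exhausted,
   or TOK_TOO_LONG if the token would not fit.
   The unchecked form of this loop, which keeps writing to out[] until it meets
   whitespace no matter how long the token is, is the shape of a fixed-buffer
   parser overflow: whoever controls the config file controls the length. */
enum tok_result next_token(const char **cursor, char *out, size_t outsz)
{
    const char *p = *cursor;
    size_t n = 0;

    while (*p == ' ' || *p == '\t' || *p == '\n')
        p++;
    if (*p == '\0') {
        *cursor = p;
        return TOK_END;
    }
    while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\n') {
        if (n + 1 >= outsz) {          /* the check the unsafe variant lacks */
            out[0] = '\0';
            return TOK_TOO_LONG;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    *cursor = p;
    return TOK_OK;
}

/* Tokenize a whole line into a fixed TOKEN_MAX buffer.
   Returns the token count, or -1 if any token is too long for the buffer. */
int count_tokens(const char *line)
{
    char tok[TOKEN_MAX];
    int count = 0;
    enum tok_result r;

    while ((r = next_token(&line, tok, sizeof tok)) == TOK_OK)
        count++;
    return r == TOK_END ? count : -1;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real grub.cfg. */
    const char *ok_line = "menuentry 'Example' { linux /vmlinuz root=/dev/sda1 }";
    char long_line[300];
    memset(long_line, 'A', sizeof long_line - 1);
    long_line[sizeof long_line - 1] = '\0';

    printf("normal line: %d tokens\n", count_tokens(ok_line));   /* 7 */
    printf("overlong token: %d\n", count_tokens(long_line));      /* -1 */
    return 0;
}
```

The point of the check is that the parser, not the file, decides the maximum token length: an input that exceeds the buffer is rejected with an error rather than written past the end of it.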
Eclypsium researchers warn that certain advanced persistent threat groups – such as APT41, which operates from China, and NotPetya, which is suspected of having ties to Russia – that are known to use malicious bootkits to infect their victims might consider creating exploits for BootHole.
Targeting Secure Boot
Because Secure Boot relies on a number of code components to run its processes, researchers note that a vulnerability in any of them could allow attackers to bypass the feature. The attackers could then use malware to replace the infected device’s existing bootloader with a vulnerable version, the report says.
Because this application has been designed to prevent running unauthorized code and to limit administrator privileges, the researchers note that an attacker could use the compromised Secure Boot to escalate privileges for further exploitation of the GRUB2 flaw.
“As with any technical process, Secure Boot is not without its potential problems,” the report notes. “Attackers can also use a vulnerable bootloader against the system. The bootloader would be allowed by Secure Boot and give the malware complete control over the system and OS.”
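The revocation step the report calls for is what separates an old, still validly signed bootloader from one the firmware will refuse to run. The following C model is an added example, not Eclypsium’s or any vendor’s code: it represents the Secure Boot allow list (db) and deny list (dbx), shows a validly signed but vulnerable image passing the check until its digest is added to dbx, and uses FNV-1a as a stand-in for the real image hash. The signer names, image bytes and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the UEFI Secure Boot policy check: an image runs only if
   its signer is in the allow list (db) and its digest is not in the deny list (dbx).
   FNV-1a 64 stands in for the real image digest (assumption for this example). */

#define MAX_ENTRIES 8

struct policy {
    const char *db[MAX_ENTRIES];   /* trusted signer identifiers (allow list) */
    size_t db_count;
    uint64_t dbx[MAX_ENTRIES];     /* revoked image digests (deny list) */
    size_t dbx_count;
};

struct image {
    const char *name;
    const char *signer;            /* who signed it; the signature itself is assumed valid */
    const unsigned char *bytes;
    size_t len;
};

/* FNV-1a 64-bit over the image bytes: stand-in for a real digest. */
uint64_t image_digest(const unsigned char *data, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Add an image's digest to dbx (revocation). Returns 0 on success, -1 if dbx is full. */
int revoke_image(struct policy *pol, const struct image *img)
{
    if (pol->dbx_count >= MAX_ENTRIES)
        return -1;
    pol->dbx[pol->dbx_count++] = image_digest(img->bytes, img->len);
    return 0;
}

/* Returns 1 if the policy lets this image boot, 0 otherwise. */
int secure_boot_allows(const struct policy *pol, const struct image *img)
{
    int signer_trusted = 0;
    for (size_t i = 0; i < pol->db_count; i++)
        if (strcmp(pol->db[i], img->signer) == 0)
            signer_trusted = 1;
    if (!signer_trusted)
        return 0;

    uint64_t d = image_digest(img->bytes, img->len);
    for (size_t i = 0; i < pol->dbx_count; i++)
        if (pol->dbx[i] == d)
            return 0;              /* revoked: a valid signature is no longer enough */
    return 1;
}

/* Walk the scenario from the report: an old and a fixed bootloader both signed by a
   trusted vendor key. Packs the four decisions into one int:
   bit3 old-before, bit2 fixed-before, bit1 old-after-revocation, bit0 fixed-after. */
int demo_revocation_scenario(void)
{
    struct policy pol = { { "vendor-ca" }, 1, { 0 }, 0 };
    const unsigned char old_bytes[]   = "constructed-old-vulnerable-bootloader";
    const unsigned char fixed_bytes[] = "constructed-fixed-bootloader";
    struct image old_img   = { "grub-old",   "vendor-ca", old_bytes,   sizeof old_bytes - 1 };
    struct image fixed_img = { "grub-fixed", "vendor-ca", fixed_bytes, sizeof fixed_bytes - 1 };
    int result = 0;

    /* Before revocation: both carry a trusted signature, so both are allowed. */
    result |= secure_boot_allows(&pol, &old_img)   << 3;
    result |= secure_boot_allows(&pol, &fixed_img) << 2;

    /* Revoke the vulnerable image by digest; its signature stays valid. */
    revoke_image(&pol, &old_img);
    result |= secure_boot_allows(&pol, &old_img)   << 1;
    result |= secure_boot_allows(&pol, &fixed_img);
    return result;   /* 0b1101 = 13 */
}

int main(void)
{
    printf("decisions (old-before, fixed-before, old-after, fixed-after): 0x%x\n",
           demo_revocation_scenario());
    return 0;
}
```

The model makes the report’s point concrete: shipping a fixed bootloader changes nothing about the old one, which still carries a trusted signature and still boots until its digest lands in dbx. That is why the fix is both a new signed bootloader and a revocation of the old one, and why the rollout is expected to take time.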