Boothole, a security boot vulnerability, was exposed, affecting almost all Linux and windows devices, and more than 1 billion devices were caught

Time:2021-10-27

Boothole, a security boot vulnerability, was exposed, affecting almost all Linux and windows devices, and more than 1 billion devices were caught

Technical editor: mango fruit from Sifu editorial department
SegmentFault has he reported the official account number: SegmentFault

How serious are the vulnerabilities affecting the safe startup function? It probably affects the boot loader used by almost all Linux systems and almost all windows devices that use safe boot

The vulnerability called “boothole” is this kind of security boot function vulnerability, which belongs to a high-level vulnerability in the security boot function of most laptops, desktops, workstations and servers. After obtaining the permission, you can do whatever you want in your system as if you were in a no man’s land.

What is boothole?

Cve-2020-10713, known as boothole, has a CVss rating of 8.2 and is located in the default GNU grub 2 (Grub2). Even if the operating system does not use Grub2, it will be affected.

If boothole is successfully utilized, boothole will open windows and Linux devices and execute code arbitrarily even when secure boot is enabled. According to eclypsium, this means that attackers can obtain persistence by secretly installing malware and give them “almost complete control” of the device.

In fact, in April this year, the industry found the threat of this vulnerability, and suppliers immediately began to share information and find solutions. Now, this vulnerability has been exposed. Like canonical, Microsoft, red hat, SUSE, Debian, Citrix, Oracle and VMware, they all announced suggestions and mitigation measures today. Some updates are available immediately, while others will continue.

More than 1 billion devices are at risk

As for how many devices may be threatened by boothole vulnerability, John lukedes, vice president of research and Development Department of eclypsium, said: “the default configuration can enable secure startup through the Microsoft UEFI certification authority, which has signed many vulnerable grub versions on almost all devices with windows logo certification since Windows 8.”

Since secure boot is the default setting for most systems sold since Windows 8, eclypsium points out that this means that “most laptops, desktops, servers, workstations and network devices are affected.” this figure can easily exceed 1 billion.

Joe McManus, security director of canonical, which released Ubuntu, said: “this is an interesting vulnerability. Thank eclypsium, canonical and other open source communities for updating Grub2 to resist cve-2020-10713.”

Joe McManus said, “in this process, we found seven other vulnerabilities in Grub2, which will also be fixed in the update released today.” to be sure, this is a good example of internal and external cooperation in the open source software community.

What is the threat to boothole?

UEFI security startup process and Grub2’s role are highly technical. Before running, every firmware and software will be checked, and anything unrecognized will not be executed.

It is very important to determine who can sign the code trusted by the secure boot database, and Microsoft’s third-party UEFI certification authority (CA) is the industry standard.

Open source projects and others use shim (a small application) to contain vendor certificates and code to validate and run Grub2 boot loader. Verify shim using Microsoft third-party UEFI CA before shim loads and validates Grub2 boot loader.

Boothole is a buffer overflow vulnerability involving how Grub2 parses configuration files, allowing attackers to execute arbitrary code and gain control of the operating system boot.

John lukades said: “Secure boot is designed to prevent bootkit attacks, which are usually used to persist, destroy or bypass other security measures. Recent extortion software activities have attacked bootloader on updated UEFI systems. Since secure boot will continue to operate normally, theoretically, this is also a good way to hide attacks for a long time, steal credentials or wait for the termination switch to be triggered.”

However, threat intelligence experts and Ian Thornton trump of cyjax CISO are not too worried. “I don’t want to press the emergency button completely on this issue. Weaponization must rely on a series of vulnerabilities, layered security failures, and attacks to obtain the operating system boot loader,” he said

Therefore, although in theory, this is indeed a very wide range of vulnerabilities, affecting almost all platforms, t hornton trump said: “the greater threat is that vulnerabilities take advantage of more accessible attack surfaces, such as process hijacking and DLL injection.”

A Microsoft spokesman said, “Microsoft is aware of a vulnerability in the grand unified boot loader (grub) commonly used in Linux and is trying to complete the verification and compatibility testing of the necessary windows update packages.”

It is understood that when the relevant windows update appears, the customer will be notified by revising the security consultation issued as part of today’s coordinated disclosure, and will include a mitigation option as an untested update installation.

Response of Linux vendors to boothole

“We are working closely with the Linux community and our industry partners to provide updates to affected red hat products, including Red Hat Enterprise Linux,” said Peter allor, red hat’s director of product security

“Debian is working with other members of the Linux community to prepare updates to address this vulnerability. Security is very important to us, our users and our community,” said a Debian spokesman

SUSE spokesman said: “we know the Linux vulnerability named boothole shared by eclypsium today. Our customers and partners can rest assured that we have released the fixed Grub2 package, which has closed the boothole vulnerability of all SUSE Linux products, and are releasing corresponding updates to the Linux kernel package, cloud image and installation media.”

Therefore, in summary, vendors will update their installers, boot loaders and filler Grub2 patches for Linux distributions and other vendors to address this vulnerability.

The new certificate needs to be signed by Microsoft’s third-party UEFI ca. the administrator of the affected device will need to update the operating system version and installer image installed on site, including disaster recovery media. The UEFI revocation list in the firmware of each affected system eventually needs to be updated to prevent it from being utilized during startup.

What is the domestic impact?

In response to this problem, community users expressed some opinions:

@Loco: this vulnerability is exploited by writing malicious programs to the boot list / partition with administrator privileges, and then the malicious programs can follow the system boot and get higher privileges. Then, anyone with a secure boot function can be attacked, windows or Linux. It may or may not have a great impact on China. There may be rogue software with exploit code. If a white user doesn’t understand it, he will be caught if he gives permission. Generally speaking, as long as permission is not given, most malware can’t do much. This vulnerability itself needs permission to be exploited unless it can bypass permission. Although it is a great threat if it takes effect, there is no problem with rational use.

@Zhang Jintao: the direct impact should not be too great. Windows doesn’t know, but the grub.cfg configuration file of Linux itself needs root permission to access it. For the provided server, the premise of exploiting this vulnerability is that the machine has basically been attacked; However, if the installation package / software installation package of the system is provided, it may be dangerous.

@Edagarli: it has little impact on China. Almost no one uses secureboot in China, and there have been no problems.

Boothole, a security boot vulnerability, was exposed, affecting almost all Linux and windows devices, and more than 1 billion devices were caught

Recommended Today

SQL exercise 20 – Modeling & Reporting

This blog is used to review and sort out the common topic modeling architecture, analysis oriented architecture and integration topic reports in data warehouse. I have uploaded these reports to GitHub. If you are interested, you can have a lookAddress:https://github.com/nino-laiqiu/TiTanI recorded a relatively complete development process in my hexo blog deployed on GitHub. You can […]