Researchers have disclosed a vulnerability that affects nearly every device running Linux, and other systems that boot through the same bootloader. The bug sits in the widely used GRUB2 bootloader and allows arbitrary code to be executed during the boot process, before the operating system takes over.
The vulnerability was discovered earlier this year by security researchers at Eclypsium. The bug, named BootHole and tracked as CVE-2020-10713, is a flaw in GRUB2, currently the most widely used bootloader for Linux distributions. GRUB2 is sometimes also used to boot Windows, for example on dual-boot machines.
The vulnerability allows an attacker to take control of the boot chain before the operating system is loaded. In that chain, the firmware (UEFI) starts a bootloader such as GRUB2, and the bootloader in turn loads the operating system kernel; code that runs at the bootloader stage therefore runs before, and with more authority than, anything in the operating system. This affects PCs, laptops, workstations and servers alike. Exploiting the bug requires either physical access to the system or administrative (root) privileges on it, because the attacker has to modify a file on the boot partition.
How does BootHole work?
According to researchers at Eclypsium, the vulnerability is caused by the way GRUB2 processes its configuration file, grub.cfg.
Secure Boot is a UEFI firmware feature (on most machines anchored in certificates issued by Microsoft) that verifies the digital signature of every binary the firmware loads during boot, including the bootloader itself. grub.cfg, however, is a plain text configuration file rather than a signed binary: GRUB2 parses it after it has already been verified and started, and Secure Boot never checks its contents. By planting an oversized token in this file, an attacker triggers a buffer overflow in GRUB2's configuration parser, which yields arbitrary code execution inside GRUB2 while it still has full control of the machine.
From there the attacker can load unsigned kernels, drivers or other executables without Secure Boot noticing, or install a bootkit that persists beneath the operating system and gives full access to the system.
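To make the mechanism concrete, the following C program is an added, deliberately simplified model of the bug class described above; it is not GRUB2's code. It models a configuration tokenizer with a fixed-size token buffer whose out-of-space handler only reports the problem and returns, so copying continues past the buffer into whatever data follows it. The hardened variant stops at the same point and rejects the input. The `struct scanner`, `scan_token`, `after_intact` and the grub.cfg fragments are all constructed for this example; the writes are kept inside the struct so the demonstration itself stays well defined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a generated scanner's state, not GRUB2's code:
 * a fixed-size token buffer immediately followed by other parser data.
 * The token comes straight from an unsigned, attacker-controlled
 * grub.cfg, so its length is whatever the file says it is. */
#define TOKEN_MAX 16

struct scanner {
    char token[TOKEN_MAX];
    char after[32];   /* stands in for whatever lives past the buffer */
};

/* The flaw being modelled: the "fatal" handler only prints a message
 * and returns, so the caller carries on as if nothing had happened. */
static void fatal_report_only(const char *msg)
{
    fprintf(stderr, "fatal: %s\n", msg);
}

/* Copy one whitespace-delimited token from cfg into s->token.
 * abort_on_overflow=false reproduces the buggy behaviour: the handler
 * fires, but copying continues past the end of token[] into after[].
 * abort_on_overflow=true is the hardened form: stop and reject the input.
 * Returns true if the token fit, false if it was rejected or overflowed. */
static bool scan_token(struct scanner *s, const char *cfg, bool abort_on_overflow)
{
    unsigned char *raw = (unsigned char *)s;      /* byte view of the object */
    size_t base = offsetof(struct scanner, token);
    size_t n = 0;
    bool overflowed = false;

    for (const char *p = cfg; *p != '\0' && *p != ' ' && *p != '\n'; ++p) {
        if (n + 1 >= TOKEN_MAX && !overflowed) {
            overflowed = true;
            fatal_report_only("token too large");
            if (abort_on_overflow)
                break;                            /* hardened: refuse input */
        }
        /* Bounded to the struct so the demo is well defined; a real
         * lexer has nothing stopping the write at the end of the object. */
        if (base + n < sizeof *s)
            raw[base + n] = (unsigned char)*p;
        n++;
    }
    s->token[n < TOKEN_MAX ? n : TOKEN_MAX - 1] = '\0';
    return !overflowed;
}

/* Scan one constructed grub.cfg fragment into a scanner whose after[]
 * holds a known marker, and report whether the marker survived. */
static bool after_intact(const char *cfg, bool abort_on_overflow)
{
    struct scanner s;
    memset(&s, 0, sizeof s);
    strcpy(s.after, "MARKER");
    scan_token(&s, cfg, abort_on_overflow);
    return strcmp(s.after, "MARKER") == 0;
}

int main(void)
{
    /* Constructed inputs: a normal grub.cfg line and a crafted oversized token. */
    const char *normal = "timeout=5\n";
    const char *crafted = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

    printf("normal  line, buggy scanner:    adjacent data intact = %d\n",
           after_intact(normal, false));
    printf("crafted line, buggy scanner:    adjacent data intact = %d\n",
           after_intact(crafted, false));
    printf("crafted line, hardened scanner: adjacent data intact = %d\n",
           after_intact(crafted, true));
    return 0;
}
```

The point of the model is the handler that returns: a bounds check that only logs is no bounds check at all, and because the parser is already past Secure Boot's signature verification when it reads grub.cfg, nothing else stands between the crafted file and the overwrite.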
Patches
The company expects every Linux distribution that ships GRUB2 with Secure Boot support to be affected. Administrators and users are encouraged to install updated GRUB2 packages as they become available; Red Hat has already released a patch for Red Hat Enterprise Linux, and Microsoft is working on its side of the fix. Note that updating GRUB2 on its own does not close the hole: as long as the firmware still trusts the signatures on the old, vulnerable GRUB2 binaries, an attacker can simply boot one of those instead. Completing the fix therefore also requires the firmware's revocation list (the UEFI dbx) to be updated so that the old bootloaders are no longer accepted, which is why the vendors are coordinating their releases.