• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • Cybersecurity researchers revealed a new vulnerability that can affect devices in billions globally.

    It may take in its wake devices, including servers, workstations, desktops, laptops, IoT systems, and more operating on Windows and Linux systems.

    The researchers say that BootHole is a kind of buffer vulnerability capable of affecting all GRUB2 versions. It survives in a similar way it has parsed content out of a configuration file. This process is differently signed by other executables and files.

    Consequently, it breeds the ground for cybercriminals to disrupt the hardware trust mechanism root.

    Due to buffer overflow, the attackers can execute arbitrary codes inside the UEFI environment. Next, they could run malware, patch the operating system kernel directly, alter booting, or execute other malicious activities.

    The security concern is of high risk, and it is dubbed as ‘BootHole’ or CVE-2020-10713. It resides presently in the bootloader – GRUB2. If cybercriminals manage to exploit it, it could allow them to bypass the feature called Secure Boot. In addition, the attackers could also gain sneaky and continued access to the target systems.

    Secure Boot is one of the features of the Unified Extensible Firmware Interface (UEFI). People use it to load certain critical peripherals, operating systems, and components while making sure only cryptographically-signed codes execute while booting.

    According to the Eclypsium researchers’ report, Secure Boot is designed to restrict unauthorized codes from accessing pre-OS persistence and other privileges. For this, it modifies the boot chain or disables the Secure Boot.

    On Windows, attackers can exploit the BootHole by replacing the already installed default bootloaders with a weak GRUB2 version and then install their rootkit malware.

    After-effects of the BootHole vulnerability

    BootHole vulnerability could cause major troubles because of the fact that it allows the attackers to execute their malicious codes before the OS boots. Hence, it becomes tough for security systems to detect malware or eliminate them.

    The other reason why BootHole can easily bug systems is that the execution environment of UEFI lacks Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), or other technologies for exploit prevention.

    Patches and updates are not enough to fix the problem

    Eclypsium experts recently contacted computer manufacturers and OS vendors to help mitigate the issue. It turns out; the solution is not that easy.

    Installing patches and updating GRUN2 bootloaders are not enough to fix the problem. The reason is attackers can replace the existing bootloader of the device with a weaker version.

    The experts say that the mitigation will need newly deployed and signed bootloaders. In addition, the affected bootloaders would need to be retracted.

    Microsoft acknowledges the issue and informs that they are working on compatibility testing and validation of a Windows update, which can address this vulnerability. Furthermore, it recommends the users to update security patches as and when they are available in upcoming weeks.

    Moreover, some Linux distributions also follow suit and have released advisories related to the flaw, upcoming patches, and possible mitigation.

    Read the full post here.