NSA warns of GRUB2 BootHole vulnerability

On July 30, the National Security Agency released a Cybersecurity Advisory (CSA) on a vulnerability (CVE-2020-10713) known as BootHole that poses a risk to a majority of Linux distributions and systems running on Windows 8 or later versions. That includes those on National Security Systems, Department of Defense (DoD) systems, as well as the Defense Industrial Base (DIB). First disclosed by Eclypsium on Wednesday, the vulnerability affects the Grand Unified Bootloader (GRUB2) widely used to boot Linux-based operating systems.

The vulnerability enables bypass of Secure Boot — used to control which software can boot on a device through signature validation — to gain arbitrary code execution and compromise the integrity of the boot process even when Secure Boot is enabled. It could be used to install persistent and stealthy bootkits that operate even when Secure Boot is enabled and functioning correctly. Due to an issue in parsing GRUB configuration files, an attacker can execute arbitrary code to bypass signature verification.

While Windows does not use GRUB, the fact that Unified Extensible Firmware Interface (UEFI)-based computers ‘trust’ the vulnerable version of GRUB makes it possible for a Windows boot process to be compromised by this vulnerability. Impact may include but is not limited to public/private cloud instances, data center servers, end-user desktops/laptops, and Linux-based Operational Technology/Internet of Things devices.

In “Mitigate the GRUB2 BootHole Vulnerability,” NSA provides administrators with two mitigation options. The standard mitigation, which involves updating an endpoint’s boot components and revoking the trust of existing vulnerable boot components, will mitigate the vulnerability in consumer, business and enterprise environments.

NSA plans to release a Cybersecurity Technical Report on “UEFI Secure Boot Customization” soon that will provide comprehensive guidance on how to tackle the advanced mitigation offered in the Cybersecurity Advisory. The advanced mitigation is best suited for endpoints that have higher security and integrity requirements.

Source: NSA