A new high-risk vulnerability affects billions of devices worldwide, including servers, workstations, laptops, desktops and IoT systems running nearly any Linux distribution, as well as Windows systems. Dubbed 'BootHole' and tracked as CVE-2020-10713, the vulnerability resides in the GRUB2 bootloader and, if exploited, lets attackers bypass Secure Boot and gain highly privileged, persistent and stealthy access to the targeted system. Secure Boot is a feature of the Unified Extensible Firmware Interface (UEFI) that verifies a chain of signatures from the firmware through the bootloader to the operating system, so that only cryptographically signed code executes during the boot process. BootHole is a buffer overflow that affects all versions of GRUB2 and lies in the way GRUB2 parses its configuration file, grub.cfg. Unlike the bootloader binaries and the kernel, grub.cfg is typically not signed, so GRUB2 consumes its contents without any verification; a crafted configuration file can overflow a fixed-size buffer during parsing and execute attacker-controlled code at boot, breaking the chain of trust that Secure Boot is meant to enforce. Windows machines are affected too, because the Microsoft third-party UEFI CA that signs the shim bootloaders used to load GRUB2 is trusted by essentially every Secure Boot-enabled PC, so an attacker can drop a signed, vulnerable GRUB2 onto a machine that has never run Linux.
To be noted, grub.cfg lives on the EFI System Partition, so an attacker needs an initial foothold on the target with administrator (root) privileges before the file can be modified. The payoff is what that foothold alone cannot provide: code execution below the operating system, which yields a further escalation of privilege and persistence on the device. Though GRUB2 is the standard bootloader for most Linux systems, it is also used to boot other operating systems, kernels and hypervisors such as Xen, which widens the affected population well beyond Linux desktops. Because the malicious code runs before the operating system boots, security software running inside the OS has a hard time detecting the malware, let alone removing it.
Just installing a patched GRUB2 does not fully resolve the issue, because an attacker with admin access can replace the patched bootloader on the EFI System Partition with an older, still validly signed vulnerable version, and Secure Boot will load it. A complete fix therefore also requires revoking the vulnerable signed bootloaders by adding their hashes or signing certificates to the UEFI forbidden-signature database (dbx), which the firmware consults before executing any image.
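A practitioner check for the revocation half of the fix, added here as an example (it is not code from the BootHole advisory, from GRUB2 or from any vendor): it parses the UEFI dbx variable, whose on-disk format is the EFI_SIGNATURE_LIST layout from the UEFI specification, and answers whether a given bootloader hash has been revoked. The dbx sample inside is constructed for the demonstration and its hashes are placeholders, not the real revoked GRUB2 images; the efivarfs path is the standard Linux location for dbx and is only touched if you call the loader.

```python
"""Parse a UEFI dbx (forbidden-signature database) blob and check whether a
bootloader hash is revoked.

Added example for this page, not the advisory's or any vendor's code. It
assumes only the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the
UEFI specification. SAMPLE_DBX below is constructed for the demo and its
hashes are placeholders, not the real revoked GRUB2 entries.
"""
import hashlib
import struct
import uuid
from typing import Dict, List, Tuple

# Signature-type GUIDs from the UEFI specification (stored little-endian).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32s).
SIGLIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16      # each EFI_SIGNATURE_DATA starts with an owner GUID
EFIVARFS_ATTR_LEN = 4    # efivarfs prefixes every variable with 4 attribute bytes
DBX_EFIVARFS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3e-4596-a3bc-dad00e67656f"


def build_sha256_list(digests: List[bytes], owner: uuid.UUID) -> bytes:
    """Encode one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries. Used here only
    to construct sample dbx content; real firmware ships this pre-built."""
    for d in digests:
        if len(d) != 32:
            raise ValueError("SHA-256 digest must be 32 bytes")
    body = b"".join(owner.bytes_le + d for d in digests)
    hdr = SIGLIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                           SIGLIST_HDR.size + len(body), 0, OWNER_GUID_LEN + 32)
    return hdr + body


def parse_signature_lists(blob: bytes) -> List[Tuple[uuid.UUID, List[Tuple[uuid.UUID, bytes]]]]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures.

    Returns [(signature_type, [(owner_guid, signature_data), ...]), ...].
    Every size field is checked against the real buffer before it is used;
    a malformed list raises ValueError instead of being read past its end.
    """
    out = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size <= OWNER_GUID_LEN:
            raise ValueError("SignatureSize %d leaves no room for data" % sig_size)
        body_off = off + SIGLIST_HDR.size + hdr_size
        body_len = list_size - SIGLIST_HDR.size - hdr_size
        if body_len % sig_size != 0:
            raise ValueError("signature body is not a multiple of SignatureSize")
        entries = []
        for i in range(body_len // sig_size):
            e = blob[body_off + i * sig_size: body_off + (i + 1) * sig_size]
            entries.append((uuid.UUID(bytes_le=e[:OWNER_GUID_LEN]), e[OWNER_GUID_LEN:]))
        out.append((uuid.UUID(bytes_le=type_raw), entries))
        off += list_size
    return out


def revoked_sha256_hashes(dbx: bytes) -> Dict[str, uuid.UUID]:
    """Map hex SHA-256 -> owner GUID for every SHA-256 entry in dbx.
    X.509 entries (whole revoked certificates) are not expanded here."""
    found: Dict[str, uuid.UUID] = {}
    for sig_type, entries in parse_signature_lists(dbx):
        if sig_type != EFI_CERT_SHA256_GUID:
            continue
        for owner, data in entries:
            if len(data) != 32:
                raise ValueError("SHA-256 entry carries %d bytes of data" % len(data))
            found[data.hex()] = owner
    return found


def is_revoked(sha256_hex: str, dbx: bytes) -> bool:
    """True if the image hash is listed in dbx, i.e. firmware will refuse it."""
    return sha256_hex.lower() in revoked_sha256_hashes(dbx)


def is_well_formed(dbx: bytes) -> bool:
    try:
        parse_signature_lists(dbx)
        return True
    except ValueError:
        return False


def load_dbx_from_efivarfs(path: str = DBX_EFIVARFS_PATH) -> bytes:
    """Read the live dbx on Linux, dropping the efivarfs attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[EFIVARFS_ATTR_LEN:]


# Constructed sample: two placeholder "bootloader" images treated as revoked
# and one that is not. These are NOT the real BootHole dbx entries.
_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder owner
SAMPLE_REVOKED = [hashlib.sha256(b"constructed-vulnerable-grub-A").digest(),
                  hashlib.sha256(b"constructed-vulnerable-grub-B").digest()]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED, _OWNER)
SAMPLE_REVOKED_HEX = SAMPLE_REVOKED[0].hex()
SAMPLE_CLEAN_HEX = hashlib.sha256(b"constructed-patched-grub").hexdigest()

if __name__ == "__main__":
    print("revoked:", is_revoked(SAMPLE_REVOKED_HEX, SAMPLE_DBX))  # True
    print("clean:  ", is_revoked(SAMPLE_CLEAN_HEX, SAMPLE_DBX))    # False
```

Two caveats when pointing this at a real machine: the hash a firmware compares against dbx is the Authenticode hash of the PE image (the signed portions of the file, excluding the checksum and certificate table), not a plain SHA-256 of the file on disk, so a real check must compute that hash of the bootloader on the ESP; and a vendor may revoke by certificate (an EFI_CERT_X509 entry) rather than by per-image hash, which this helper reports but does not expand.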
Microsoft is working on a required Windows Update that addresses this vulnerability.
Apply security patches as soon as they are rolled out in the coming weeks.
Other vendors have also addressed the issue in the following list of advisories: