A flaw in the GRUB2 bootloader allows hackers to bypass Secure Boot on billions of systems

nanoguy

Why it matters: Billions of computers currently in use rely on a UEFI feature called Secure Boot to keep unsigned code out of the boot process, so that malware has one less way into the machine. A newly disclosed flaw in one of the most widely used bootloaders can render that protection useless, and fixing it across the installed base will be a nightmare.

Last month, researchers at antivirus company ESET discovered a new type of ransomware had been circulating in the wild, locking out users from accessing important data on their computers. The silver lining was that if you had a UEFI feature called Secure Boot turned on, that would prevent the malicious code from being loaded during system startup.

Secure Boot is part of the UEFI specification, and Microsoft made it a requirement for Windows 8 certified PCs. Its purpose is to ensure that every piece of code executed before the operating system is initialized and takes over carries a valid signature from a key the firmware trusts. On most PCs the firmware trusts Microsoft's keys, and third-party boot components are signed under the Microsoft Third Party UEFI Certificate Authority, which is a sound way to improve the overall security of a PC.

However, researchers from security firm Eclypsium found a way to compromise Secure Boot as it is implemented today. Specifically, they discovered that GRUB2, the bootloader used by nearly every computer running a Linux distribution, has a vulnerability that can let malware slip into the boot process.

The flaw, dubbed "BootHole," is a buffer overflow in the way GRUB2 parses its main configuration file, grub.cfg, which lives in the EFI system partition. Secure Boot verifies the signature on the GRUB2 binary, but grub.cfg is plain text that is neither signed nor checked, so an attacker who can write to that file can plant overlong strings that overflow the parser's buffer and take control of execution inside the already-trusted bootloader, and from there load an unsigned kernel or a rootkit. The caveat is that writing to the EFI system partition requires root or administrator privileges on the machine, or physical access to the disk, so BootHole is a persistence and defense-bypass primitive rather than an initial-access one.
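To make the mechanism concrete, here is an illustrative model, written for this page and not taken from GRUB2's source, of how a fixed-size token buffer in a configuration parser gets overrun when the length check's only consequence is a call to an error hook that returns instead of halting. The struct, the function names and the 40-byte token are all constructed for the demonstration; the guard bytes stand in for whatever the real heap places after the buffer, and the hardened version beside it shows the check done as a real control-flow decision.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative model of a fixed-size token buffer in a config parser.
 * 'tok' is the buffer the parser believes it owns; 'guard' stands in for
 * whatever the real heap places right after it. Both live in one struct so
 * the demonstration never writes outside an object it owns. */
#define TOK_MAX   32
#define GUARD_LEN 16
struct lexbuf {
    char tok[TOK_MAX];
    char guard[GUARD_LEN];
};

/* Hook a generated lexer calls when a token will not fit. */
typedef void (*fatal_fn)(const char *msg);

static int fatal_calls;                        /* how often the hook fired */

/* A "fatal" hook that only reports and returns. Any length check that
 * relies on it halting execution becomes a no-op. */
static void report_and_return(const char *msg)
{
    (void)msg;
    fatal_calls++;
}

/* Vulnerable shape: the length check exists, but its only effect is a call
 * to a hook that comes back, so the copy runs with the oversized length.
 * The cap at sizeof *lb is for this demo only; real code has no such cap. */
int lex_token_unchecked(struct lexbuf *lb, const char *src, size_t len, fatal_fn fatal)
{
    if (len >= TOK_MAX)
        fatal("token too long for buffer");    /* returns; execution falls through */
    if (len > sizeof *lb)
        len = sizeof *lb;                      /* demo-only: stay inside the struct */
    memcpy((char *)lb, src, len);              /* overruns tok into guard */
    return 0;
}

/* Hardened shape: the length check is a decision the caller sees, and
 * nothing is written when it fails. */
int lex_token_checked(struct lexbuf *lb, const char *src, size_t len)
{
    if (len >= TOK_MAX)
        return -1;                             /* reject; treat the config as invalid */
    memcpy(lb->tok, src, len);
    lb->tok[len] = '\0';
    return 0;
}

/* Count guard bytes that are no longer zero, i.e. bytes the parser clobbered. */
int guard_clobbered(const struct lexbuf *lb)
{
    int n = 0;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (lb->guard[i] != 0)
            n++;
    return n;
}

/* Feed a constructed 40-byte token (think of a grub.cfg line such as
 * menuentry 'AAAA...') through the vulnerable version and report how many
 * guard bytes it overwrote. */
int demo_unchecked_overrun(void)
{
    struct lexbuf lb;
    char token[40];
    memset(&lb, 0, sizeof lb);
    memset(token, 'A', sizeof token);
    fatal_calls = 0;
    lex_token_unchecked(&lb, token, sizeof token, report_and_return);
    return guard_clobbered(&lb);               /* 40 - 32 = 8 bytes past the buffer */
}

/* Same token through the hardened version: rejected, nothing written. */
int demo_checked_overrun(void)
{
    struct lexbuf lb;
    char token[40];
    memset(&lb, 0, sizeof lb);
    memset(token, 'A', sizeof token);
    if (lex_token_checked(&lb, token, sizeof token) != -1)
        return -1;                             /* should have been rejected */
    return guard_clobbered(&lb);               /* 0 */
}

int fatal_hook_fired(void) { return fatal_calls; }
```

The point of the model is the shape of the bug rather than any particular offset: once the error path returns to the caller, the parser behaves as if the length check were not there, and the bytes beyond the buffer come straight from an unsigned file on the EFI system partition.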

The attack works because of the way Linux distributions fit into Secure Boot. Most firmware trusts only Microsoft's keys, so distributions ship a small first-stage loader called a "shim" that Microsoft signs under its Third Party UEFI Certificate Authority. The shim embeds the distribution's own certificate and uses it to verify GRUB2, which lets maintainers build and sign updated GRUB2 binaries themselves instead of going through Microsoft for every release. Because GRUB2 is verified but the grub.cfg it reads is not, a trusted loader ends up parsing untrusted data.

Microsoft acknowledged the issue in a security advisory, as did other affected parties including HP, VMware, Debian, Canonical, Red Hat, and SUSE. The Eclypsium researchers noted that only one vendor performs a signature check on the main GRUB2 configuration file, meaning potentially billions of systems are exposed to BootHole.

Mitigation will be particularly hard, because it is a multi-stage process that starts with patching GRUB2. Linux distributions then need to rebuild their installers, bootloaders, disaster recovery images, and shims. The new shims must be signed by the Microsoft Third Party UEFI Certificate Authority, and the old, vulnerable ones must be revoked in firmware on every affected system by adding them to the UEFI forbidden-signature database (dbx). Until a machine's dbx is updated, a vulnerable shim and GRUB2 will still boot on it, so patching alone does not close the hole. Revocation updates have caused boot failures in the past, because manufacturers implement the process differently, and a machine whose dbx revokes the only bootloader present on its disk will not boot at all.
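A practical check that goes with the revocation step above, added here as an example and not part of the original article or of any vendor's tooling: a small parser for the signature-database format that dbx uses (a sequence of EFI_SIGNATURE_LIST structures), which answers whether a given SHA-256 digest has been revoked. The structure layout and the EFI_CERT_SHA256_GUID constant are from the UEFI specification; the sample database and the two digests in it are constructed placeholders, not real dbx entries.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* EFI_CERT_SHA256_GUID {c1c41626-504c-4092-aca9-41f936934328} as stored
 * on disk: the first three fields little-endian, the rest as written. */
static const uint8_t EFI_CERT_SHA256_GUID[16] = {
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40,
    0xac,0xa9, 0x41,0xf9,0x36,0x93,0x43,0x28
};

#define SIGLIST_HDR  28          /* SignatureType GUID + ListSize + HeaderSize + SignatureSize */
#define SHA256_ENTRY (16 + 32)   /* SignatureOwner GUID + digest */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk a signature database (concatenated EFI_SIGNATURE_LIST structs, as in
 * the dbx variable) and report whether 'hash' appears in a SHA-256 list.
 * Lists of other types (e.g. X.509 certificates) are skipped, not parsed.
 * Returns 1 if found, 0 if not, -1 if the data is malformed or truncated.
 * If 'count' is non-NULL it receives the number of SHA-256 entries seen. */
int dbx_contains_sha256(const uint8_t *db, size_t len, const uint8_t hash[32], size_t *count)
{
    size_t off = 0, n = 0;
    int found = 0;
    while (off < len) {
        if (len - off < SIGLIST_HDR) return -1;          /* truncated list header */
        const uint8_t *sl = db + off;
        uint32_t list_size = rd32(sl + 16);
        uint32_t hdr_size  = rd32(sl + 20);
        uint32_t sig_size  = rd32(sl + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR) return -1;
        if (memcmp(sl, EFI_CERT_SHA256_GUID, 16) == 0) {
            if (sig_size != SHA256_ENTRY) return -1;
            size_t body = list_size - SIGLIST_HDR - hdr_size;
            if (body % sig_size) return -1;
            const uint8_t *e = sl + SIGLIST_HDR + hdr_size;
            for (size_t i = 0; i < body / sig_size; i++, e += sig_size) {
                n++;
                if (memcmp(e + 16, hash, 32) == 0) found = 1;
            }
        }
        off += list_size;
    }
    if (count) *count = n;
    return found;
}

/* Constructed sample: one SHA-256 list holding two placeholder digests
 * (all-0x11 and all-0x22). Returns the number of bytes written. */
size_t build_sample_dbx(uint8_t *out, size_t cap)
{
    const size_t list_size = SIGLIST_HDR + 2 * SHA256_ENTRY;
    if (cap < list_size) return 0;
    memset(out, 0, list_size);
    memcpy(out, EFI_CERT_SHA256_GUID, 16);
    wr32(out + 16, (uint32_t)list_size);
    wr32(out + 20, 0);                                   /* no list-specific header */
    wr32(out + 24, SHA256_ENTRY);
    memset(out + SIGLIST_HDR + 16, 0x11, 32);
    memset(out + SIGLIST_HDR + SHA256_ENTRY + 16, 0x22, 32);
    return list_size;
}

/* Wrappers over the sample so results can be checked directly. */
int sample_has_hash(uint8_t fill)
{
    uint8_t db[256], h[32];
    size_t n = build_sample_dbx(db, sizeof db);
    memset(h, fill, sizeof h);
    return dbx_contains_sha256(db, n, h, NULL);
}

int sample_entry_count(void)
{
    uint8_t db[256], h[32] = {0};
    size_t n = build_sample_dbx(db, sizeof db), count = 0;
    if (dbx_contains_sha256(db, n, h, &count) < 0) return -1;
    return (int)count;
}

int sample_truncated(void)
{
    uint8_t db[256], h[32] = {0};
    size_t n = build_sample_dbx(db, sizeof db);
    return dbx_contains_sha256(db, n - 5, h, NULL);     /* -1: list overruns the input */
}

int main(void)
{
    printf("0x11 digest revoked: %d\n", sample_has_hash(0x11));
    printf("0x33 digest revoked: %d\n", sample_has_hash(0x33));
    printf("entries: %d, truncated input: %d\n", sample_entry_count(), sample_truncated());
    return 0;
}
```

On a running Linux system the same parser can be pointed at the firmware's live database by reading /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and skipping its 4-byte variable-attributes prefix; the digest to look up is the Authenticode hash of the shim or GRUB2 image, not a plain file hash, which is the check a practitioner would want before trusting that an old loader can no longer boot.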


 
Once again, the "millions of eyes" theory behind open source has failed. It failed with OpenSSL, it failed with GRUB, and it'll fail again with another open source project in the future.

You see, the problem that so many open source people fail to realize is that in order for people to actually look at the code, you're going to have to pay them. Something about that annoying thing called food and that their grumbling stomachs tend to call for it.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

If you want an eye-opening look at the farce that is open source, read the stuff presented at here, here, here, and here.
 
Once again, the "millions of eyes" theory behind open source has failed. It failed with OpenSSL, it failed with GRUB, and it'll fail again with another open source project in the future.

You see, the problem that so many open source people fail to realize is that in order for people to actually look at the code, you're going to have to pay them. Something about that annoying thing called food and that their grumbling stomachs tend to call for it.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

If you want an eye-opening look at the farce that is open source, read the stuff presented at here, here, here, and here.
The SSL Heartbleed patch was released way ahead of the outbreak, but as usual, most administrators didn't install it.

To install the patch, administrators indeed need to retest all applications after then.

It's why Microsoft's once per month patch release helps reduce the retesting burden.
Linux doesn't have that scheduling.
Even kernel patches usually come every 2 weeks.
By the time diligent administrators install the patches, hackers may have created hacking tools based on the patch's bug info. Then the non-diligent admins, which are the majority, will become victims of hackers.
 
Once again, the "millions of eyes" theory behind open source has failed. It failed with OpenSSL, it failed with GRUB, and it'll fail again with another open source project in the future.

You see, the problem that so many open source people fail to realize is that in order for people to actually look at the code, you're going to have to pay them. Something about that annoying thing called food and that their grumbling stomachs tend to call for it.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

If you want an eye-opening look at the farce that is open source, read the stuff presented at here, here, here, and here.

How's paying people to look through the code working out for Microsoft? How about Bethesda?

I've used a lot of proprietary software and a lot of Open Source software. I can say for a fact I've had much more issues with proprietary software.

In any case, to take a few bugs and equate that to all open source software being a failure is completely ridiculous. Many open source projects get funding just fine. It turns out that some humans are capable of donating money without actually having to or receiving anything in return other than the thought that they are pushing development of the product they use. Who would have thought that capitalism isn't the only thing that drives the world.
 
Open source may not be perfect but I wouldn't want to be the person trying to prove that proprietary closed-source is necessarily better.

And when it comes to operating systems, I don't think you'd have to look too far to find people who feel that say Windows 10 is insecure by design and unfixable by the end user as far as the liberties it takes with their data and their experience.
 
Once again, the "millions of eyes" theory behind open source has failed. It failed with OpenSSL, it failed with GRUB, and it'll fail again with another open source project in the future.

You see, the problem that so many open source people fail to realize is that in order for people to actually look at the code, you're going to have to pay them. Something about that annoying thing called food and that their grumbling stomachs tend to call for it.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

If you want an eye-opening look at the farce that is open source, read the stuff presented at here, here, here, and here.

Ehhh. Cause closed systems like say... Intel's chip designs always fare so much better? You a little biased m8?
I still remember the x86 flaw that allowed a hacker to get the system to tell the user all of the ring 0 command words that were meant for the NSA.
 
You see, the problem that so many open source people fail to realize is that in order for people to actually look at the code, you're going to have to pay them. Something about that annoying thing called food and that their grumbling stomachs tend to call for it.
The biggest difference between open vs closed source is that you actually have the option to pay an independent company to do a code audit for the former, but for the latter you can often do little more than copy-paste from the marketing brochures and hope nothing goes wrong on your watch. The fact that a lot of people don't do this is more a symptom of the general apathy towards security than anything specific to open source. Most smart people understand it's not an "either / or" choice and ideally would involve both source code being open and independently audited.

And if you're complaining about "security issues go unfixed for +17 years because open-source" problems, then being closed source and having huge financial backing hardly stops recent incidents like this:-


Sounds like we could do with Windows 10 codebase being "opened up" and independently audited too, eh?
 
"All an attacker needs to do in order to install a rootkit malware is load a modified version of GRUB2 with long strings of text in the grub.cfg file"

You need access to the grub.cfg file on the system. So the system would need to be compromised before an attacker can access the grub config file (they are going to need admin rights).
 
Correct me if I am wrong, but this sounds like it only affects systems that are dual-booting a linux and windows OS?
 
"All an attacker needs to do in order to install a rootkit malware is load a modified version of GRUB2 with long strings of text in the grub.cfg file"

You need access to the grub.cfg file on the system. So the system would need to be compromised before an attacker can access the grub config file (they are going to need admin rights).

Which can happen if you download an "updated" version & install it yourself. Or if your distro relied on a 3rd-party for the shim in the distro, again in which case it would be installed as soon as you installed it yourself.
 
I'm not saying that closed source programs are any better, Windows is definitely an example of closed source being full of issues. However, I don't think anyone can deny that the biggest issue with open source is that as that stuff I linked to indicated, most people are "takers" and not "givers".

If you like an open source program, you need to do what is right and by that, I mean donate to the project be it direct donations or if they have a merch store, buy something there. Buy a coffee cup or a t-shirt for God's sake! Every little bit helps.

Like it or not, open source projects live and die on their budgets (or should I say, lack of budgets).

The unfortunate thing is that a majority of people are freakin' cheapskates. They don't donate, they don't pay, yet they're the first to start yelling when things go wrong. Case in point, OpenSSL. Everyone uses it, yet nobody donates.
 
And one can be pro-capitalism and pro-open source. Capitalism works great, but it needs real competition. And you need a healthy balance between government and business. If you let either get too powerful you get trouble. Nobody and nothing can be above the law. In a free society, which is still most of the world, we cannot allow anything to be "too big to fail".

And there needs to be a balance between proprietary and open. We would be better off if the monopolies/oligopolies/big players allowed the option of more freedom of choice, as well as open transparency. As has been (well) stated by others above, open source provides the opportunity for transparency. Nothing is perfect, but we need open source.
 
If you like an open source program, you need to do what is right and by that, I mean donate to the project be it direct donations or if they have a merch store, buy something there. Like it or not, open source projects live and die on their budgets (or should I say, lack of budgets).
...
Case in point, OpenSSL. Everyone uses it, yet nobody donates.

I'm not sure you know what goes on in regards to open source projects. Sure, random people in the world who use OpenSSL don't donate, but companies who have a lot more money than random people, do donate, money and time, to the projects. By the $ millions if not $ billions.

For your example of OpenSSL, just take a look here: https://www.openssl.org/community/thanks.html

The following organizations who contribute staff time to work on the project (alphabetically): Akamai, Cryptsoft, Google, Oracle, Red Hat, and Softing.

You think any staff at these places get paid by donation from random people? No, they get paid $100k-$400k salary a year per person to do this work. Even if its just one person per company, that's $600K a year minimum of effort from people contributing to this project. Maybe not 100% of the time, but no project has time spent 100% every day of the year.

These are just a few companies who examine the code, and who TRUST the code, and put it to work saving all of our butts in effort and worry every day. Today there have been 10 commits to the master code of OpenSSL as of this moment. This is more than most code ever gets looked at and modified after being tested extensively for any closed source project.
 
What you're describing is basically what amounts to a one-off kind of thing. What many projects need is a team of dedicated people working as one cohesive group sitting together as a team that does nothing but looks after that code and nothing else. Just because it's open source doesn't mean that you can't have a dedicated team, it just means that you have the core team and everyone else that contributes stuff.

Let's look at Linux for instance, there's Linus Torvalds. He's the heart of the project, the gatekeeper, the MC, the big man, etc. Nothing gets contributed to the Linux kernel source tree without his approval. He (or at least a team of people he hand-picked) approves each and every commit that gets submitted.

I'd go so far as to say that the Linux kernel project is open source done right. It has proper funding not only to pay for servers, people, and other various things that the project needs. Not all open source projects are like this and they're the ones that tend to die.
 
Let's look at Mozilla, that's another example of open source done right. There's a cohesive group of leaders right down to the project leads themselves. Hell, they even have their own building that has offices in it where the core developers sit and maintain the code.

Just because it's open source doesn't mean that you can't have that kind of corporate structure. I'd go so far as to say that Mozilla is the perfect blend of corporate-like thinking blended with the ideals of open source.
 
read the stuff presented at here,
Interesting that you cite The Cathedral and the Bazaar as it does not make your case that we are all mercenaries! It does make the case for large teams of well trained programmers with the skill and motivation to perform the line-by-line reading and analysis however.
 
Ever look at Mozilla?
Oh yeah, Mozilla is probably the most famous of all the open source projects. That and Chromium and of course the Linux kernel itself. Projects at that scale need large sums of cash to keep the project going.
 
Oh yeah, Mozilla is probably the most famous of all the open source projects. That and Chromium and of course the Linux kernel itself. Projects at that scale need large sums of cash to keep the project going.
Back to The Cathedral and the Bazaar; they need many eyeballs
 
Which can happen if you download an "updated" version & install it yourself. Or if your distro relied on a 3rd-party for the shim in the distro, again in which case it would be installed as soon as you installed it yourself.
You would need to install it as root. How often do you download a version of the Grub bootloader separate from the distro itself? I never have, and the day before yesterday was the first time I have seen an update to Grub2 (the patched version was pushed to my Mint 20 install before I saw the news). There is a better write-up of the issue over at El Reg. Whilst it isn't good that the flaw exists, the machines I use Linux on are too old for Secure Boot anyway (too old for Win 10, hence Linux).
 