Wednesday, July 29th 2020
New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader
Even if you don't have more than one operating system installed, your PC has a boot-loader, a software component first executed by the system BIOS, which decides which operating system to boot. This also lets users toggle between different run-levels or configurations of the same OS. The GRUB2 boot-loader is deployed across billions of computers, servers, and pretty much any device that uses a Unix-like operating system. Cybersecurity researchers with Oregon-based firm Eclypsium discovered a critical vulnerability in GRUB2 that can compromise a device's operating system. They named the vulnerability BootHole. This is the same firm behind last year's discovery of the Screwed Drivers vulnerability. It affects any device that uses the GRUB2 boot-loader, including when combined with Secure Boot technology.
BootHole exploits a design flaw involving two key components of GRUB2: bison, a parser generator, and flex, a lexical analyzer. Eclypsium discovered that these two can have "mismatched design assumptions" that lead to a buffer overflow. This buffer overflow can be exploited to execute arbitrary code. Devices with modern UEFI and Secure Boot enabled typically wall off even administrator-level users from tampering with the boot process. In the case of BootHole, however, the boot-loader parses a configuration file located in the EFI partition of the boot device, and that file can be modified by any user (or malicious process) that has admin privileges. Thankfully, patched versions of GRUB2 are already out, and the likes of SUSE have started distributing them for all versions of SUSE Linux. Expect practically every other *nix vendor and server manufacturer to release patches to their end-users. Find a technical run-down of the vulnerability in this PDF by Eclypsium.
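Since the weak link described above is a boot-loader config file that any admin-level process can rewrite, a defender's first practical control is to know when it changes. The following is an added example (not code from the article, Eclypsium, or the GRUB2 project) that baselines the SHA-256 of every grub.cfg under a mounted EFI system partition, reports new, modified or missing configs, and flags oversized tokens, which is the kind of input a parser with a fixed-size buffer cannot handle; the 512-character threshold and the `/boot/efi` mount point are assumptions, not values from the advisory.

```python
# Added example: integrity check for GRUB2 config files on the EFI partition.
# Not from the article or from GRUB2/Eclypsium; paths and limits are assumptions.
import hashlib
import re
from pathlib import Path

# Assumption: tokens longer than this in a boot config are suspicious. The value
# is a constructed heuristic, not a figure from the BootHole write-up.
MAX_TOKEN_LEN = 512
TOKEN_RE = re.compile(r"\S+")


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's raw bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_grub_cfgs(efi_root: Path) -> list[Path]:
    """Every grub.cfg under the mounted EFI system partition (e.g. /boot/efi)."""
    return sorted(p for p in efi_root.rglob("grub.cfg") if p.is_file())


def build_baseline(efi_root: Path) -> dict[str, str]:
    """Record a trusted hash per config; take this right after patching GRUB2."""
    return {p.relative_to(efi_root).as_posix(): sha256_of(p)
            for p in find_grub_cfgs(efi_root)}


def check_efi_configs(efi_root: Path, baseline: dict[str, str]) -> list[str]:
    """Compare the partition against the baseline; return human-readable findings."""
    findings: list[str] = []
    seen: set[str] = set()
    for p in find_grub_cfgs(efi_root):
        rel = p.relative_to(efi_root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings.append(f"NEW config not in baseline: {rel}")
        elif sha256_of(p) != baseline[rel]:
            findings.append(f"MODIFIED config: {rel}")
        # An admin-writable config is exactly where oversized input would be planted.
        for lineno, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
            for tok in TOKEN_RE.findall(line):
                if len(tok) > MAX_TOKEN_LEN:
                    findings.append(f"OVERSIZED token ({len(tok)} chars) in {rel} line {lineno}")
                    break
    for rel in sorted(baseline.keys() - seen):
        findings.append(f"MISSING config from baseline: {rel}")
    return findings
```

Run `build_baseline(Path("/boot/efi"))` once after patching, persist the result somewhere the boot partition cannot reach, and run `check_efi_configs` from a periodic job; any non-empty result is worth an alert.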
Source:
HotHardware
45 Comments on New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader
Look at OpenSSL; millions of people use it across the globe, yet for the longest time there was only one man tasked with maintaining the code, and not only that but a man in his sixties no less. It was only when a high-profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.
Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.
There's plenty of open source projects out there with tons of funding and dedicated developers, but companies tend to forget about "little" projects that run their entire goddamn infrastructure like OpenSSL and GRUB.
Good thing it was discovered though, many attacks these days are built around chaining together several innocuous and/or hard to exploit flaws like this.
So YES, Windows is affected too. Maybe not as badly, but still.
But I can see how this will affect dual-boot installs: once you botch the UEFI, it stays botched.
And OpenSSL wasn't the only big-name project that damn near failed. Ever heard of OpenBSD? Yeah, back in January of 2014 they didn't even know if they were going to be able to keep the lights on and pay the electricity bill. It was only a $100,000 bailout by none other than Microsoft that saved OpenBSD from oblivion. And I'm pretty damn sure that Microsoft didn't give the money over out of the goodness of their hearts. If you believe that, I've got some bottom land to sell you; just don't ask me what it's at the bottom of.
Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.
Just look at the forum software that powers this very forum, XenForo. It's written in PHP; however, it's $160 a year for the base package. If you add some addons, it's $345 a year. And it's not open source. Sure, there's phpBB and Simple Machines Forum, but yeah right.
But you're right, aside from a few hundred projects, open source is totally a joke.
Something that involves a library of code as huge as OpenSSL needs more than one person to scan the lines of code; I'd go so far as to say that it needs a team of people doing code audits at least twice a year if not more than that. OpenSSL is like the water and sewer pipes of the Internet; if that breaks, all hell breaks loose.
The problem that most open source projects have is that they have a lot of "takers" but not a lot of "givers". If you like an open source program/project, you need to do what is right, and by that I mean donate to the project, be it through direct donations or, if they have a merch store, by buying something there. Buy a coffee cup or a t-shirt for God's sake! Every little bit helps.
Like it or not, open source projects live and die on their budgets (or should I say, lack of budgets). The unfortunate thing is that a majority of people are freakin' cheapskates. They don't donate, they don't pay, yet they're the first to start yelling when things go wrong.
Open source is usually just that: a bunch of people that want to give something away. For free.
I mean, what's worse, an OSS project that doesn't gather much interest and dies in a few months, or Bixby, that has probably eaten billions by now and will never have anything to show for it?