Wednesday, July 29th 2020

New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader

Even if you don't have more than one operating system installed, your PC has a boot-loader: a software component that is executed first by the system BIOS and that decides which operating system to boot. It also lets users choose between different run-levels or configurations of the same OS. The GRUB2 boot-loader is deployed across billions of computers, servers, and pretty much any device that runs a Unix-like operating system. Cybersecurity researchers with the Oregon-based firm Eclypsium discovered a critical vulnerability in GRUB2 that can compromise a device's operating system from the boot stage onward. They named the vulnerability BootHole. This is the same firm behind last year's discovery of the Screwed Drivers vulnerability. BootHole affects any device that uses the GRUB2 boot-loader, including when it is combined with Secure Boot technology.

BootHole exploits a design flaw involving two tools whose generated code sits at the heart of GRUB2's configuration parser: bison, a parser generator, and flex, a lexical-analyzer generator. Eclypsium found that the code these two produce can carry "mismatched design assumptions" that lead to a buffer overflow, and that overflow can be exploited to execute arbitrary code before the operating system loads. Devices with modern UEFI and Secure Boot enabled normally wall off even administrative users from tampering with the boot process. In the case of BootHole, however, the boot-loader parses a configuration file (grub.cfg) located in the EFI partition of the boot device, a file that is not covered by Secure Boot's signature checks and that can be modified by any user (or malicious process) with admin privileges. Thankfully, patched versions of GRUB2 are already out, and vendors such as SUSE have started distributing them for all versions of SUSE Linux. Expect practically every other *nix vendor and server manufacturer to release patches to their end-users. Find a technical run-down of the vulnerability in this PDF by Eclypsium.
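One concrete shape of the "mismatched design assumptions" the article mentions is a generated lexer that assumes its fatal-error hook never returns, paired with a host program whose hook only logs and returns, so the copy loop carries on past the end of its buffer. The C program below is an added, simplified model written for this page to illustrate that bug class; it is not Eclypsium's or the GRUB project's code. The token buffer, the canary region standing in for the neighbouring memory, the `lex_token_mismatched` and `lex_token_hardened` functions and the 30-byte constructed input are all assumptions of the example. All writes stay inside one struct so the demonstration itself remains well-defined, while the canary shows whether the neighbouring bytes were clobbered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena: a small token buffer followed by a canary region that
 * stands in for whatever lives next to the buffer in a real program. */
#define TOKEN_CAP   16
#define CANARY_LEN  8
#define CANARY_BYTE 0xAA

typedef struct {
    unsigned char token[TOKEN_CAP];
    unsigned char canary[CANARY_LEN];
} arena_t;

static void arena_init(arena_t *a) {
    memset(a->token, 0, TOKEN_CAP);
    memset(a->canary, CANARY_BYTE, CANARY_LEN);
}

/* Returns 1 if the canary is untouched, 0 if something wrote past the token buffer. */
int canary_intact(const arena_t *a) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (a->canary[i] != CANARY_BYTE) return 0;
    return 1;
}

/* The "fatal" error hook. The generated lexer's model requires this to never
 * return; this host-side version merely logs and returns (the mismatch). */
static void fatal_error_that_returns(const char *msg) {
    fprintf(stderr, "lexer: %s\n", msg);
}

/* Mismatched version: reports the overflow but keeps copying, because the
 * loop was written on the assumption that the hook aborts. Copying is capped
 * at the arena size so this model never writes outside the struct. */
size_t lex_token_mismatched(const char *in, arena_t *a) {
    unsigned char *p = (unsigned char *)a;   /* raw view of the whole arena */
    size_t n = 0;
    while (in[n] && in[n] != ' ' && n < sizeof(arena_t) - 1) {
        if (n == TOKEN_CAP - 1) fatal_error_that_returns("token too long");
        p[n] = (unsigned char)in[n];         /* continues into the canary */
        n++;
    }
    p[n] = 0;
    return n;
}

/* Hardened version: the overflow path is a hard stop. Returns the number of
 * bytes copied, or -1 if the token did not fit; nothing past token[] is touched. */
long lex_token_hardened(const char *in, arena_t *a) {
    size_t n = 0;
    while (in[n] && in[n] != ' ') {
        if (n == TOKEN_CAP - 1) {
            fatal_error_that_returns("token too long");
            a->token[0] = 0;
            return -1;                       /* caller must stop lexing here */
        }
        a->token[n] = (unsigned char)in[n];
        n++;
    }
    a->token[n] = 0;
    return (long)n;
}

/* Constructed 30-byte token with no whitespace, well past TOKEN_CAP. */
static const char OVERLONG[] = "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";

/* 1 if the mismatched lexer clobbered the canary on the overlong token. */
int mismatched_clobbers_canary(void) {
    arena_t a; arena_init(&a);
    lex_token_mismatched(OVERLONG, &a);
    return !canary_intact(&a);
}

/* 1 if the hardened lexer rejected the overlong token and left the canary alone. */
int hardened_keeps_canary(void) {
    arena_t a; arena_init(&a);
    long r = lex_token_hardened(OVERLONG, &a);
    return r == -1 && canary_intact(&a);
}

/* 1 if a token that fits is copied correctly by the hardened lexer. */
int short_token_roundtrip(void) {
    arena_t a; arena_init(&a);
    long r = lex_token_hardened("hello world", &a);
    return r == 5 && strcmp((const char *)a.token, "hello") == 0 && canary_intact(&a);
}

int main(void) {
    printf("mismatched lexer corrupts neighbouring bytes: %s\n",
           mismatched_clobbers_canary() ? "yes" : "no");
    printf("hardened lexer keeps neighbouring bytes intact: %s\n",
           hardened_keeps_canary() ? "yes" : "no");
    return 0;
}
```

The hardened form is the defensive pattern: an error hook that can return must hand a status back to the copy loop, and the loop must treat that status as a stop rather than as a warning it may ignore.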
Source: HotHardware

45 Comments on New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader

#26
trparky
bug wrote: Open source is usually just that: a bunch of people that want to give something away. For free.
But that's not a viable business plan, that's not going to put food on your table. Gas in your car's tank. A roof over your head. I really could go on and on really. Is it a sad reality? Yes! But that's how the world works and until we change the very basics of how the world works and we embrace something that's similar in nature to what's presented in Star Trek where it's just a happy utopia where you can paint if you want to because you can just get your food from a hole in the wall (I'm referencing the food replicator here), it's just not going to work.
Posted on Reply
#27
bug
trparky wrote: But that's not a viable business plan, that's not going to put food on your table. Gas in your car's tank. A roof over your head. I really could go on and on really. Is it a sad reality? Yes! But that's how the world works and until we change the very basics of how the world works and we embrace something that's similar in nature to what's presented in Star Trek where it's just a happy utopia, it's just not going to work.
It's a very viable business plan if I can add an open source project that's actually useful to my resume. It will put food on my table.

Open source is first about people. For some reason you keep talking about it like a bean counter. Not that it's a bad thing, but it's a really, really narrow understanding of what open source is.
Posted on Reply
#28
trparky
bug wrote: For some reason you keep talking about it like a bean counter.
No, I think economically because in the end all humans need food. Don't get me wrong, open source is a laudable goal but until we, as a species, achieve a non-scarcity based economic system because literally everything is free because you can just walk up to your food replicator and ask it for a steak dinner and have it appear out of nowhere, I just don't see how it'll work.
Posted on Reply
#29
bug
trparky wrote: No, I think economically because in the end all humans need food. Don't get me wrong, open source is a laudable goal but until we, as a species, achieve a non-scarcity based economic system because literally everything is free because you can just walk up to your food replicator and ask it for a steak dinner and have it appear out of nowhere, I just don't see how it'll work.
Well, if you don't see how it will work, you've got a problem. Because it works already.
Posted on Reply
#30
trparky
bug wrote: Well, if you don't see how it will work, you've got a problem. Because it works already.
The way I see it is the typical starving artist. Sure, your painting is nice but if no one buys it and thus gives you money, you're not going to be able to eat, let alone make another painting. Do you see where I'm coming from?
bug wrote: Because it works already.
Tell that to the graveyard that is GitHub. I've explored GitHub, thousands of projects that never got off the ground. The code is there but often it's so buggy or undocumented that I'd have better luck picking it apart for the scraps and building my own solution. I've done it, I've built my own programs from scraps that I found on GitHub only to have to fix it so much that I just ended up rewriting the whole damn thing.
Posted on Reply
#31
bug
trparky wrote: The way I see it is the typical starving artist. Sure, your painting is nice but if no one buys it and thus gives you money, you're not going to be able to eat, let alone make another painting. Do you see where I'm coming from?
Yes, you don't know what you're talking about, you think open source is an all or nothing approach.

It's not. It's something people are doing in their spare time (you're interrupting me from my Android project right now), it's something that is both written and studied in universities, it's something you do at your job if you're paid to. It can even be something you do in your spare time because it helps you at your job.

And if you want to make a living off open source, you do that by charging for support. Or by extending your open source project with non-open functionality.
trparky wrote: The way I see it is the typical starving artist. Sure, your painting is nice but if no one buys it and thus gives you money, you're not going to be able to eat, let alone make another painting. Do you see where I'm coming from?

Tell that to the graveyard that is GitHub. I've explored GitHub, thousands of projects that never got off the ground. The code is there but often it's so buggy or undocumented that I'd have better luck picking it apart for the scraps and building my own solution. I've done it, I've built my own programs from scraps that I found on GitHub only to have to fix it so much that I just ended up rewriting the whole damn thing.
Please, not that idiocy again. I've already told you that in this industry 80% of the projects fail anyway.
Posted on Reply
#32
trparky
bug wrote: Or by extending your open source project with non-open functionality.
If we go by the GPL, you can't do that; any and all changes you make must be submitted back to the community from which it came. There's a reason why there's the BSD license, it doesn't have that licensing restriction. Is it any wonder why Apple chose OpenBSD to build Mac OS X from? Yeah...
Posted on Reply
#33
bug
trparky wrote: If we go by the GPL, you can't do that; any and all changes you make must be submitted back to the community from which it came. There's a reason why there's the BSD license, it doesn't have that licensing restriction. Is it any wonder why Apple chose OpenBSD to build Mac OS X from? Yeah...
Red herrings... You're starting to see you were wrong, right?
Posted on Reply
#34
trparky
Are you referring to the idea that GPL ≠ Open Source and Open Source ≠ GPL?
Posted on Reply
#35
bug
trparky wrote: Are you referring to the idea that GPL ≠ Open Source and Open Source ≠ GPL?
No, I mean I didn't say you can extend all open source code and you went ahead and picked on a particular case anyway. Answering questions/problems that were never asked is a classic means of derailing a discussion ;)
Posted on Reply
#36
moproblems99
trparky wrote: No, I think economically because in the end all humans need food. Don't get me wrong, open source is a laudable goal but until we, as a species, achieve a non-scarcity based economic system because literally everything is free because you can just walk up to your food replicator and ask it for a steak dinner and have it appear out of nowhere, I just don't see how it'll work.
You're looking at it as if OSS is all someone does. Many open source projects are people's spare time projects for the love of doing it. They usually already have jobs. Or college kids. Or any other reason. They aren't doing it to put food on the table (unless for a resume).
Posted on Reply
#37
trparky
moproblems99 wrote: You're looking at it as if OSS is all someone does. Many open source projects are people's spare time projects for the love of doing it. They usually already have jobs. Or college kids. Or any other reason. They aren't doing it to put food on the table (unless for a resume).
Perhaps I am. Maybe I'm too caught up on the success of big projects like Mozilla Firefox, Chromium, and of course the Linux kernel itself. They all took off and became hugely successful projects that people the world over use. They're classified as the quintessential open source success stories that took over the world.
Posted on Reply
#38
Minus Infinity
Intel's 7nm may be in trouble but their 16 point font is way denser than competing 8 point fonts and shows they still have technical superiority where it counts.
Posted on Reply
#39
silkstone
trparky wrote: Perhaps I am. Maybe I'm too caught up on the success of big projects like Mozilla Firefox, Chromium, and of course the Linux kernel itself. They all took off and became hugely successful projects that people the world over use. They're classified as the quintessential open source success stories that took over the world.
OpenWrt is another hugely successful one, with very little investment, AFAIK. Still, some pretty big name brands come with OpenWrt as an option.
Posted on Reply
#40
trparky
silkstone wrote: Still, some pretty big name brands come with OpenWrt as an option.
And I hope that those brands contribute money towards OpenWRT's development. However, I wouldn't bet on it. The cynical bastard in me says otherwise.
Posted on Reply
#41
bug
trparky wrote: And I hope that those brands contribute money towards OpenWRT's development. However, I wouldn't bet on it. The cynical bastard in me says otherwise.
It's ridiculous how few contributions companies that benefit from open source make, that much is clear. It's also idiotic, throwing a few $$$ towards people that give you goodies for free only ensures you get better goodies in the future. But people are that short-sighted, nothing you can do about it.
Posted on Reply
#42
trparky
bug wrote: But people are that short-sighted, nothing you can do about it.
And there's the crux of my issue that I was driving at earlier. Right there, summed up in one phrase.
Posted on Reply
#43
bug
trparky wrote: And there's the crux of my issue that I was driving at earlier. Right there, summed up in one phrase.
Yes, but that's a problem with people, not with open source. Open source is just one of the many things affected by shortsightedness.
Posted on Reply
#44
Caring1
Look, if your boothole is vulnerable, stick a plug in it so no nasties can get in, alright. :eek:
Posted on Reply
#45
lexluthermiester
Soooo...

Back on topic, I've actually tried this vulnerability (I run several devices that have GRUB2 installed). It's a kick to the jimmies at best to make it work right and there is no way in heaven or hell someone is remoting in to do it, at least based on the scenarios described by the data sheet and what I tried. Granted, I'm not the most freaky-neeky crackster in the world, but it's just not feasible to take advantage of the "hole-in-the-boot" unless the system in question is an extremely high value target and there are no easier avenues of exploit (which is unlikely).
Posted on Reply