New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader

[btarunr]

Even if you don't have more than one operating system installed, your PC has a boot-loader, a software component first executed by the system BIOS, which decides which operating system to boot with. This also lets users toggle between different run-levels or configurations of the same OS. The GRUB2 boot-loader is deployed across billions of computers, servers, and pretty much any device that uses a Unix-like operating system. Cybersecurity researchers with Oregon-based firm Eclypsium, discovered a critical vulnerability with GRUB2 that can compromise a device's operating system. They named the vulnerability BootHole. This is the same firm behind last year's discovery of the Screwed Drivers vulnerability. It affects any device that uses the GRUB2 boot-loader, including when combined with Secure Boot technology.

BootHole exploits a design flaw with two of the key components of GRUB2, bison, a parser generator, and flex, a lexical analyzer. Eclypsium discovered that these two can have "mismatched design assumptions" that can lead to buffer overflow. This buffer overflow can be exploited to execute arbitrary code. Devices with modern UEFI and Secure Boot enabled typically wall off even administrative privileged users off from tampering with boot processes, however, in case of BootHole, the boot-loader parses a configuration file located in the EFI partition of the boot device, which can be modified by any user (or malicious process) that has admin privileges. Thankfully, patched versions of GRUB2 are already out, and the likes of SUSE have started distributing it for all versions of SUSE Linux. Expect practically every other *nix vendor, server manufacturer, to release patches to their end-users. Find a technical run-down of the vulnerability in this PDF by Eclypsium.



View at TechPowerUp Main Site

 

[Crackong]

Finally not an intel specific bug.

 

[mborghi]

Are windows users safe from this one?

 

[trparky]

Are windows users safe from this one?

Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only until high profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

 

[xman2007]

I think I need my coffee though it's only 6.20am here, I had to double take as I thought it said bootyhole vulnerability

 

[TheLostSwede]

Are windows users safe from this one?

Apparently not. Technically no OS is safe from this.

 

[Corvid]

Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only until high profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

None of these problems are problems with open source. They are problems with a lack of qualified/interested programmers, capitalism, and the profit motive.

There's plenty of open source projects out there with tons of funding and dedicated developers, but companies tend to forget about "little" projects that run their entire goddamn infrastructure like OpenSSL and GRUB

 

[lexluthermiester]

After having read into it more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that can not be discounted. This is not something the average user needs worry about.

 

[trparky]

They are problems with a lack of qualified/interested programmers, capitalism, and the profit motive.

If it's the choice between providing for yourself and your family, most good programmers will take a job at places like Microsoft, Google, Apple, IBM, or any other Fortune 500 company and rightfully so. Nobody likes starving.

There's plenty of open source projects out there with tons of funding and dedicated developers

Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.

 

[silkstone]

Yes. However, the theory behind open source's million eyes idea is a load of bunk. I've said it before and I'll say it again, for open source to really work you need people willing to actually look at the code. The funny thing is you generally need to pay people to do that sort of work. Something about needing that silly thing called food and you generally need money to get that food.

Look at OpenSSL, millions of people use it across the globe yet for the longest time there was only one man tasked with maintaining the code and not only that but a man in his sixties no less. It was only until high profile vulnerability came along that significant funding found its way to the group that was tasked with maintaining OpenSSL to hire additional developers. They have no idea when or if additional funding will find its way to the OpenSSL group again.

Open source is nice and all, until you have to pay the bills and then... oh yeah, we didn't think that far ahead.

People monetize open source all the time. Sure, you might be right about small, obscure open source programs, but when big companies use open source, they do scrutinize the code and they do get paid to do so.

 

[sumolDeLaranja]

Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.

You think said projects get funding out of kindness in big-name companies' hearts, or because not having to reinvent the wheel lets them save money and pay for programmers to do real innovation?

Spoiler

Please no jokes about our best and brightest spending their time creating adtech algorithms to sell you a fidget spinner...

It seems like megacorps see a place for open source, and clearly they do want to employ bright people and have them create new products and services, and not have them rewrite rather essential stuff like cryptography stacks and bootloaders over and over again...

 

[R-T-B]

Yes. However, the theory behind open source's million eyes idea is a load of bunk.

It's not. his vulnerability however, is. If you control the bootloader you can just pass some kernel parameters to attain root, how is this a vulnerability? This is more like a concept in computing, lol.

Apparently not. Technically no OS is safe from this.

They are. Windows doesn't use GRUB, it uses NTLDR. Not that you can't uh, do the same kind of crap there. Bootloaders are not meant to be secure really. It's like having physical access to the machine at that point.

After having read into this more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that can not be discounted. This is not something the average user needs worry about.

I mean if you have root, you can always rewrite the bootloader. But again, this is like crying about how I got compromised because I was already compromised. It's BS.

 

[bug]

After having read into this more closely, this is yet another vulnerability that requires physical access to implement and has a level of difficulty that can not be discounted. This is not something the average user needs worry about.

Yes, you need to craft a grub.cfg file. You can only do that if you gain root privileges first. If an attacker gains root access on your machine, grub/secure boot is the least of your worries.

Good thing it was discovered though, many attacks these days are built around chaining together several innocuous and/or hard to exploit flaws like this.

 

[Anymal]

Are windows users safe from this one?

Yes, but not from ButtHole, Microsoft specific bug since WinME

 

[bug]

Oh yes but outside of the big projects like Ubuntu, WordPress, Apache, MySQL/MariaDB, PHP, LibreOffice, and of course... (the most popular of them all) the Linux kernel itself, most open source projects die within a year of starting due to lack of funding. Just look at the graveyard that is GitHub, a good 98% of projects have died. And for those projects that have made it, they often get funding from big-name companies.

About 80% of all software projects are failures, open source has nothing to do with that.

 

[TheLostSwede]

They are. Windows doesn't use GRUB, it uses NTLDR. Not that you can't uh, do the same kind of crap there. Bootloaders are not meant to be secure really. It's like having physical access to the machine at that point.

The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.

There's a Hole in the Boot - Eclypsium | Supply Chain Security for the Modern Enterprise

The BootHole vulnerability in the GRUB2 bootloader opens up Windows and Linux devices using Secure Boot to attack. The majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment

eclypsium.com

So YES, Windows is affected too. Maybe not as badly, but still.

 

[bug]

There's a Hole in the Boot - Eclypsium | Supply Chain Security for the Modern Enterprise

The BootHole vulnerability in the GRUB2 bootloader opens up Windows and Linux devices using Secure Boot to attack. The majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment

eclypsium.com

So YES, Windows is affected too. Maybe not as badly, but still.

It's unclear to me how this will affect a pure Windows install, since those don't include grub. Also unclear why the certificate authority is mentioned.
But I can see how this will affect dual-boot installs: once you botch the UEFI, it stays botched.

 

[trparky]

Sure, you might be right about small, obscure open source programs

What about OpenSSL? That thing is something that the whole entire Internet is practically built on, it's the one piece of software that literally makes secure eCommerce possible. Yet, it never got the attention that it deserved until all of a sudden, some nasty big security hole was found (Heartbleed) and THEN it got the funding it needed. Where was the funding before? Oh sure, they got some scraps thrown their way every once in a great while; but in the end it was just scraps. Oh here, we had some money in our end-of-the-year budgets, let's throw it their way.

And OpenSSL wasn't the only big-name project that damn near failed. Ever heard of OpenBSD? Yeah, back in January of 2014 they didn't even know if they were going to be able to keep the lights on and pay the electricity bill. It was only after a $100,000 bailout by none other than Microsoft that saved OpenBSD from oblivion. And I'm pretty damn sure that Microsoft didn't give the money over out of the goodness of their hearts. If you believe that, I've got some bottom land to sell you; just don't ask me what it's at the bottom of.

Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.

Just look at the forum software that powers this very forum, XenForo. It's written in PHP however it's $160 a year for the base package. If you add some addons, it's $345 a year. And it's not open source. Sure, there's phpBB and Simple Machines Forum but yeah right.

 

[bug]

Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.

Gtk/Gnome, Qt/KDE, GIMP, Darktable, Blender, Apache Kafka (et comp), Elasticsearch, Mozilla, Chromium, OpenWRT, pfSense, PuTTY, Keepass, ffmpeg, VLC, git, gcc...
But you're right, aside from a few hundred projects, open source is totally a joke.

 

[trparky]

Mozilla is funded by huge donations from Google. Chromium is obviously by Google. But that’s why I said, outside of the big-name projects open source is generally a joke. Most projects on GitHub die within a year due to lack of funding.

 

[R-T-B]

There's a Hole in the Boot - Eclypsium | Supply Chain Security for the Modern Enterprise

The BootHole vulnerability in the GRUB2 bootloader opens up Windows and Linux devices using Secure Boot to attack. The majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment

eclypsium.com

So YES, Windows is affected too. Maybe not as badly, but still.

Ah. The grub2 commentary confused me.

What about OpenSSL? That thing is something that the whole entire Internet is practically built on, it's the one piece of software that literally makes secure eCommerce possible. Yet, it never got the attention that it deserved until all of a sudden, some nasty big security hole was found (Heartbleed) and THEN it got the funding it needed.

It had funding the whole time, it just had a big bug in a complex software. This happens, money or not.

Most projects on GitHub die within a year due to lack of funding.

A lack of a maintainer does not make them useless.

 

[trparky]

It had funding the whole time, it just had a big bug in a complex software. This happens, money or not.

Not according to the one man who was maintaining it. There was only one man who was babysitting the code of OpenSSL and he was in his sixties. He wanted to retire for God's sake yet with not enough funding being brought in, he couldn't hand the project off.

Something that involves a library of code as huge as OpenSSL is needs more than one person to scan the lines of code, I'd go so far as to say that it needs a team of people doing code audits at least twice a year if not more than that. OpenSSL is like the water and sewer pipes of the Internet, if that breaks all hell breaks loose.

 

[R-T-B]

Not according to the one man who was maintaining it. There was only one man who was babysitting the code of OpenSSL and he was in his sixties. He wanted to retire for God's sake yet with not enough funding being brought in, he couldn't hand the project off.

Something that involves a library of code as huge as OpenSSL is needs more than one person to scan the lines of code, I'd go so far as to say that it needs a team of people doing code audits at least twice a year if not more than that. OpenSSL is like the water and sewer pipes of the Internet, if that breaks all hell breaks loose.

So you have one example, that isn't an open source specific problem, but a funding one?

 

[trparky]

So you have one example, that isn't an open source specific problem, but a funding one?

OK, but I also mentioned OpenBSD that was saved only by Microsoft coming along with $100,000 in their pockets.

The problem that most open source projects have is that they have lot of "takers" but not a lot of "givers". If you like an open source program/project, you need to do what is right and by that, I mean donate to the project be it direct donations or if they have a merch store, buy something there. Buy a coffee cup or a t-shirt for God's sake! Every little bit helps.

Like it or not, open source projects live and die on their budgets (or should I say, lack of budgets). The unfortunate thing is that a majority of people are freakin' cheapskates. They don't donate, they don't pay, yet they're the first to start yelling when things go wrong.

 

[moproblems99]

Outside of the big-name projects like I mentioned before (Ubuntu, WordPress, etc.), open source is a joke. Writing good software is hard! It takes time, people, and money.

WordPress is still a joke.