BootHole bug in Grub2 makes all devices with Secure Boot vulnerable

Several vendors have released fixes for a vulnerability in Grub2 that affects almost all devices with Secure Boot. The vulnerability makes it possible to execute code during the boot process even when Secure Boot is enabled.

The vulnerability is called BootHole and was discovered by security company Eclypsium. It is specific to Grub2, the GRand Unified Bootloader used by most Linux systems. Windows systems are also affected if they use Secure Boot with Microsoft itself acting as the certificate authority, which is the case for practically all Windows systems. According to the researchers, the vulnerability can be exploited on any device with Secure Boot, even if Grub2 is not in use on it. The bug has been assigned CVE-2020-10713.

The vulnerability is quite serious, with a CVSS score of 8.2, but it is difficult to exploit in practice: an attacker has to modify the grub.cfg configuration file, which requires at least root access to the system. An oversized token in grub.cfg causes a buffer overflow. Because the parser does not stop executing on this error as intended, malware placed afterwards is loaded during the boot process.
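Since the trigger described above is an oversized token in grub.cfg, one defensive check is to scan the bootloader configuration for tokens far longer than anything a legitimate entry would contain. The script below is an added illustration, not code from the article, from Eclypsium or from the GRUB project: it tokenizes a grub.cfg the way a shell-like config is read (whitespace-separated, quotes respected, `#` comments dropped) and reports every token that exceeds a threshold. `MAX_TOKEN_LEN` is a constructed threshold, not the size of any buffer inside GRUB, and the sample configurations are constructed for the example. A clean scan does not prove a system is patched; updating the Grub2 package is the fix.

```python
"""Flag unusually long tokens in a grub.cfg (added example, not GRUB code)."""

# Constructed threshold: real grub.cfg tokens (paths, kernel args, UUIDs)
# are far shorter than this, so anything above it deserves a look.
MAX_TOKEN_LEN = 1024

# Constructed benign sample configuration.
BENIGN_CFG = """\
# constructed sample grub.cfg
set timeout=5
set default="0"
menuentry 'Linux' --class gnu-linux {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
"""

# Constructed suspicious sample: same file plus one absurdly long token.
SUSPICIOUS_CFG = BENIGN_CFG + "set x=" + "A" * 5000 + "\n"


def tokenize(text):
    """Return a list of (line_number, token) pairs.

    Splits on whitespace outside quotes, keeps quoted strings as one token
    and drops '#' comments that start a token.
    """
    tokens = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        i, n = 0, len(line)
        while i < n:
            c = line[i]
            if c.isspace():
                i += 1
                continue
            if c == "#":
                break  # rest of the line is a comment
            start = i
            quote = None
            while i < n and (quote is not None or not line[i].isspace()):
                if quote is None and line[i] in "\"'":
                    quote = line[i]
                elif line[i] == quote:
                    quote = None
                i += 1
            tokens.append((lineno, line[start:i]))
    return tokens


def find_oversized_tokens(text, max_len=MAX_TOKEN_LEN):
    """Return [(line_number, token_length)] for every token longer than max_len."""
    return [(ln, len(tok)) for ln, tok in tokenize(text) if len(tok) > max_len]


def scan_file(path, max_len=MAX_TOKEN_LEN):
    """Scan a grub.cfg on disk, e.g. scan_file('/boot/grub/grub.cfg')."""
    with open(path, "r", errors="replace") as fh:
        return find_oversized_tokens(fh.read(), max_len)


if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CFG), ("suspicious", SUSPICIOUS_CFG)):
        hits = find_oversized_tokens(cfg)
        if hits:
            for lineno, length in hits:
                print(f"{name}: line {lineno}: token of {length} bytes exceeds {MAX_TOKEN_LEN}")
        else:
            print(f"{name}: no oversized tokens")
```

Run it against the real file with `scan_file("/boot/grub/grub.cfg")` (or `/boot/grub2/grub.cfg` on distributions that use that path); any hit is worth comparing against the configuration your package manager or `grub-mkconfig` generates.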

After the researchers shared their findings with various vendors, the vendors themselves found further vulnerabilities in Grub2. Canonical, the developer of Ubuntu, speaks of seven vulnerabilities in total: several buffer overflows and a use-after-free.

Dozens of Linux distributions have released patches, most of them as new Grub2 packages. Some developers, such as Red Hat, say that the practical impact of the vulnerability is limited.