Secure Boot, despite the name, is not as secure as we would like. Security company Eclypsium has discovered a security hole in GRUB2: BootHole. Linux users know GRUB2 as one of the most commonly used boot loaders. For this reason, the issue makes any computer that boots with it potentially vulnerable to attack, and the key word is "potentially".
BootHole allows attackers to insert and execute malicious code during the boot process. Once planted there, the bootkit's payload runs before control is handed to the operating system, which is then loaded on top of it. Fortunately, Linux distribution developers were warned about the problem in advance, and most have already released fixes.
In addition, in order to use BootHole, an attacker must edit grub.cfg, the GRUB2 configuration file. Therefore, to attack a Linux system successfully, the attacker must already have root access to the target. Practically speaking, such an attacker has already compromised the system. With that access, an attacker can modify values in grub.cfg to trigger a buffer overflow, which can then be used to deliver a malicious payload.
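Since the attack path described above runs through a modified grub.cfg, a defender can baseline the file and flag edits that look nothing like a hand-written configuration. The following audit is an added example, not code from the article or from any distribution; the 1024-character token limit is a heuristic chosen here, and the sample configuration is constructed.

```python
"""Audit a GRUB2 grub.cfg: compare against a known-good hash and flag
implausibly long tokens. Added example; the threshold is a heuristic."""
import hashlib
import shlex

MAX_TOKEN_LEN = 1024  # assumption: no legitimate grub.cfg token is this long


def sha256_text(text: str) -> str:
    """Hex SHA-256 of the configuration text (the baseline to compare against)."""
    return hashlib.sha256(text.encode()).hexdigest()


def oversized_tokens(cfg_text: str, limit: int = MAX_TOKEN_LEN) -> list:
    """Return (line_number, token_length) for every token longer than limit.

    shlex in POSIX mode is close enough to GRUB's shell-like syntax for a
    length audit. A line with unbalanced quoting is itself reported as a
    finding instead of aborting the scan.
    """
    findings = []
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            findings.append((lineno, len(line)))  # unterminated quote: flag whole line
            continue
        for tok in tokens:
            if len(tok) > limit:
                findings.append((lineno, len(tok)))
    return findings


def audit_grub_cfg(cfg_text: str, baseline_sha256: str) -> dict:
    """Combine the integrity check and the token-length scan into one report."""
    return {
        "hash_matches": sha256_text(cfg_text) == baseline_sha256,
        "oversized_tokens": oversized_tokens(cfg_text),
    }


# Constructed sample: a minimal known-good config and a tampered copy that
# adds a 5000-character value, which no ordinary grub.cfg would contain.
GOOD_CFG = """set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
"""
BASELINE = sha256_text(GOOD_CFG)
TAMPERED_CFG = GOOD_CFG.replace("set timeout=5", "set timeout=5\nset x=" + "A" * 5000)
```

In practice the baseline hash is recorded right after the distribution's GRUB2 update is applied and the check is run from a trusted context, because anything running as root on the same host can also rewrite the baseline.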
While Eclypsium found the initial problem in GRUB2, Linux developers found other problems hiding within GRUB2. Joe McManus, Director of Security Engineering at Canonical, said:
"Thanks to Eclypsium, we at Canonical, along with the rest of the open source community, have updated GRUB2 to protect ourselves from this vulnerability. During this process, we identified seven other vulnerabilities in GRUB2 that will be fixed in updates released today. The attack itself is not a remote exploit and requires the attacker to have root privileges. With this in mind, we do not see this vulnerability becoming popular in the wild. However, these efforts truly illustrate the spirit of the community that makes open source software so secure."
Red Hat takes the same view. Peter Allor, Red Hat's director of security products, said:
"Red Hat is aware of a bug (CVE-2020-10713) in GRUB 2. Product security has performed a thorough analysis and understands not only how this bug affects Red Hat products, but most importantly, how it affects the Linux kernel. Our PSIRT works closely with engineering, inter-service teams, the Linux community and our industry partners to provide updates for affected Red Hat products, including Red Hat Enterprise Linux."
However, Marcus Meissner, head of SUSE’s security team, emphasizes that while the problem is serious and needs to be fixed, it’s not that bad. He noted:
"Given the need for root access to the bootloader, the attack described appears to be of limited relevance to most cloud computing, data center, and personal device scenarios, unless these systems are already vulnerable to another known attack. However, it creates exposure when untrusted users have access to the machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended mode."
The moral of the story is that, although you should patch your Linux systems, this security hole is really only a problem in a few limited situations.