www.belgium.be Logo of the federal government

Vulnerability Alert - Boothole

Alert

Intent

The objective of this alert is to raise awareness about the vulnerability called “BootHole”. It is a global vulnerability affecting by its nature a wide range of products.
The intent of this alert is to make system administrators aware about the vulnerability and to act accordingly.

Summary

The vulnerability dubbed “BootHole” and tracked as CVE-2020-10713 affects systems running on Windows and Linux. The affected piece of software, GRUB2, is used in the most important security aspect of any device: the boot process. The “BootHole” vulnerability can be considered as a “Bootkit”.

A bootkit is a malicious program designed to load as early as possible in the boot process, in order to control all stages of the operating system start up, modifying system code and drivers before anti-virus and other security components are loaded.

Technical details

Even with secure boot enable, a threat actor could use this vulnerability to gain the ability to execute arbitrary code during the boot process. The vulnerability in itself is a buffer overflow that occurs when parsing the grub.cfg file. It happens in such a way that it bypasses signature verification as well.

Risks

Once an attacker has local or privileged access to a vulnerable device, he can load an alternative kernel (untrusted and modified) to the system, craft a malicious payload and cause a buffer overflow attack.

The highest risk is that by modifying the boot process an attacker can gain some really nasty persistence on a machine that’s really hard to detect. There is no easy way to detect this and recovery often involve completely rebuild the machine.

As for preventive solutions, there are workarounds released per brand, we will post a link to their respective advisories in the section below.