BootHole GRUB2 Bootloader Security Exploit Discovered, Affects Billions Of Windows And Linux Devices

Bootloaders are an essential bit of software for almost every modern electronic device. Unfortunately, any vulnerabilities in the bootloader can open a device up to attackers. Eclypsium researchers recently discovered a buffer overflow vulnerability in the GRUB2 bootloader, nicknamed “BootHole”. This affects any device that uses GRUB2 with Secure Boot, including most Linux and some Windows devices.

How Does BootHole Work

The “GRand Unified Bootloader version 2”, or GRUB2, is a bootloader that is common on many Linux devices. It uses bison, a parser generator, and flex, a lexical analyser, to “generate a parsing engine for a domain-specific language (DSL).” However, Eclypsium points out that flex and bison have “mismatched design assumptions” which can lead to issues. In the case of BootHole, these “mismatched design assumptions” can create a buffer overflow vulnerability.

A buffer overflow occurs when more data is pushed into a buffer than it can handle. This data still needs a place to go and it therefore often overflows into nearby memory spaces. This “overflow” can corrupt or overwrite the data that was originally in the memory space. Attackers can then abuse this situation to run arbitrary code and cause major problems with a device.

[Figure: Eclypsium buffer overflow example]
Secure Boot processes are typically walled off from administrator-level users. However, in this scenario, the bootloader parses a configuration file, grub.cfg, located in the EFI system partition. As a result, any user with administrator access can modify grub.cfg. Furthermore, the configuration file is typically an unsigned text file, so any changes to it go unchecked by Secure Boot.

In the example provided by the researchers, Eclypsium found they could use the modified configuration file to pass a token too large for flex’s parse buffer. This triggered the function YY_FATAL_ERROR(), which reported an error but did not halt execution. Because the flex-generated code never checks whether YY_FATAL_ERROR() returns, it went on to copy the oversized token into the buffer. According to the researchers, this issue “overwrites critical structures in the heap.”
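The following is an added example written for this page; it is not code from GRUB2, flex or Eclypsium. It models the two paragraphs above: a small token buffer (16 bytes, a constructed size) sits in front of a canary-filled region that stands in for the neighbouring heap data the researchers say gets overwritten. The unsafe scanner calls a hypothetical fatal-error hook that merely logs and returns, then copies the token anyway, which is the mismatched assumption the article describes; the hardened scanner enforces the length bound on the return path, so it no longer matters whether the hook halts. The copy is capped at the region the demo itself allocated, so it never writes outside memory it owns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes: a small token buffer followed by a region standing in
 * for the neighbouring heap data that an oversized copy would overwrite. */
#define TOKEN_BUF_SIZE 16
#define NEIGHBOUR_SIZE 48
#define REGION_SIZE (TOKEN_BUF_SIZE + NEIGHBOUR_SIZE)
#define CANARY 0xA5

enum outcome { TOKEN_OK = 0, TOKEN_REJECTED = 1, NEIGHBOUR_CLOBBERED = 2 };

/* Hypothetical error hook modelled on the article's description: it reports
 * the problem and returns, although the generated scanner assumes it halts. */
static void fatal_error_that_returns(const char *msg)
{
    fprintf(stderr, "lexer fatal error: %s\n", msg);
}

/* Scanner step in the shape the article describes for the vulnerable path:
 * the oversized-token check calls the hook and then proceeds to copy anyway. */
static void copy_token_unsafe(const char *tok, unsigned char *region)
{
    size_t n = strlen(tok);
    if (n >= TOKEN_BUF_SIZE)
        fatal_error_that_returns("token too large for buffer");
    /* Execution continues here. The copy is capped at REGION_SIZE only so
     * that this demonstration stays inside memory it allocated itself. */
    if (n + 1 > REGION_SIZE)
        n = REGION_SIZE - 1;
    memcpy(region, tok, n + 1);
}

/* Hardened step: the bound is enforced on the return path, so the token is
 * refused regardless of what the error hook does. Returns 1 if copied. */
static int copy_token_safe(const char *tok, unsigned char *region)
{
    size_t n = strlen(tok);
    if (n >= TOKEN_BUF_SIZE) {
        fatal_error_that_returns("token too large for buffer");
        return 0;               /* nothing is written */
    }
    memcpy(region, tok, n + 1);
    return 1;
}

/* Runs one scanner variant against a token and reports whether the bytes
 * beyond the token buffer (the stand-in heap neighbour) were disturbed. */
static enum outcome run_scanner(const char *tok, int hardened)
{
    unsigned char *region = malloc(REGION_SIZE);
    if (!region)
        return NEIGHBOUR_CLOBBERED;
    memset(region, CANARY, REGION_SIZE);

    enum outcome result = TOKEN_OK;
    if (hardened) {
        if (!copy_token_safe(tok, region))
            result = TOKEN_REJECTED;
    } else {
        copy_token_unsafe(tok, region);
    }

    /* Any byte of the neighbour region that lost its canary was overwritten. */
    for (size_t i = TOKEN_BUF_SIZE; i < REGION_SIZE; i++) {
        if (region[i] != CANARY) {
            result = NEIGHBOUR_CLOBBERED;
            break;
        }
    }
    free(region);
    return result;
}

int main(void)
{
    /* Constructed inputs: a normal token and one far longer than the buffer. */
    const char *short_tok = "linux";
    const char *long_tok  = "set_a_menuentry_token_much_longer_than_sixteen_bytes";

    printf("unsafe, short token   -> %d\n", run_scanner(short_tok, 0));
    printf("unsafe, long token    -> %d\n", run_scanner(long_tok, 0));
    printf("hardened, long token  -> %d\n", run_scanner(long_tok, 1));
    return 0;
}
```

The point the canary makes visible is that the unsafe path does not fail at the check: it fails silently later, in whatever happened to live next to the buffer. A defender reviewing a lexer or any hand-written error hook should therefore confirm either that the hook genuinely does not return, or that every caller re-enforces its bound after the call.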

Potential Consequences and Resolution

This vulnerability can lead to major consequences. Attackers who have gained administrative privileges can execute arbitrary code and therefore take over the entire bootloader process. The attacker could run malware, replace the bootloader process with a malicious one, and gain total control over vulnerable devices.

Eclypsium indicates that the attackers must already have administrative privileges. This is important to note, because you would likely already have problems if an attacker managed to get this far. However, this vulnerability is certainly cause for concern. It would further increase the attacker’s privileges and offer the ability to regain control of a system with a modified bootloader in place. In turn, the attack could persist at a lower level on the system than is typically detectable while covering up evidence of its infiltration in userspace.

[Figure: Eclypsium bootloader malware diagram]

One of the most worrying aspects of this vulnerability is what needs to be done to mitigate it. Mitigation will require the cooperation of a variety of companies, open-source projects, and individuals. There will first need to be immediate updates to GRUB2. New bootloaders will eventually need to be deployed and the older versions will need to be revoked. Eclypsium warns that this will likely be a long, drawn-out process. Care is needed as these kinds of updates can sometimes render a device inoperable. The issue will eventually be addressed, but users should be patient.

Eclypsium researchers also recently uncovered unsigned or unverified peripheral firmware in devices by major tech companies. Unsigned firmware not only endangers individual devices, but can threaten an entire network. The researchers were able to infect a host server and replace the system’s NIC firmware, which ultimately allowed them to monitor, modify, and redirect traffic.

Updated 7/29/2020 at 3:00pm

Below is a statement from SUSE regarding the BootHole vulnerability:

"We’re aware of the Linux vulnerability called BootHole shared by Eclypsium today, and our customers and partners can rest assured we have released fixed grub2 packages which close the BootHole vulnerability for all SUSE Linux products today, and are releasing corresponding updates to Linux kernel packages, cloud image and installation media.

Given the need for physical access to the bootloader, the most likely exposure is when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended kiosk mode. To ensure that sophisticated attackers cannot reinstall old versions of grub2, software and hardware vendors are working together. SUSE Linux Enterprise provides unprecedented reliability, stability and security to the enterprise, and we are committed to keeping our customers’ and partners’ systems up to date and ready to handle everyday business challenges.