NSA and CISA push guidance for BootHole fix
Federal agencies are moving to put out custom guidance for dealing with a widespread bootloader bug that can be complicated to patch due to software and firmware interdependencies.
Following the disclosure this week of a widespread bootloader vulnerability in many Linux and Windows-based systems, two federal agencies issued follow up cybersecurity advisories highlighting the bug and offered steps for mitigation.
In an advisory released a day after researchers issued their report, the National Security Agency said the bug – dubbed BootHole -- "poses a risk to a majority of Linux distributions and systems running on Windows 8 or later versions." That includes "those on National Security Systems, Department of Defense (DoD) systems, as well as the Defense Industrial Base (DIB)."
"Impact may include but is not limited to public/private cloud instances, data center servers, end-user desktops/laptops, and Linux-based Operational Technology/Internet of Things devices," the agency said in a press release.
The Cybersecurity and Infrastructure Security Agency issued their own alert about the vulnerability and directed users to vulnerability notes from Carnegie Mellon University's CERT Coordination Center.
The researchers who discovered the bug told FCW that the impact would likely be vast, encompassing possibly billions of devices. They also predicted that patching would be slow, difficult and full of breakdowns due to the complexity of systems involved, something that has already been borne out as initial fixes rolled out by some companies have received user reports detailing unexpected breakdowns.
"If you're an IT administrator in an enterprise and you have tens of thousands of systems, maybe you have 10 different models of servers and 10 different models of laptops deployed throughout your fleet," said Jesse Michael, one of Eclypsium's principal researchers who discovered the bug. "You want to test [the patch] on each of these individual types of devices, specific models with specific firmware versions, before you actually deploy it out to the fleet, because if you deploy something out to your data center with thousands of servers and there's a firmware bug that causes those not to come up again, you're going to have a bad day."
The NSA advisory offers organizations two options for mitigation as well as detection guidance for vulnerable or abnormally configured versions of the bootloader. For the "typical" consumer, business and enterprise environments, they agency offers advice similar to the researchers: patch the endpoint and revoke trust for vulnerable versions of the bootloader or shim applications. However, they must do so carefully.
"Fully mitigating the BootHole vulnerability requires multiple steps that must be performed in a specific order to update and revoke the trust for existing signed boot components," the agency wrote. "Failure to ensure each step is completed before proceeding to the next step may result in an endpoint no longer being able to boot while Secure Boot is enabled."
There is also an "advanced" mitigation option recommended for business and enterprise endpoints with higher security and integrity requirements that involves customizing Secure Boot to allow Microsoft and other vendors to minimize or remove certificates. The notice references a forthcoming technical report that will provide more details on this method. An NSA spokesperson told FCW that the document is still being worked on and there is no immediate timetable for its public release.