Researchers disclose widespread bootloader vulnerability

Researchers say they have found a new buffer flow vulnerability during the booting process that could affect potentially billions of Linux and Windows-based devices.

The flaw impacts devices and operating systems that use signed versions of the open-source GRUB2 bootloader software used in most Linux systems. It also affects any system or device using Secure Boot – a root firmware interface responsible for validating the booting process -- with Microsoft's standard third party certificate authority.

Together, researchers at Eclypsium say the flaw leaves "the majority of laptops, desktops, servers and workstations" as well as network appliances and a large number of Linux-based Operational Technology and Internet of Things systems vulnerable to arbitrary code execution during the booting process. A successful exploitation would give an attacker "virtually unlimited control" over a victim's device, according to the report.

"If this process is compromised, attackers can control how the operating system is loaded and subvert all higher-layer security controls," the researchers write.

There are notable limitations. In order to exploit the bug, an attacker would need to have elevated administrative privileges. That kind of access means that hackers would already be capable of doing substantial damage. But, Eclypsium researchers told FCW that bypassing the boot process could provide attackers with persistent, stealthy root-level access without having to rely on temporary credentials or access privileges. They believe the flaw is versatile enough that it provides lower-level hacking groups with the ability to stage and carry out large-scale attacks like ransomware, while also allowing more sophisticated threat groups to mask their activity on victim networks and muddy the waters around attribution.

The vulnerability itself is relatively simple, but it's so widely dispersed among systems and devices that it will require a complex, multi-step mitigation process among different stakeholders that could take years. The flaw affects open source software that is used in potentially billions of Linux and Windows devices across government, private industry and critical infrastructure. Eclypsium said it had to pull in at least 20 different organizations and 70 individuals to work on mitigation when it kicked off the initial coordinated vulnerability disclosure process in April.

"I'd say that if you care about Secure Boot in your threat model, you should care about this issue," said Mickey Shkatov, a principal researcher at Eclypsium.

While the disclosure comes with an update to GRUB2, it won't be a simple patch job, and switching in the newer version will almost certainly come with a number of collateral interoperability problems. Linux distributors and other vendors will need to update their installers, bootloaders and other applications. New makeshift 'shim' applications will need to be signed by Microsoft's third-party certificate authority, and IT administrators will need to update operating systems in the field as well as installer images.

The most difficult part is expected to be when organizations attempt to revoke vulnerable versions of the bootloader. When Microsoft attempted to patch a similar problem earlier this year, they had to remove the update from their servers after multiple vendors reported unexpected errors, including bricked devices. Eclypsium researchers said that is also likely to happen in this instance unless administrators individually test and update the firmware of each affected system.

"Automating the push of this revocation is very risky and is not going to be done for this release," said John Loucaides, the firm's vice president for research and development. "Later on that may happen, but that's going to be after a thorough testing of all these specific systems."

While working out the kinks in the revocation process will take substantial testing, in the meantime the report recommends that IT managers begin monitoring their bootloaders and firmware for vulnerable or abnormally configured versions of GRUB2. Because the security of the boot process is often taken for granted, shoring up surveillance in that area can help many organizations narrow the list of devices that need immediate attention.

"You can see how this is going to be sort of a big ask. Some organizations might do it, a lot of organizations may give up," said Loucaides. "That monitoring should buy you time for this revocation to become more reasonable to deploy to at least more of your systems" at once.