
                         AUSCERT Security Bulletin

"BootHole" vulnerability, and several others, published in GRUB2 bootloader
                               30 July 2020


        AusCERT Security Bulletin Summary

Product:          GRUB2
Operating System: Linux variants
Impact/Access:    Root Compromise                 -- Existing Account
                  Execute Arbitrary Code/Commands -- Existing Account
                  Increased Privileges            -- Existing Account
                  Modify Arbitrary Files          -- Existing Account
                  Denial of Service               -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2020-15707 CVE-2020-15706 CVE-2020-15705
                  CVE-2020-14311 CVE-2020-14310 CVE-2020-14309
                  CVE-2020-14308 CVE-2020-10713 CVE-2020-7205


        The GRUB2 bootloader is affected by a major vulnerability
        known as "BootHole", CVE-2020-10713, and several other less
        notable vulnerabilities. It requires an attacker to already have
        root access to a host to edit the GRUB2 'grub.cfg' configuration file.
        If exploited, this allows bypass of the UEFI Secure Boot system,
        which defends against malicious bootloaders,
        including certain kinds of rootkits:
        "One of the explicit design goals of Secure Boot is to
        prevent unauthorized code, even running with administrator privileges,
        from gaining additional privileges and pre-OS persistence by
        disabling Secure Boot or otherwise modifying the boot chain." [1]
        Fully fixing this problem will take time, as the patching process is complex.
        However, mitigations are rolling out from vendors from today. [1]


        An attacker can boot their own code (unsigned by the usual process)
        which still passes signature verification during UEFI Secure Boot.
        Eclypsium states:
        "The Boot Hole vulnerability discovered by Eclypsium can be used to
        install persistent and stealthy bootkits or malicious bootloaders that
        operate even when Secure Boot is enabled and functioning correctly.
        This can ensure attacker code runs before the operating system and can
        allow the attacker to control how the operating system is loaded, directly
        patch the operating system, or even direct the bootloader to alternate
        OS images. It gives the attacker virtually unlimited control over the
        victim device. Malicious bootloaders have recently been observed in the
        wild, and this vulnerability would make devices susceptible to these types
        of threats." [1]
        A malicious boot loader acts as a kind of "super-admin": it can
        be used to subvert the kernel of the operating system(s) hosted on the
        attacker-controlled hardware, and to hide things from the administrator(s)
        of those operating system(s). [2]
        Eclypsium also states that this is a very widespread issue:
        "In addition to Linux systems, any system that uses Secure Boot
        with the standard Microsoft UEFI CA is vulnerable to this issue.
        As a result, we believe that the majority of modern systems in use
        today, including servers and workstations, laptops and desktops,
        and a large number of Linux-based OT and IoT systems, are potentially
        affected by these vulnerabilities." [1]
        Microsoft are publishing their own mitigations, despite GRUB2 not
        running on Windows, as the exploit could be used to boot a modified
        (compromised) version of Windows while passing Secure Boot. [3]
        AusCERT's evaluation is that this should be taken seriously
        and patched as patches become available. However, to determine urgency,
        each organisation must assess the use of GRUB2 in their environment,
        as in general exploitation requires administrator access to the
        operating system affected.
        The following CVEs were found in addition to CVE-2020-10713, "BootHole",
        as part of efforts to make the most of this high-effort patching cycle:
        [1] [3]


        Watch for updates being released for your operating system from today.
        Eclypsium summarises the full patching process thus:
        "Full mitigation of this issue will require coordinated efforts from a variety of
        entities: affected open-source projects, Microsoft, and the owners of affected
        systems, among others. This will include:
            * Updates to GRUB2 to address the vulnerability.
            * Linux distributions and other vendors using GRUB2 will need to update their
            installers, bootloaders, and shims.
            * New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
            * Administrators of affected devices will need to update installed versions of
            operating systems in the field as well as installer images, including disaster
            recovery media.
            * Eventually the UEFI revocation list (dbx) needs to be updated in the
            firmware of each affected system to prevent running this vulnerable code during
            boot." [1]
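        As an added example, not part of the bulletin or of Eclypsium's guidance: a POSIX shell posture check an administrator can run against the end-user steps above (Secure Boot still enforced, dbx revocations present, grub.cfg unchanged since patching). It assumes a Linux host with efivarfs at /sys/firmware/efi/efivars and GRUB configuration at /boot/grub/grub.cfg (both overridable), and a SHA-256 baseline of grub.cfg recorded after patching.

```shell
#!/bin/sh
# Added example, not part of the AusCERT bulletin. Paths are parameters so the
# functions can be exercised on constructed sample files; the defaults are the
# standard Linux locations.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
DBX_VAR="$EFIVARS/dbx-d719b2cb-3d33-4396-8e9a-1a3afbc65c44"

# efivarfs exposes each variable as 4 attribute bytes followed by its data;
# for SecureBoot the data is one byte, 1 = enabled, 0 = disabled.
secureboot_state() {
    [ -r "$1" ] || { echo unknown; return 2; }
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# Size of the dbx (forbidden signatures) payload, excluding the attribute
# bytes. Revocations land here as EFI_SIGNATURE_LIST entries, so a dbx that
# is absent or empty has not received the firmware-level step of the fix.
dbx_payload_bytes() {
    [ -r "$1" ] || { echo 0; return 1; }
    size=$(wc -c < "$1")
    if [ "$size" -gt 4 ]; then echo $((size - 4)); else echo 0; fi
}

# grub.cfg is the file an attacker with root must edit to trigger
# CVE-2020-10713, so comparing it with a recorded SHA-256 baseline flags the
# tampering the bulletin describes. Returns 0 (true) when the file changed.
grub_cfg_changed() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" != "$2" ]
}

# Live report for this host; $1 is the baseline hash recorded after patching.
report() {
    echo "secure boot: $(secureboot_state "$SB_VAR")"
    echo "dbx payload: $(dbx_payload_bytes "$DBX_VAR") bytes"
    if grub_cfg_changed "${GRUB_CFG:-/boot/grub/grub.cfg}" "$1"; then
        echo "grub.cfg: CHANGED since baseline"
    else
        echo "grub.cfg: matches baseline"
    fi
}

# Run the live report only when invoked as: sh check.sh --live <baseline-sha256>
[ "${1:-}" = "--live" ] && report "$2"
```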


        [1] Eclypsium: There's A Hole In The Boot

        [2] We Live Security: UEFI malware: How to exploit a false sense of

        [3] ADV200011 | Microsoft Guidance for Addressing Security Feature
            Bypass in GRUB

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.