Secure Boot Bypass Puts Countless Devices at Risk

Whatever else you can say about cyberattackers, they are an innovative bunch and are always quick to pounce on any potential weakness. Unfortunately, the “BootHole” bug has given them a new opportunity to target billions of devices to load malware, access sensitive information, and much more.

The bug in question is in the GRand Unified Bootloader version 2, referred to as GRUB2. For most computer systems, GRUB2 is the default loader and manages part of the system’s start-up process by either presenting a menu requiring input from the user, or by transferring control to an operating system kernel.

When starting up, your system should only be using trusted and secure software. Secure Boot is a security standard developed by members of the PC industry to ensure just that. Firmware runs checks on the Unified Extensible Firmware Interface (UEFI) drivers, the Extensible Firmware Interface (UFI) systems, and the operating system, checking their signatures. Once the signatures are confirmed, the computer boots and the firmware grants control to the OS.

The BootHole bug is a buffer overflow vulnerability, and it received its name due to its ability to open a hole in the boot process. It can allow attackers to bypass protections even when Secure Boot is performing signature verification correctly.

Researchers noted in their report that “the GRUB2 config file is a text file and typically not signed like other files and executables.” What this means is that it is not checked by Secure Boot. Attackers are therefore able to make changes to the GRUB2 configuration file, inserting attack code. Since the GRUB2 file is loaded before the OS, it allows the new attack code to run first.

The buffer overflow issue occurs when configuration tokens are longer than the internal buffer size. This gives an attacker the opportunity to execute arbitrary code and ultimately bypass Secure Boot. Once an attacker has entered the system, they will have virtually complete control over the targeted device.

In their security advisory published on July 29, Microsoft dubbed the severity of the bug as “Important.” It is likely that BootHole did not receive a rating of “critical” because in order to exploit it, an attacker would need to gain administrative privileges.

According to software company Red Hat, attackers would first “need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access.”

Unfortunately, the GRUB2 bootloader is in use in most Linux systems. The problem doesn’t stop there, however, as it put any Windows device using Secure Boot with Microsoft’s standard Third Party UEFI Certificate Authority at potential risk. Effectively, the majority of computers—whether desktop, laptop, workstations, or servers—are vulnerable. This extends to network devices, IoT devices, and more, leaving billions of devices vulnerable.

Even worse, the issue cannot simply be fixed by a patch or update. According to researchers, dealing with BootHole “is complex and can be risky and will require the specific vulnerable program to be signed and deployed, and vulnerable programs should be revoked to prevent adversaries from using older, vulnerable versions in an attack. The three-stage mitigation process will likely take years for organizations to complete patching.”

For the supplier, fixing it will mean new bootloaders and installers across every version of Linux. Additionally, new versions of vendors’ “shims” (first-stage boot loaders) will need to be signed by Microsoft's Third-Party UEFI certificate authority. What’s more, any hardware makers that include their own keys in their hardware will have to provide updates to replace their version of GRUB2.

The researchers went on to say that “... until all affected versions are added to the [Secure Boot revocation list, a.k.a. dbx], an attacker would be able to use a vulnerable version of shim and GRUB2 to attack the system. This means that every device that trusts the Microsoft 3rd Party UEFI CA will be vulnerable for that period of time.”

A set of signed dbx updates will be released by Microsoft, which can be applied to systems to block shims that attackers can use to load the vulnerable version of GRUB2. In the meantime, your organization should confirm that they can monitor UEFI bootloaders and firmware, as well as the ability to verify UEFI configurations. Finally, they should test their ability to recover from a factory reset so that they can be confident about recovering in the event of a device being impacted negatively during an update.

 

Every business should assume they have either been attacked, are being attacked, or will be attacked. Fast detection and swift response are the small business owner’s only defense.

You can access my Free Ebook=> “WHAT’S AT STAKE FOR YOUR BUSINESS?” 

So, if you’re ready to put the right security in place. Contact me, I have traveled the globe Identifying security threats in Companies. I can help give your business a peace of mind as you move into the digital revolution. There’s no risk to talk with us about your business and you can stop the process any time.  But if you let us look under the hood, we’ll help you discover any potential problems before they impact your business or take your data. If everything looks good, we’ll tell you. However, if we discover symptoms of a growing threat, we’ll help you check them out to make sure you’re not exposed to catastrophic failure.

 To Learn More About Cyber Security => Safe Harbour.