Researchers at Eclypsium discovered a vulnerability in an open source bootloader called GRUB, widely used by most Linux distributions and Solaris. The vulnerability, named BootHole, allows code execution within GRUB and subsequent full compromise of the bootloader.
Bootloaders are small but important programs that load your operating system. Because they run before the OS and with full control of the machine, keeping them safe from compromise is even more important. A compromised bootloader can provide an invisible method of malware persistence, or it can even be used to steal disk encryption keys from an unsuspecting victim via a fake login or passphrase screen.
To protect bootloaders, a protocol known as secure boot was introduced. Secure boot uses your computer's UEFI firmware to check the integrity of the bootloader before it runs, allowing only bootloaders signed by the Microsoft 3rd Party UEFI CA. Microsoft acts as the certificate authority for secure boot, so even Linux bootloaders (shim, and through it GRUB) are signed by Microsoft. The issue with this approach is that a vulnerability in an already signed bootloader completely breaks the chain: the firmware still accepts the signed binary, so trust in the entire boot process is lost.
However, the scope of BootHole is much larger than just Linux and Solaris. Because of the limitations in secure boot described above, this vulnerability can be used to exploit any system relying on UEFI secure boot, including Windows. Attackers who already have administrative access can gain persistence by installing the vulnerable version of GRUB and using it to launch their malicious code. Because it is a legitimate bootloader signed by Microsoft, it passes the signature verification performed by secure boot.
Thankfully, there are mitigations available. In order to fully fix the issue, you need to apply the latest UEFI revocation list (the DBX database, which lists signatures and image hashes the firmware must refuse to run) by following the Microsoft guidance and, if running GRUB, install the latest updates available. The updated revocation list should also be part of the next Windows security updates released by Microsoft in early August.
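The revocation list mentioned above, and the allow list that secure boot checks against in the first place, are both stored as UEFI variables (db and dbx) in the EFI_SIGNATURE_LIST format. The following parser is an added example, not code from Eclypsium, Microsoft or the GRUB project: it decodes that format, reports which SHA-256 image hashes a dbx blob revokes, and implements the firmware's allow/deny decision for a hash (present in db and absent from dbx). The sample db and dbx blobs, and the 32-byte hashes in them, are constructed placeholders built by `build_sha256_list`; they are not the actual BootHole DBX entries. The variable GUID and the efivarfs path layout are the standard UEFI ones; the 4-byte attribute prefix is what Linux's efivarfs prepends to every variable.

```python
import os
import struct
import uuid

# Signature type used for image-hash entries in db/dbx (EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# GUID under which the db and dbx variables live (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# On Linux, efivarfs exposes the revocation list at this path.
DBX_EFIVARS_PATH = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}"
# Fixed part of an EFI_SIGNATURE_LIST: 16-byte type GUID + three uint32 sizes.
SIG_LIST_HEADER_LEN = 28


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data), ...] for every entry in a chain of EFI_SIGNATURE_LISTs."""
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < SIG_LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])  # GUIDs are stored mixed-endian
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < SIG_LIST_HEADER_LEN + header_size or offset + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit in the blob")
        if sig_size < 16:  # every entry carries at least a 16-byte SignatureOwner GUID
            raise ValueError("SignatureSize too small")
        body_start = offset + SIG_LIST_HEADER_LEN + header_size
        body_end = offset + list_size
        if (body_end - body_start) % sig_size != 0:
            raise ValueError("signature list body is not a whole number of entries")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        offset += list_size
    return entries


def build_sha256_list(hashes, owner):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here only to construct sample data)."""
    sig_size = 16 + 32  # SignatureOwner GUID + SHA-256 digest
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", SIG_LIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def sha256_hashes(blob):
    """Set of SHA-256 image hashes contained in a db or dbx blob (certificate entries are ignored)."""
    return {data for sig_type, _, data in parse_signature_lists(blob) if sig_type == EFI_CERT_SHA256_GUID}


def image_is_blocked(image_hash, dbx_blob):
    """True if the firmware would refuse this image hash because the revocation list names it."""
    return image_hash in sha256_hashes(dbx_blob)


def image_is_allowed(image_hash, db_blob, dbx_blob):
    """Secure boot decision for a hash-listed image: it must be in db and must not be in dbx."""
    return image_hash in sha256_hashes(db_blob) and not image_is_blocked(image_hash, dbx_blob)


def read_efivar(path):
    """Read a UEFI variable from efivarfs, dropping the 4-byte attribute prefix Linux prepends."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample data: placeholder hashes, not real signed-binary digests.
PLACEHOLDER_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
HASH_OLD_LOADER = bytes.fromhex("11" * 32)   # stands in for a revoked (vulnerable) loader
HASH_FIXED_LOADER = bytes.fromhex("22" * 32)  # stands in for an updated loader
HASH_UNKNOWN = bytes(32)                      # never signed or listed at all
SAMPLE_DB = build_sha256_list([HASH_OLD_LOADER, HASH_FIXED_LOADER], PLACEHOLDER_OWNER)
SAMPLE_DBX = build_sha256_list([HASH_OLD_LOADER], PLACEHOLDER_OWNER)


if __name__ == "__main__":
    print("sample dbx revokes", len(sha256_hashes(SAMPLE_DBX)), "hash(es)")
    print("old loader allowed:", image_is_allowed(HASH_OLD_LOADER, SAMPLE_DB, SAMPLE_DBX))
    print("fixed loader allowed:", image_is_allowed(HASH_FIXED_LOADER, SAMPLE_DB, SAMPLE_DBX))
    if os.path.exists(DBX_EFIVARS_PATH):  # on a real UEFI Linux host, show the live revocation count
        print("this host's dbx revokes", len(sha256_hashes(read_efivar(DBX_EFIVARS_PATH))), "hash(es)")
```

Running the script stand-alone shows the decision on the constructed data; on a UEFI Linux host it additionally counts the SHA-256 entries in the live dbx, which is a quick way to confirm that an updated revocation list was actually applied rather than merely downloaded.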