A serious vulnerability named "BootHole" has been discovered in the GRUB2 bootloader. Millions of systems are at risk of exposure to attackers, primarily those running Linux, but Windows is also affected. Discovered by security researchers at Eclypsium, the BootHole vulnerability has been assigned CVE-2020-10713 ("GRUB2: crafted grub.cfg file can cause to arbitrary code execution during boot process") and a CVSS rating of 8.2.
Not only are virtually all Linux distributions affected; the vulnerability also leaves Windows systems that use Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority open to attack. The BootHole flaw can be exploited to gain arbitrary code execution during the boot process, even when Secure Boot is enabled.
According to Eclypsium, the scale of the vulnerability is such that "the majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries". BootHole has been known about for quite some time, but the security researchers are still coordinating with operating system developers, software engineers and others so that fixes are ready for the disclosure of the vulnerability.
Despite this, Eclypsium still warns that: "Mitigation would require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to stop adversaries from using older, vulnerable versions in an attack. This may likely be a long process and take considerable time for organizations to finish patching".
Writing about the vulnerability, Eclypsium explains:
In the course of Eclypsium's analysis, we have identified a buffer overflow vulnerability in the way that GRUB2 parses content from the GRUB2 config file (grub.cfg). Of note: The GRUB2 config file is a text file and isn't signed like other files and executables. This vulnerability enables arbitrary code execution within GRUB2 and thus control over the booting of the OS. As a result, an attacker could modify the contents of the GRUB2 configuration file to ensure that attack code is run before the OS is loaded. In this way, attackers gain persistence on the device. Such an attack would require an attacker to possess elevated privileges. However, it might provide the attacker with a powerful additional escalation of privilege and persistence on the device, even with Secure Boot enabled and properly performing signature verification on all loaded executables.
One of the explicit design goals of Secure Boot is to prevent unauthorized code, even running with administrator privileges, from gaining additional privileges and pre-OS persistence by disabling Secure Boot or otherwise modifying the boot chain. With the only exception of 1 bootable tool vendor who added custom code to perform a signature verification of the grub.cfg config file in addition to the signature verification performed on the GRUB2 executable, all versions of GRUB2 that load commands from an external grub.cfg configuration file are vulnerable. As such, this may require the release of new installers and bootloaders for all versions of Linux. Vendors may need to release new versions of their bootloader shims to be signed by the Microsoft 3rd Party UEFI CA.
It's important to note that until all affected versions are added to the dbx revocation list, an attacker would be able to use a vulnerable version of shim and GRUB2 to attack the system. This means that every device that trusts the Microsoft 3rd Party UEFI CA is going to be vulnerable for that period of time.
In addition to vendors using shims signed by the Microsoft 3rd Party UEFI CA, some OEMs that control both the hardware and the software stack in their devices use their own key that's provisioned into the hardware at the factory to sign GRUB2 directly. They will need to provide updates and revocation of previous vulnerable versions of GRUB2 for these systems as well.
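The revocation step Eclypsium describes above hinges on the UEFI dbx (forbidden signatures) variable: a vulnerable shim or GRUB2 image stays bootable on every machine that trusts the Microsoft 3rd Party UEFI CA until its hash is pushed into dbx. The following is an added example, not code from Eclypsium or the GRUB2 project, that parses the EFI_SIGNATURE_LIST format dbx uses and checks whether a given image digest has been revoked. The signature-type GUIDs and the efivarfs path are from the UEFI specification and Linux efivarfs; the owner GUID, the digests and the sample dbx blob are constructed for the demo and are not real revocation data.

```python
"""Check whether a shim/GRUB2 image digest appears in a UEFI dbx blob.

Added example (not Eclypsium's or the GRUB2 project's code). The sample
dbx, owner GUID and digests are constructed; on a UEFI Linux host the real
variable is readable from efivarfs at DBX_EFIVAR.
"""
import hashlib
import os
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# dbx lives under EFI_IMAGE_SECURITY_DATABASE_GUID on efivarfs.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST header: SignatureType (16), SignatureListSize (4),
# SignatureHeaderSize (4), SignatureSize (4). Each entry that follows is
# SignatureOwner (16) plus SignatureSize-16 bytes of data.
_LIST_HDR = 28


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data), ...] for a concatenation of
    EFI_SIGNATURE_LIST structures; raise ValueError on malformed input
    instead of reading past the buffer."""
    entries, off = [], 0
    while off + _LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < _LIST_HDR + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + _LIST_HDR + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after last EFI_SIGNATURE_LIST")
    return entries


def revoked_sha256_hashes(efivar_raw):
    """SHA-256 entries of a dbx variable as read from efivarfs, whose files
    begin with a 4-byte attribute word that is not part of the data."""
    return {data for sig_type, _, data in parse_signature_lists(efivar_raw[4:])
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(image_digest, efivar_raw):
    """image_digest is the Authenticode (PE image) SHA-256 digest of the shim
    or GRUB2 binary, as bytes or hex. dbx stores that digest, not a hash of
    the flat file, so a plain sha256sum of the .efi file will not match."""
    if isinstance(image_digest, str):
        image_digest = bytes.fromhex(image_digest)
    return image_digest in revoked_sha256_hashes(efivar_raw)


def build_signature_list(sig_type, owner, items):
    """Constructed helper: serialise one EFI_SIGNATURE_LIST (no SignatureHeader)."""
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    return sig_type.bytes_le + struct.pack("<III", _LIST_HDR + len(body), 0, sig_size) + body


# Constructed sample dbx: two revoked image digests and one placeholder X.509
# entry, prefixed with the efivarfs attribute word (NV|BS|RT|TIME_BASED_AUTH).
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed
REVOKED_SHIM_DIGEST = hashlib.sha256(b"constructed: vulnerable shim image").digest()
REVOKED_GRUB_DIGEST = hashlib.sha256(b"constructed: vulnerable grub image").digest()
FRESH_SHIM_DIGEST = hashlib.sha256(b"constructed: re-signed shim image").digest()
PLACEHOLDER_X509 = b"\x30\x82" + b"\x00" * 30  # not a real certificate
SAMPLE_DBX_EFIVAR = (
    struct.pack("<I", 0x27)
    + build_signature_list(EFI_CERT_SHA256_GUID, OWNER_GUID,
                           [REVOKED_SHIM_DIGEST, REVOKED_GRUB_DIGEST])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER_GUID, [PLACEHOLDER_X509])
)


def load_dbx(path=DBX_EFIVAR):
    """Use the firmware's dbx on a UEFI Linux host, else the constructed sample."""
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read()
    return SAMPLE_DBX_EFIVAR


if __name__ == "__main__":
    raw = load_dbx()
    print("dbx entries: %d, SHA-256 image hashes: %d"
          % (len(parse_signature_lists(raw[4:])), len(revoked_sha256_hashes(raw))))
    for name, digest in (("vulnerable shim", REVOKED_SHIM_DIGEST),
                         ("re-signed shim", FRESH_SHIM_DIGEST)):
        print("%s %s...: %s" % (name, digest.hex()[:16],
                                "REVOKED" if is_revoked(digest, raw) else "not in dbx"))
```

Two caveats for anyone running this against real firmware. First, the digest to look up is the Authenticode hash of the PE image (the value a signing tool reports), not the hash of the file on disk. Second, revocation is ordered: the dbx update must only be applied after the installed shim and GRUB2 have been replaced with re-signed versions, because adding the hash of the bootloader still on the ESP to dbx leaves the machine unable to boot, which is why Eclypsium expects the rollout to take considerable time.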
Until patched bootloaders are available, advisory notices have been published by Microsoft, the UEFI Forum, Debian, Canonical, Red Hat, SUSE, HP, HPE, VMware and the upstream GRUB2 project.