A security vendor has discovered a way to execute arbitrary code during the computer boot-up process through a relatively simple to exploit bug and devise attacks that can get through the Unified Extensible Firmware Interface (UEFI) Secure Boot feature to provide full system access for malware.
Enterprise security vendor Eclypsium found that the grub.cfg text file for the Grand Unified Bootloader 2 (GRUB2), which is used by Linux distributions since 2009, can be altered to trigger a buffer overflow.
By increasing the size of a token in grub.cfg, it is possible for attackers to take advantage of a mismatched design assumption that causes the GRUB2 parser not to halt execution as expected, but simply prints out an error message and returns to the calling function.
"As a result, an attacker could modify the contents of the GRUB2 configuration file to ensure that attack code is run before the operating system is loaded. In this way, attackers gain persistence on the device," Eclypsium wrote in its analysis.
Data can be written anywhere in memory with the bug, Eclypsium found.
Furthermore, as the UEFI execution environment doesn't take advantage of address space randomisation layout or data execution prevention (ASLR/DEP) security features, creating exploits for the vulnerability is easy, without resorting to building return-oriented programming chains, the security vendor said.
Apart from Linux systems, computers that run Windows 8 and 10 and which use the standard Microsoft Third Party UEFI Certificate Authority can be attacked with Boothole, Eclypsium said.
Attackers need administrator privileges to modify the grub.cfg file, but Eclypsium noted that this can be done without tampering with the integrity of signed vendor shims that contain certificates and code for verifying the GRUB2 bootloader as it's loaded.
Ransomware and malware have been known to replace legit UEFI bootloaders with malicious variants, security vendor ESET found in June this year.
Eclypsium has notified Microsoft, Linux distributors Red Hat, SuSE, Canonical/Ubuntu, Debian as well as Citrix, VMware, computer original equipment manufacturers (OEMs) and software developers about the bug, which is rated as high impact with an 8.2 out of 10 CVSS score.
However, Eclypsium notes that fixing the Boothole bug could be slow as UEFI-related updates have a history of bricking devices.
Enterprise disaster and recovery tools could also run into problems if the dbx revocation list is updated before Linux bootloaders and shims.
This could stop recovery media from being able to boot up systems.
As a result, vendors have to be very careful when deploying fixes for Boothole.
.jpg&h=146&w=240&c=1&s=0)
