Firmware security company Eclypsium disclosed on Wednesday (July 29, 2020) that a critical GRUB2 bootloader vulnerability, which can be exploited to install stealthy malware, affects billions of Windows and Linux devices.
Tracked as CVE-2020-10713 and dubbed BootHole, the flaw has a CVSS score of 8.2. Eclypsium says it affects every operating system that boots through GRUB2 with Secure Boot enabled. It also reaches machines that do not boot GRUB2 at all: because most firmware trusts the Microsoft third-party UEFI certificate authority, a vulnerable signed GRUB2 binary will pass Secure Boot on those systems too, so an attacker with administrative access can stage one and boot through it.
In its report, Eclypsium explained: “Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected. In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority.”
Eclypsium says the majority of laptops, desktops, workstations and servers in use are affected, and that attackers could abuse the vulnerability to install bootkits or malicious bootloaders.
The researchers note that exploiting the flaw requires administrator privileges on the target device, but a successful exploit runs attacker code before the operating system loads, at a higher privilege level than the OS itself, and gives persistence that is very hard to detect or remove from within the OS.
BootHole is a buffer overflow in the way GRUB2 parses its grub.cfg configuration file. Unlike the GRUB2 binary, grub.cfg is a plain text file that is not covered by the Secure Boot signature check, so an attacker who can write to it can craft a configuration that triggers the overflow and gets their code executed in the UEFI execution environment, before the operating system is loaded.
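To make the bug class concrete, here is an added example, not code from Eclypsium or from the GRUB2 project: a miniature token reader modelled on the pattern behind BootHole, in which the lexer's fatal-error hook only prints a message and returns instead of halting, so an overlong token keeps being copied past its fixed-size buffer. The buffer sizes, the sentinel bytes that stand in for whatever sits after the buffer, and the grub.cfg-style input lines are all constructed for the demo. The vulnerable reader is shown beside a hardened one that treats an oversized token as a hard error.

```c
#include <stdio.h>
#include <string.h>

/* Model sizes (assumed for the demo). TOKEN_MAX is the fixed token buffer;
 * ADJACENT stands in for whatever the real lexer keeps right after it. */
enum { TOKEN_MAX = 32, ADJACENT = 8, ARENA = TOKEN_MAX + ADJACENT };

struct lexer {
    unsigned char arena[ARENA];   /* [0,TOKEN_MAX) is the token buffer, the rest is adjacent state */
    int errors_reported;
};

static void lexer_init(struct lexer *lx)
{
    memset(lx->arena, 0, TOKEN_MAX);
    memset(lx->arena + TOKEN_MAX, 0xAA, ADJACENT);  /* sentinel pattern after the buffer */
    lx->errors_reported = 0;
}

/* The vulnerable pattern: the "fatal" error hook only logs and returns,
 * so the caller keeps copying as if nothing had happened. */
static void fatal_error_that_returns(struct lexer *lx, const char *msg)
{
    lx->errors_reported++;
    fprintf(stderr, "lexer error (ignored): %s\n", msg);
}

/* Copy one whitespace-delimited token from cfg into the token buffer.
 * Vulnerable version: on overflow it reports, then goes on writing. */
static int read_token_vulnerable(struct lexer *lx, const char *cfg)
{
    size_t n = 0;
    for (const char *p = cfg; *p != '\0' && *p != ' ' && *p != '\n'; p++) {
        if (n == TOKEN_MAX)
            fatal_error_that_returns(lx, "token too large");
        /* Demo-only guard so the model stays memory-safe: the real bug has
         * no bound here and writes straight past the buffer. */
        if (n >= ARENA)
            break;
        lx->arena[n++] = (unsigned char)*p;
    }
    return (int)n;
}

/* Hardened version: an oversized token is a hard error. Nothing past the
 * buffer is touched and the caller must abort parsing on -1. */
static int read_token_hardened(struct lexer *lx, const char *cfg)
{
    size_t n = 0;
    for (const char *p = cfg; *p != '\0' && *p != ' ' && *p != '\n'; p++) {
        if (n == TOKEN_MAX) {
            lx->errors_reported++;
            return -1;
        }
        lx->arena[n++] = (unsigned char)*p;
    }
    return (int)n;
}

/* 1 if the bytes after the token buffer still hold the sentinel. */
static int adjacent_intact(const struct lexer *lx)
{
    for (size_t i = TOKEN_MAX; i < ARENA; i++)
        if (lx->arena[i] != 0xAA)
            return 0;
    return 1;
}

/* Run one token through either reader; returns 1 if adjacent memory survived. */
static int adjacent_survives(int hardened, const char *cfg)
{
    struct lexer lx;
    lexer_init(&lx);
    if (hardened)
        read_token_hardened(&lx, cfg);
    else
        read_token_vulnerable(&lx, cfg);
    return adjacent_intact(&lx);
}

int main(void)
{
    /* Constructed grub.cfg-style lines; the second carries an overlong value. */
    const char *normal = "set default=0\n";
    const char *overlong = "set default=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

    printf("normal token,   vulnerable reader: adjacent intact = %d\n",
           adjacent_survives(0, strchr(normal, ' ') + 1));
    printf("overlong token, vulnerable reader: adjacent intact = %d\n",
           adjacent_survives(0, strchr(overlong, ' ') + 1));
    printf("overlong token, hardened reader:   adjacent intact = %d\n",
           adjacent_survives(1, strchr(overlong, ' ') + 1));
    return 0;
}
```

The point of the sentinel bytes is that the corruption is silent: the vulnerable reader reports the error and still returns a "successful" token count, which is exactly why an error hook that does not halt is dangerous in a parser that runs before the OS and its signature checks. The hardened reader turns the same input into a refusal the caller cannot miss.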
Following Eclypsium's report, Canonical's security team audited GRUB2 as well and found several further vulnerabilities, all of which have been rated medium severity.
Eclypsium coordinated disclosure of the flaw with Microsoft, the Linux distributions, the UEFI Security Response Team, OEMs, CERTs, VMware, Oracle and other affected software vendors.
“Mitigation will require new bootloaders to be signed and deployed, and vulnerable bootloaders should be revoked to prevent adversaries from using older, vulnerable versions in an attack. This will likely be a long process and take considerable time for organizations to complete patching,” the company clarified.