On July 29, 2020, Eclypsium researchers discovered a vulnerability in the GRUB2 boot loader, named "BootHole" (CVE-2020-10713), that allows arbitrary code execution during the boot process. Attackers can use this vulnerability to install a persistent and stealthy bootkit or malicious bootloader and take control of the compromised device. At present, Linux distributions are primarily affected, including systems that use Secure Boot.
2. Vulnerability Analysis
2.1 Introduction to GRUB2
GRUB2 (GRand Unified Bootloader 2) is the unified boot loader and operating system launcher from the GNU project. It loads an operating system kernel and then transfers control to that kernel. It also lets the user select which operating system to run when the computer starts, which solves the problem of running multiple operating systems installed on the same computer.
2.2 Vulnerability Description
BootHole (CVE-2020-10713), discovered by Eclypsium researchers, is a vulnerability in the GRUB2 boot loader that allows arbitrary code execution during the boot process. Attackers can use it to install a persistent and stealthy bootkit or malicious bootloader and take control of the compromised device. So far, Linux distributions are primarily affected, including systems that use Secure Boot.
2.2.1 Vulnerability Details
The GRUB2 configuration file is a text file, and a buffer overflow can occur in GRUB2 while parsing a malformed grub.cfg file. This configuration file is an external file, usually located in the EFI system partition, and can be modified by an attacker with administrator privileges. Attackers can thereby obtain arbitrary code execution in the UEFI execution environment, and that code can be used to run malware, alter the boot process, tamper directly with OS kernel data, or perform many other malicious operations.
To process commands from external configuration files, GRUB2 uses flex and bison to generate a domain-specific language parsing engine from language description files and auxiliary program functions. The lexer generated by flex includes code for processing tokens as follows:
If the token being processed is too long, this code raises a YY_FATAL_ERROR; the function is implemented as follows:
There is no code to stop execution or force an exit from the program; the function only prints the error to the console and then returns to its caller, which then calls yy_flex_strncpy() and copies the source string from the configuration file into a buffer that is far too small for it.
Beyond the path shown above, the flex-generated code contains many other places that will not return correctly or will perform unsafe operations once YY_FATAL_ERROR() unexpectedly returns. Ultimately, a buffer overflow occurs in key heap structures because the token length read from the configuration file is too large for the parser to handle properly. The overwritten fields include structural elements inside the parser, which can lead to arbitrary code execution.
3. Scope of Impact
Affected Versions: GRUB 1.99, 2.00, 2.02, 2.04.
4. Solution
4.1 Test Plan
Run the following command in a Linux terminal window to view the GRUB2 version: grub-install --version.
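The following script, an added example rather than part of the original advisory, wraps that version check and compares the result against the affected upstream versions listed in section 3. It assumes the binary is installed as grub-install (Debian/Ubuntu) or grub2-install (RHEL/Fedora/SUSE); both names are assumptions about the local distribution.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed GRUB2
# is one of the upstream releases listed as affected by CVE-2020-10713.
# Assumes grub-install or grub2-install is on PATH (distribution-dependent).

AFFECTED_GRUB_VERSIONS="1.99 2.00 2.02 2.04"

# Pull the upstream version (e.g. "2.04") out of a --version line such as
# "grub-install (GRUB) 2.04-1ubuntu26" or "grub2-install (GRUB) 2.02".
# Prints nothing if no version is found.
grub_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*(GRUB) \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status 0 if the version is in the affected list, 1 otherwise.
grub_version_affected() {
    for v in $AFFECTED_GRUB_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Locate the grub-install binary under either common name.
grub_install_bin() {
    for b in grub-install grub2-install; do
        if command -v "$b" >/dev/null 2>&1; then
            command -v "$b"
            return 0
        fi
    done
    return 1
}

# Prints a one-line verdict. Exit status: 0 affected, 1 not in the list,
# 2 grub-install not found, 3 version string not parsed.
check_installed_grub() {
    bin=$(grub_install_bin) || { echo "grub-install not found"; return 2; }
    line=$("$bin" --version 2>/dev/null | head -n 1)
    ver=$(grub_version_from_line "$line")
    [ -n "$ver" ] || { echo "could not parse version from: $line"; return 3; }
    if grub_version_affected "$ver"; then
        echo "GRUB $ver ($bin) is in the affected list for CVE-2020-10713"
        return 0
    fi
    echo "GRUB $ver ($bin) is not in the affected upstream list"
    return 1
}

# Run the check only when invoked with --check, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then check_installed_grub; exit $?; fi
```

Distribution packages that backport the fix keep the upstream version string, so a hit here means "check the package version against your vendor's advisory", not "confirmed vulnerable".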
4.2 Mitigation
No permanent fix exists at this time.
4.3 Temporary Fix
1) Do NOT reboot the system.
2) Do NOT update grub2 until new distribution packages are released.
5. References
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
https://access.redhat.com/security/cve/CVE-2020-10713
https://access.redhat.com/security/vulnerabilities/grub2bootloader
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
https://status.cloud.google.com/incident/compute/20009#20009005