Linux-wide boot process vulnerability revealed


By Dylan Bushell-Embling
Thursday, 30 July, 2020



Security company Eclypsium has revealed the details of a vulnerability potentially affecting virtually every Linux installation and a number of Windows devices that could allow attackers to hijack the boot process.

The BootHole vulnerability (CVE-2020-10713), discovered by Eclypsium earlier this year, is a weakness in GRUB2, the bootloader used by most Linux systems, that undermines the protection UEFI Secure Boot is meant to provide.

The vulnerability also affects any Windows device that has Secure Boot enabled and trusts the standard Microsoft Third Party UEFI Certificate Authority, the CA that signs Linux shims and other third-party bootloaders.

Eclypsium said this means the majority of laptops, desktops, servers and workstations, as well as a number of specialised devices used in the industrial, healthcare, financial and other industries, are at risk.

Because the vulnerable GRUB2 (Grand Unified Bootloader version 2) binaries are themselves signed by the Microsoft Third Party UEFI CA, the BootHole vulnerability affects every system that trusts that CA, even one that does not normally boot with GRUB2: an attacker can install a signed, vulnerable copy of GRUB2 alongside a malicious configuration file and Secure Boot will accept it.

Eclypsium said the vulnerability is particularly disturbing because it threatens the boot process, one of the most fundamental aspects of security for any device. An attacker who compromises this process controls how the operating system is loaded and can subvert every higher-layer security control.

The vulnerability stems from a buffer overflow in the way GRUB2 parses its configuration file, grub.cfg: an overlong token in the file overflows an internal buffer of the configuration parser, and the parser's error handling does not stop execution, the company said.

Because grub.cfg is typically stored as unsigned plain text on the EFI System Partition, Secure Boot never verifies it. An attacker who can write the file therefore gains arbitrary code execution inside GRUB2, with the attack code running before the operating system, and any of its security controls, is loaded.

Exploiting the vulnerability first requires an attacker to gain elevated privileges, since root or administrator access is needed to write to the EFI System Partition. Once there, the attacker can use it to escalate further and gain persistence at the bootloader level, below the operating system and outside the control of Secure Boot.

Mitigating the issue will require coordinated efforts from a variety of entities: the affected open-source projects, Linux distributions and other vendors, Microsoft, and the owners of affected systems, Eclypsium said.

This will involve updates to GRUB2 to fix the overflow, as well as Linux distributions and other vendors that ship GRUB2 updating their installers, bootloaders and shims. The new shims will need to be signed by the Microsoft Third Party UEFI CA, and the previously signed, vulnerable bootloaders will need to be revoked by adding them to the UEFI revocation list (dbx) on each system; without that revocation an attacker can simply reinstall an old signed copy.

But this is expected to be a slow and complex process, and systems remain at risk in the meantime. Revocation has to be sequenced carefully: pushing a dbx update to a system whose own bootloader has not yet been replaced leaves that system unable to boot.

In the meantime, Eclypsium is advising enterprises to immediately start monitoring the contents of bootloader partitions (on UEFI systems, the EFI System Partition) for unexpected changes, such as modified grub.cfg files or newly installed bootloader binaries.
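As an added illustration of that advice, the following Python script is example code written for this article, not Eclypsium's or any distribution's tooling. It builds a baseline manifest of the files on an EFI System Partition and later diffs the partition against that baseline, flagging changed or new grub.cfg and .efi files; it also flags any added or modified grub.cfg that contains an abnormally long token, which is the shape of input the BootHole parser overflow needs. The mount point /boot/efi, the manifest location and the 4096-byte token threshold are assumptions for the example, not values from the advisory.

```python
"""ESP integrity check: baseline the EFI System Partition, then diff it.

Added example for this article, not Eclypsium's or any distribution's tool.
Assumptions: the ESP is mounted at the path you pass in (commonly /boot/efi
on Linux); the baseline JSON lives somewhere an attacker with root on this
host cannot rewrite; TOKEN_LIMIT is a tuning choice, not the exact overflow
threshold of any particular GRUB2 build.
"""
import hashlib
import json
import os
import sys
import tempfile

# Files a BootHole-style attacker has to touch: the unsigned grub.cfg that the
# vulnerable parser reads, and the EFI binaries (shim, GRUB2) that could be
# replaced by an older, still-signed, still-vulnerable copy.
BOOT_CRITICAL_SUFFIXES = (".cfg", ".efi")
TOKEN_LIMIT = 4096  # assumed heuristic: no real grub.cfg needs a token this long


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, removed, modified


def longest_token(cfg_text):
    """Length of the longest whitespace-delimited token in a grub.cfg."""
    return max((len(t) for t in cfg_text.split()), default=0)


def alerts(baseline, current, root=None):
    """Render the diff as alert lines. Boot-critical paths are flagged and,
    when root is given, every added or modified .cfg is scanned for an
    overlong token (the kind of input the BootHole parser overflow needs)."""
    out = []
    added, removed, modified = diff_manifests(baseline, current)
    for kind, paths in (("ADDED", added), ("REMOVED", removed),
                        ("MODIFIED", modified)):
        for p in paths:
            critical = p.lower().endswith(BOOT_CRITICAL_SUFFIXES)
            out.append(("BOOT-CRITICAL " if critical else "") + f"{kind}: {p}")
            if root and kind != "REMOVED" and p.lower().endswith(".cfg"):
                with open(os.path.join(root, p), errors="replace") as f:
                    n = longest_token(f.read())
                if n > TOKEN_LIMIT:
                    out.append(f"OVERLONG-TOKEN ({n} bytes): {p}")
    return out


def demo():
    """Constructed sample ESP: baseline it, then tamper with grub.cfg."""
    with tempfile.TemporaryDirectory() as esp:
        grub_dir = os.path.join(esp, "EFI", "ubuntu")
        os.makedirs(grub_dir)
        cfg = os.path.join(grub_dir, "grub.cfg")
        with open(cfg, "w") as f:
            f.write("search.fs_uuid 1234-ABCD root\nset prefix=($root)/grub\n")
        with open(os.path.join(grub_dir, "shimx64.efi"), "wb") as f:
            f.write(b"MZ" + b"\0" * 62)  # stand-in bytes, not a real PE image
        baseline = build_manifest(esp)
        # Attacker with root appends an overlong token to the unsigned config
        # and drops an unrelated file; only the config should be flagged.
        with open(cfg, "a") as f:
            f.write("A" * (TOKEN_LIMIT + 1) + "\n")
        with open(os.path.join(esp, "EFI", "README.txt"), "w") as f:
            f.write("benign\n")
        return alerts(baseline, build_manifest(esp), root=esp)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        with open(sys.argv[3], "w") as f:
            json.dump(build_manifest(sys.argv[2]), f, indent=1, sort_keys=True)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[3]) as f:
            found = alerts(json.load(f), build_manifest(sys.argv[2]), root=sys.argv[2])
        print("\n".join(found) if found else "ESP matches baseline")
        sys.exit(1 if found else 0)
    else:
        print("\n".join(demo()))
```

Run `python esp_check.py baseline /boot/efi esp-baseline.json` once after patching, then `python esp_check.py check /boot/efi esp-baseline.json` from cron or an EDR job; with no arguments it runs the constructed demo. Keep the baseline off the host: anyone with root can rewrite both the ESP and a locally stored manifest, so the diff only means something when the reference copy lives where the attacker cannot reach it. A hash baseline catches a replaced or edited file; the token-length check is a weaker, content-based heuristic that can still fire when no baseline exists.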

SHA-1 Windows content to be retired

Meanwhile, Microsoft has announced plans to remove all Windows-signed content that uses Secure Hash Algorithm 1 (SHA-1), rather than SHA-2, from the Microsoft Download Centre from 3 August.

The company stopped using SHA-1 to authenticate Windows operating system updates in February 2016, by which time theoretical collision attacks against the algorithm had been known for about a decade. A year later, Google cryptographers published the first practical SHA-1 collision (the "SHAttered" attack), turning the theoretical weakness into a demonstrated one.

Microsoft dropped support for SHA-1 certificates from both Edge and Internet Explorer later that year, and other major software developers likewise abandoned the algorithm for its more secure successor, SHA-2. Microsoft also stopped providing Windows updates to devices without SHA-2 code-signing support in August last year.

“SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks or perform man-in-the-middle attacks,” Microsoft said in a statement.

But the company did not say whether it intends to re-release the legacy Microsoft software signed with SHA-1 as SHA-2-signed alternatives.




All content Copyright © 2024 Westwick-Farrow Pty Ltd