‘BootHole’ — an overview of GNU GRUB Vulnerabilities

Imriah
SSD Secure Disclosure
3 min read · Mar 8, 2021

A bootloader, one of the basic components of a computer, is the first software program that runs when the computer starts. It is responsible for loading the operating system kernel (on Linux systems, the Linux kernel) and transferring control to it. The kernel, in turn, initializes the rest of the operating system.

GNU GRUB (also called GRUB2) is a Multiboot boot loader. It is part of the GNU Project, which develops a free operating system whose users may run, copy, study and change the programs’ source code freely. The “GRUB” in GNU GRUB stands for GRand Unified Bootloader.

Since GNU GRUB runs on most Linux devices and is a core element of the boot process, an attack on it can cause a lot of harm. Because it is a component that is relatively difficult to hack or exploit, vendors and GNU users will pay very high payouts and pay close attention to researchers working on GNU.

Although only a handful of security vulnerabilities were found in the past, a few months ago, security researchers from Eclypsium found a security vulnerability in GRUB 2 that could lead to arbitrary code execution and completely compromise the system. Following Eclypsium’s findings, the Canonical security team at Ubuntu drilled deeper and found several other vulnerabilities.

CVE-2020-10713 — Buffer Overflow to Remote Code Execution

This buffer overflow is the most serious vulnerability found in GRUB. It affects all versions of GNU GRUB prior to version 2.06 and occurs while GRUB2 is parsing the grub.cfg file. It could allow attackers to bypass the Secure Boot protections in order to load an untrusted or modified kernel, and thereby to gain high-privileged and persistent access to the targeted systems.

An attacker looking to abuse this vulnerability would first have to gain access to the system: by obtaining physical access, by gaining the ability to alter a PXE boot network, or by having remote root access to a networked system.

Once an attacker gains access, he is able to trigger the buffer overflow to gain arbitrary command execution. This would grant the ability to run malware inside the system, alter the boot process, directly patch the OS kernel, or execute other malicious actions. This is why the vulnerability was given a critical rating of 8.2 and drew a lot of attention at the time of publication.

CVE-2020-15706 — Use After Free Vulnerability Leading to RCE

Another, less critical vulnerability (rated 6.4) was found by the Canonical security team in GRUB versions prior to 2.04. It allows attackers to redefine functions in grub_script_function_create while the function is already running, triggering a use-after-free that could lead to code execution or to bypassing Secure Boot restrictions.

CVE-2020-15705 — Secure Boot Bypass

This Secure Boot bypass, also found by the Canonical security team in the same versions of GRUB2 (rated 6.4), occurred because GRUB2 failed to validate the kernel signature when booted directly without shim, which is a small library that transparently intercepts an API. The vulnerability occurs only under these circumstances and could allow attackers to bypass Secure Boot.
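The three CVEs above are described in terms of version ranges (before 2.06 for CVE-2020-10713, before 2.04 for CVE-2020-15705 and CVE-2020-15706) and of boot state (whether Secure Boot is on and whether GRUB was booted via shim). The following triage helper is an added example, not part of this post or of the GRUB project: it parses the version banner printed by `grub-install --version`, maps it onto the ranges stated above, and decodes the UEFI `SecureBoot` variable from efivars (the standard GUID `8be4df61-93ca-11d2-aa0d-00e098032b8c`). The `SAMPLE_VERSION_OUTPUT` string is a constructed sample; the `installed_grub_version` helper is hypothetical and simply assumes `grub-install` or `grub2-install` is on the PATH.

```python
"""Defender-side triage: does a GRUB2 build fall inside the affected
version ranges this overview describes, and is Secure Boot enabled?"""
import re
import subprocess
from pathlib import Path

# Fixed-in versions as stated in the overview (assumption: a build is
# affected when its version is strictly lower than the fixed-in version).
FIXED_IN = {
    "CVE-2020-10713": (2, 6),   # buffer overflow while parsing grub.cfg
    "CVE-2020-15705": (2, 4),   # kernel signature not checked without shim
    "CVE-2020-15706": (2, 4),   # use-after-free in grub_script_function_create
}

# Constructed sample of what `grub-install --version` prints on a
# Debian/Ubuntu-style package (not captured from a real host).
SAMPLE_VERSION_OUTPUT = "grub-install (GRUB) 2.04-1ubuntu26\n"

# Standard UEFI global-variable GUID; the efivars file is 4 attribute
# bytes followed by the variable data (1 byte for SecureBoot).
EFIVAR_SECUREBOOT = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)


def parse_grub_version(text):
    """Return (major, minor) from a grub-install/grub-mkconfig banner, or None."""
    match = re.search(r"\(GRUB\)\s+(\d+)\.(\d+)", text)
    if match is None:
        # Fall back to the first bare X.Y token (e.g. "GNU GRUB version 2.06").
        match = re.search(r"\b(\d+)\.(\d+)\b", text)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def affected_cves(version):
    """CVE ids whose stated affected range (< fixed-in version) contains `version`."""
    if version is None:
        return []
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def parse_secureboot_var(raw):
    """Decode efivars content: skip 4 attribute bytes, data byte 1 means enabled."""
    return len(raw) >= 5 and raw[4] == 1


def secure_boot_enabled(efivar_path=EFIVAR_SECUREBOOT):
    """True/False from the live efivars file, None on a non-EFI boot."""
    try:
        return parse_secureboot_var(efivar_path.read_bytes())
    except OSError:
        return None


def installed_grub_version():
    """Hypothetical helper: ask the local grub-install for its version."""
    for tool in ("grub-install", "grub2-install"):
        try:
            proc = subprocess.run([tool, "--version"], capture_output=True,
                                  text=True, check=False)
        except FileNotFoundError:
            continue
        version = parse_grub_version(proc.stdout)
        if version is not None:
            return version
    return None


def triage(version, sb_state):
    """Summarise exposure as a short, human-readable list of findings."""
    findings = []
    for cve in affected_cves(version):
        findings.append(f"{cve}: version {version[0]}.{version[1]:02d} is in the "
                        f"stated affected range")
    if sb_state is False:
        findings.append("Secure Boot is disabled: the bypasses above are moot, "
                        "but nothing verifies the kernel at all")
    elif sb_state is None:
        findings.append("No UEFI SecureBoot variable: legacy/BIOS boot or efivars "
                        "not mounted")
    return findings


if __name__ == "__main__":
    version = installed_grub_version() or parse_grub_version(SAMPLE_VERSION_OUTPUT)
    for line in triage(version, secure_boot_enabled()):
        print(line)
```

The version check is only a first pass: distributions backported the fixes into their existing package versions, so a `2.04` package string by itself does not prove exposure; confirm against the vendor's advisory and the package changelog, and check that the installed boot chain actually goes through shim when Secure Boot is on.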

All of these vulnerabilities were disclosed to the relevant vendors, patched and fixes were released.

Found similar vulnerabilities in GNU GRUB? We’ll get you the best reward out there!

At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD acts as your premium agent with vendors and commits to the highest offer out there and a very quick turnaround for your research and 0days.

We are constantly publishing our findings, and adding new vendors and products to our scope. If you have research you’re looking to submit or not sure how to get started, reach out today and let us be your guide.
