A new vulnerability has been discovered in Secure Boot that affects most Linux distributions and Windows devices that use the UEFI specification during boot. The vulnerability, called BootHole (tracked as CVE-2020-10713), was found by the enterprise security research firm Eclypsium (spotted by Tom's Hardware). The flaw is a buffer overflow in the way the GRUB2 bootloader parses its configuration file, grub.cfg, and can be used by attackers to attain "near-total control" of the victim's system.
The firm says that the problem "extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority", which puts a huge number of Windows desktops, laptops, workstations, servers, and other special-purpose equipment in scope even if they never boot Linux: any firmware that trusts that CA will also accept the signed shim that loads a vulnerable GRUB2.
The vulnerability is especially critical because it affects the boot process: malicious code that runs before the OS is loaded can bypass the security controls the operating system and the rest of the Secure Boot chain are supposed to enforce. Eclypsium notes that an attacker can modify grub.cfg, a plain-text configuration file that, unlike the bootloader binaries in the boot chain, is not covered by a cryptographic signature, and thereby run code before the operating system loads, gaining persistent access that survives an OS reinstall. The main limiting factor is that writing to the EFI System Partition normally requires administrator or root privileges, or physical access, so BootHole is a persistence and Secure Boot bypass issue rather than a remote entry point.
Eclypsium says that it has “coordinated the responsible disclosure of this vulnerability with a variety of industry entities, including OS vendors, PC manufacturers, and CERTs”. The company is holding a webinar on August 5 to talk about mitigating the vulnerability. It says that it expects to see advisories and announcements from Microsoft, UEFI Security Response Team (USRT), Oracle, Canonical, Debian, and other impacted parties.
The research firm believes that full mitigation of BootHole will require "coordinated efforts from a variety of entities" and that it expects deployment to be slow: closing the hole needs patched GRUB2 builds and re-signed shims from every distribution, plus a UEFI dbx revocation update that blocks the old signed bootloaders, and pushing that revocation to a device that still boots a revoked loader renders it unbootable. For now, the recommendations for organizations include monitoring UEFI bootloaders and firmware, verifying UEFI configurations, testing recovery capabilities, and more. Eclypsium's full advisory describes the vulnerability in detail.
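As an added example that is not from the article or from Eclypsium's advisory, the following Python script implements the first of those recommendations, monitoring the bootloader files on the EFI System Partition, as a hash baseline: record the SHA-256 of everything on the ESP, then report what changed. It illustrates the point above that grub.cfg sits outside the signed part of the boot chain, so editing it trips no Secure Boot check and has to be caught by the host. The ESP layout, file names and file contents are constructed stand-ins, and the edit made to grub.cfg is an arbitrary extra line, not an exploit payload.

```python
"""
Baseline-and-diff monitor for the files GRUB2 reads from the EFI System Partition (ESP).
The signed shim and GRUB binaries are verified by Secure Boot; grub.cfg is not, so a
host-side integrity baseline is one way to notice a tampered configuration.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed Debian/Ubuntu-style ESP layout; vendor directory and file names vary.
# Contents are constructed placeholders, not real bootloader images.
SAMPLE_FILES = {
    "EFI/ubuntu/shimx64.efi": b"MZ\x90\x00placeholder-signed-shim",
    "EFI/ubuntu/grubx64.efi": b"MZ\x90\x00placeholder-signed-grub",
    "EFI/ubuntu/grub.cfg": (
        b"search.fs_uuid 1234-ABCD root\n"
        b"set prefix=($root)/boot/grub\n"
        b"configfile $prefix/grub.cfg\n"
    ),
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256; real bootloader images can be several MB."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(esp: Path) -> dict[str, str]:
    """Map every regular file under the ESP (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(esp).as_posix(): sha256_file(p)
        for p in sorted(esp.rglob("*"))
        if p.is_file()
    }


def diff_baseline(esp: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the ESP's current state with a stored baseline."""
    current = take_baseline(esp)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def build_sample_esp(root: Path) -> Path:
    """Write the constructed sample files into a scratch directory standing in for the ESP."""
    esp = root / "esp"
    for rel, data in SAMPLE_FILES.items():
        target = esp / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return esp


def demo() -> dict[str, dict[str, list[str]]]:
    """Run the monitor against the sample ESP before and after grub.cfg is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = build_sample_esp(Path(tmp))
        baseline = take_baseline(esp)
        untouched = diff_baseline(esp, baseline)

        # Stand-in for an attacker with write access to the ESP editing the unsigned
        # config file. The signed shim and GRUB binaries are left alone, so Secure Boot
        # itself would not object; only the baseline comparison notices.
        cfg = esp / "EFI/ubuntu/grub.cfg"
        cfg.write_bytes(cfg.read_bytes() + b"set attacker_added=1\n")
        tampered = diff_baseline(esp, baseline)

    return {"untouched": untouched, "tampered": tampered}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

For real use, point `take_baseline` at the mounted ESP (typically /boot/efi), keep the baseline off the host or in a signed store so an attacker with root cannot silently update it alongside the files, and on distributions whose ESP grub.cfg merely chains to /boot/grub/grub.cfg, baseline that second file too. This is a detective control only; the actual fix is a patched GRUB2 plus the corresponding dbx revocation.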