'BootHole' attack impacts Windows and Linux systems using GRUB2 and Secure Boot

Post by Flash »

'BootHole' attack impacts Windows and Linux systems using GRUB2 and Secure Boot
Microsoft, Red Hat, Canonical, SuSE, Oracle, VMWare, Citrix, and many OEMs are expected to release BootHole patches.

BootHole is a vulnerability in GRUB2, one of today's most popular bootloader components. Currently, GRUB2 is used as the primary bootloader for all major Linux distros, but it can also boot and is sometimes used for Windows, macOS, and BSD-based systems as well.

How BootHole works

The BootHole vulnerability was discovered earlier this year by security researchers from Eclypsium. The actual full technical details about the bug have been published today on the Eclypsium blog.

Researchers say BootHole allows attackers to tamper with the GRUB2 component to insert and execute malicious code during the boot-loading process, effectively allowing attackers to plant code that has full control of the OS, launched at a later point.

This type of malware is usually known as a bootkit because it lives inside bootloaders, in the motherboard physical memory, in locations separate from the actual OS, allowing it to survive OS reinstalls.

According to Eclypsium, the actual BootHole vulnerability is located inside grub.cfg, a configuration file separate from the actual GRUB2 component, from where the bootloader pulls system-specific settings. Eclypsium says that attackers can modify values in this file to trigger a buffer overflow inside the GRUB2 component when it reads the file on every OS boot.

...attackers can piggyback on the "overflowing" code from one or more grub.cfg options to execute malicious commands inside the GRUB2 component.

...a BootHole attack also works even when servers or workstations have Secure Boot enabled.

...Secure Boot is a process where the server/computer uses cryptographic checks to make sure the boot process loads only cryptographically signed firmware components.

...BootHole attack works even with Secure Boot enabled because, for some devices or OS setups, the Secure Boot process doesn't cryptographically verify the grub.cfg file, allowing attackers to tamper with its content.

...the Secure Boot process was specifically created to prevent even high-privileged admin accounts from compromising the boot process, meaning that BootHole is a major security hole in one of the IT ecosystem's most secure operations.

...every Linux distribution is impacted by this vulnerability, as all use GRUB2 bootloaders that read commands from an external grub.cfg file. ..."In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable to this issue,"

"...we believe that the majority of modern systems in use today, including servers and workstations, laptops and desktops, and a large number of Linux-based OT and IoT systems, are potentially affected by these vulnerabilities."

The security vendor said it expected security alerts and patches from:

Microsoft
UEFI Security Response Team (USRT)
Oracle
Red Hat (Fedora and RHEL)
Canonical (Ubuntu)
SuSE (SLES and openSUSE)
Debian
Citrix
HP
VMware
OEMs
Software vendors, including security software

Eclypsium said it expects patching to take a long while, as fixing bootloader bugs is usually a complex process due to the multitude of components and advanced cryptography involved in the process.

How does this affect Puppy running from a multisession DVD?
Chaos coordinator :?
Post by foxpup »

Flash wrote (Fri Jul 31, 2020 4:14 pm): How does this affect Puppy running from a multisession DVD?
I think NOT :-D
Because you cannot overwrite the grub.cfg.

However, grub.cfg may not be the only way to exploit this vulnerability.
Beyond just this specific path, a number of additional places throughout the flex-generated code also expect that any calls to YY_FATAL_ERROR() never return and perform unsafe operations when that expectation is broken.
Also, shim is mentioned briefly to be affected, not only grub2;
so turn off secure boot (turn on legacy boot support)... and use legacy boot with grub4dos if you can.
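A constructed C illustration of the bug class foxpup's quote describes (a "fatal" error handler that returns instead of halting, so a copy into a fixed-size token buffer is no longer bounded), added here as an educational example; it is not GRUB2's, flex's or Eclypsium's code, and the token buffer, canary and copier functions are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not GRUB2's code) of the bug class the thread
 * describes: a fixed-size token buffer filled from an unverified config
 * file, where the "fatal" error handler returns instead of stopping. */

#define TOKEN_CAP 16          /* logical capacity of the token buffer */
#define CANARY    "CANARY!"   /* marks memory that must never be touched */
#define STORAGE   (TOKEN_CAP + sizeof CANARY)

/* The code expects this to never return; here it only logs and returns,
 * which is the broken assumption the quoted write-up points at. */
static int fatal_error_that_returns(const char *msg) {
    fprintf(stderr, "fatal: %s\n", msg);
    return -1;
}

/* Vulnerable pattern: after the handler "fails", copying simply continues,
 * so an over-long token from grub.cfg-style input runs past TOKEN_CAP. */
static int copy_token_unchecked(const char *tok, char *buf) {
    size_t n = strlen(tok);
    if (n >= TOKEN_CAP)
        fatal_error_that_returns("token too long"); /* return value ignored */
    memcpy(buf, tok, n + 1);      /* overwrites whatever follows TOKEN_CAP */
    return 0;
}

/* Hardened pattern: the bound is enforced where the copy happens, and an
 * over-long token is rejected before a single byte is written. */
static int copy_token_checked(const char *tok, char *buf) {
    size_t n = strlen(tok);
    if (n >= TOKEN_CAP)
        return fatal_error_that_returns("token too long");
    memcpy(buf, tok, n + 1);
    return 0;
}

/* Runs one copier over a buffer whose tail holds a canary (all inside one
 * array, so the demo itself is well-defined); returns 1 if the canary
 * survived, 0 if the copy clobbered it. */
static int canary_intact(int (*copier)(const char *, char *), const char *tok) {
    char storage[STORAGE];
    memset(storage, 0, sizeof storage);
    memcpy(storage + TOKEN_CAP, CANARY, sizeof CANARY);
    copier(tok, storage);
    return memcmp(storage + TOKEN_CAP, CANARY, sizeof CANARY) == 0;
}
```

The same structure is why the fix matters even with Secure Boot on: the signature check covers the GRUB2 binary, not the grub.cfg bytes that reach this copy.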
Post by 8Geee »

Some Puppy Linux OSes use Syslinux (Slacko 5.7 = v. 4.05; version 4.06 and up can boot NTFS).
This seems to be another alternative.

Regards
8Geee

Money talks... no, it shouts, so that it doesn't have to hear common sense.
