CVE-2020-10713 – GRUB 2 boot loader buffer overflow – aka BootHole

Published: 2020-07-29
MITRE CVE-2020-10713

GRUB 2 is a “boot loader”, it precedes the actual operating system and allows for multiple options in what operating system to load and with what parameters given. An attacker with administrative privileges on a system, or physical access, can use this vulnerability to bypass the check of cryptographic signatures and run arbitrary code. GRUB 2 is the default boot loader for most popular GNU/Linux distributions, but it is independent of any OS so this vulnerability can also be exploited against Windows systems.

Some might say that game is over anyway if an attacker has administrative privileges or physical access, but this attack method provides a way for an attacker to establish persistence on a system perhaps invisible for an OS and its endpoint security platform.

RedHat reports “In CVE-2020-10713, an attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB.”

And for remediation “Red Hat recommends all customers to update their grub2 packages. Red Hat customers using Secure Boot need to update kernel, fwupdate, fwupd, shim and dbxtool packages containing newly validated keys and certificates. Users running Secure Boot with Red Hat Enterprise Linux 8 need to take additional steps to boot into previously released RHEL 8 kernels after applying the grub2 package updates.”

This vulnerability has a CVSS Base score of 8.2 with the CVSS vectors CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Basefarm is currently evaluating this vulnerability and its consequences for the continued secure operations of our customers and our own systems. Internally this is tracked in BF-VLN-2089662. At this early point we refer to the individual vendors for more information:

Microsoft ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Red Hat Boot Hole Vulnerability – GRUB 2 boot loader – CVE-2020-10713

This vulnerability was discovered and responsibly disclosed by Eclypsium, see their in depth technical writeup “There’s a Hole in the Boot”

Update 2020-07-31: There are some reports about the RHEL grub2 security update rendering systems unbootable. Patching for vulnerabilities IS important, but doing so in a responsible manner is also a priority.