News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • ‘BootHole’ attack impacts Windows and Linux

    Posted on CADesertRat Comment on the AskWoody Lounge

    Home Forums Code Red – Security/Privacy advisories ‘BootHole’ attack impacts Windows and Linux

    • This topic has 19 replies, 12 voices, and was last updated 1 month ago.
    Viewing 13 reply threads
    • Author
      Posts
      • #2284017 Reply
        CADesertRat
        AskWoody Plus

        Looks like this impacts Windows, all Linux, and many OEM’s.

        ZDnet

         

        Details about a new vulnerability in a core component of the Secure Boot process have been published today.

        The vulnerability, codenamed BootHole, allows attackers to tamper with the boot-loading process that precedes starting up the actual operating system (OS).

        This process relies on components known as bootloaders that are responsible for loading the firmware of all computer hardware components on which the actual OS runs.

        BootHole is a vulnerability in GRUB2, one of today’s most popular bootloader components. Currently, GRUB2 is used as the primary bootloader for all major Linux distros, but it can also boot and is sometimes used for Windows, macOS, and BSD-based systems as well.

        Don't take yourself so seriously, no one else does 🙂
        4 Win 10 Pro at 1909 (3 Desktops, 1 Laptop).

        12 users thanked author for this post.
      • #2284027 Reply
        Microfix
        AskWoody MVP

        Which relates to kb4524244 being removed by MSFT back in february 2020.

        Info from https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

        Recommendations

        1. Right away, start monitoring the contents of the bootloader partition (EFI system partition). This will buy time for the rest of the process and help identify affected systems in your environment. For those who have deployed the Eclypsium solution, you can see this monitoring under the “MBR/Bootloader” component of a device.

        2. Continue to install OS updates as usual across desktops, laptops, servers, and appliances. Attackers can leverage privilege escalation flaws in the OS and applications to take advantage of this vulnerability so preventing them from gaining administrative level access to your systems is critical. Systems are still vulnerable after this, but it is a necessary first step. Once the revocation update is installed later, the old bootloader should stop working. This includes rescue disks, installers, enterprise gold images, virtual machines, or other bootable media.

        3. Test the revocation list update. Be sure to specifically test the same firmware versions and models that are used in the field. It may help to update to the latest firmware first in order to reduce the number of test cases.

        4. To close this vulnerability, you need to deploy the revocation update. Make sure that all bootable media has received OS updates first, roll it out slowly to only a small number of devices at a time, and incorporate lessons learned from testing as part of this process.

        5. Engage with your third-party vendors to validate they are aware of, and are addressing, this issue. They should provide you a response as to its applicability to the services/solutions they provide you as well as their plans for remediation of this high rated vulnerability.

        Eclypsium has powershell and bash scripts available which can be used to detect bootloaders that are being revoked by this dbxupdate.

        wow, seems like a potentially foul vulnerability, I wonder if removing the cmos battery for a long period would kill it off if infected, as the malware resides in separate places in the motherboard, or whether it would regenerate upon system start after the cmos battery is replaced?

        Win8.1 Pro x64 + Linux Hybrids x86/x64 + Win7 Pro x86/64 O/L
        4 users thanked author for this post.
      • #2284048 Reply
        OscarCP
        AskWoody Plus

        CADesertRat wrote: “… but it [GRUB 2] can also boot and is sometimes used for Windows, macOS, and BSD-based systems as well.

        In the case of Macs, this problem seems to affect only people that, for some reason, have to use GRUB2 that, I understand, is third-party software and, if so, not a component of the standard Mac’s bootstrapping system. If that is correct, then most Mac users, myself included, may never have a reason for using GRUB2 in their Macs. Am I correct? Thanks to anyone that clarifies this for me and other Mac users.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #2284051 Reply
        Microfix
        AskWoody MVP

        Well, just this minute, I got a Ubuntu patch update:

        GRUB is a portable, powerful bootloader. This version of GRUB is based on a cleaner design than its predecessors, and provides the following new features:

        – Scripting in grub.cfg using BASH-like syntax.
        – Support for modern partition maps such as GPT.
        – Modular generation of grub.cfg via update-grub. Packages providing GRUB
        add-ons can plug in their own script rules and trigger updates by invoking
        update-grub.
        – VESA-based graphical mode with background image support and complete 24-bit
        color set.
        – Support for extended charsets. Users can write UTF-8 text to their menu
        entries.
        This is a dependency package for a version of GRUB that has been built for use with the traditional PC/BIOS architecture. Installing this package indicates that this version of GRUB should be the active boot loader.

        all for :
        CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707,CVE-2020-15705

        WoW that was quick! 😉

        grub2

        Win8.1 Pro x64 + Linux Hybrids x86/x64 + Win7 Pro x86/64 O/L
        Attachments:
        4 users thanked author for this post.
        • #2284208 Reply
          Ascaris
          AskWoody_MVP

          I received a GRUB security update yesterday (July 29, 2020) on Neon (Ubuntu 18.04 base). I didn’t know exactly what it was for, but I do now! Can’t beat the speed of a security update that arrives before the warning of the vulnerability.

          Group "L" (Fedora 32 Linux w/ KDE Plasma).

          2 users thanked author for this post.
      • #2284063 Reply
        firemind
        AskWoody Lounger

        Forbes has interesting information on the possible impact of Boothole.

        My Linux Mint just got two updates – marked as software updates  (not security) and labelled as “medium” importance.

        grub2-1

        Attachments:
        3 users thanked author for this post.
      • #2284067 Reply
        Fred
        AskWoody Plus

        brrr, read the Microsoft part …..
        https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011

        ~ ~ ~
        3 users thanked author for this post.
      • #2284183 Reply
        Paul T
        AskWoody MVP

        If you don’t run Linux / dual boot Windows with Linux, there is nothing for Windows users to be concerned about.

        cheers, Paul

      • #2284201 Reply
        anonymous
        Guest

        Not true Paul, one only need admin access to install GRUB2 (much like to edit the config in Linux).

        • #2284210 Reply
          Ascaris
          AskWoody_MVP

          From my reading, it sounds like Paul’s right here. There can be non-Linux related reasons to use GRUB to boot on a system with Windows, but it’s not by any means common.

          If you mean that it would be possible to install GRUB (quietly, without alerting the user) specifically to bypass secure boot before chainloading Windows… well, that’s certainly not described in the ZDNet article, and I don’t know how feasible it is.

          If you’re not using secure boot, this does not affect you even if you are using GRUB, though it only means that the lowered security of bypassing secure boot with this exploit is the normal situation (with all that implies).

          Group "L" (Fedora 32 Linux w/ KDE Plasma).

      • #2284213 Reply
        doriel
        AskWoody Lounger

        I am still trying to comprehend that.

        In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable to this issue

        Sounds to me, that every device using UEFI SecureBoot is vulnerable, including Windows machines.

        Isnt MS Azure linux-based too? Does this mean something?

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        • #2285814 Reply
          mn–
          AskWoody Lounger

          For that to be true, it requires that a vulnerable, signed version of GRUB2 be installable into an existing system. As things stand, those are readily available from old installer images and such.

          Therefore fixing this will require revoking keys, so that the vulnerable versions stop being accepted by Secure Boot.

          And THAT might mean that old Windows installers and such also stop being accepted.

          1 user thanked author for this post.
      • #2284216 Reply
        Microfix
        AskWoody MVP

        I think the Windows side of this is related to WSL /WSL2
        (Windows Subsystem for Linux) which is an optional feature but, is required when installing any Linux distro using the MS Virtual Machine Platform.
        I expect 3rd party VM’s will also upgrade their applications eg: VMware, Oracle Virtualbox to mitigate the issue.

        Win8.1 Pro x64 + Linux Hybrids x86/x64 + Win7 Pro x86/64 O/L
      • #2284224 Reply
        bbearren
        AskWoody MVP

        New flaw neuters Secure Boot, but there’s no reason to panic. Here’s why

        “But there are some major catches

        The severity of the vulnerability, however, is offset by a few things. First, the attacker must have either administrative rights over the computer or physical access to the machine. Administrator-level control is increasingly hard to gain on modern OSes because of major advances they’ve made to block exploits. Physical access may be easier during border crossings or similar moments when a user briefly loses physical possession of a computer. But the requirement is steep in most other scenarios, making it unlikely many users are affected. What’s more, physical possession greatly restricts the scalability of attacks.

        Two other factors that make Boot Hole less scary: attackers who already have administrative or physical control of a computer already have plenty of other ways to infect it with advanced and stealthy malware. Furthermore, there are several other known techniques for bypassing Secure Boot.”

        I’m not overly concerned.  I always run as a Standard user, and “Ain’t nobody here but us chickens.”  No one else has physical access.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

        3 users thanked author for this post.
      • #2284655 Reply
        CADesertRat
        AskWoody Plus

        BootHole fixes causing boot problems across multiple Linux distros

        ZDnet

         

         

        As many experts anticipated, patches for the BootHole vulnerability in the GRUB2 bootloader that is used by all major Linux distributions are causing problems and preventing some users from booting their systems.

        While the list of affected distros only included Red Hat yesterday, it has now expanded to include users of Ubuntu [1, 2, 3], Debian, CentOS [1, 2], and Fedora.

        Microsoft security researcher Kevin Beaumont, also reports issues in cloud environments, namely where “a bug in cloud-init is causing problems across major cloud providers with Grub, such as Digital Ocean and Azure, having the same impact: patched systems then fail to boot.”

        Don't take yourself so seriously, no one else does 🙂
        4 Win 10 Pro at 1909 (3 Desktops, 1 Laptop).

        1 user thanked author for this post.
      • #2285653 Reply
        Nathan Parker
        AskWoody_MVP

        To my knowledge, Macs don’t use GRUB to boot. They boot over EFI, and Macs with T2 Chips also have Secure Boot enabled that can even disallow booting from external media.

        Plus Macs can have a firmware password set on them requiring a password before booting from any other drive besides the macOS Boot Drive (I can write an article on this if need be).

        This would mainly affect Macs with a dual boot of Linux which usually doesn’t occur since most people who happen to run Linux on a Mac use a VM instead.

        Nathan Parker

        2 users thanked author for this post.
      • #2288307 Reply
        Slowpoke47
        AskWoody Plus

        Could someone please explain in terms understandable to this non-tech user how much of a threat this invader presents, and what if any action I should take?  Running dual boot- Mint Mate 19.2 and Win7 on two machines in a home environment.  Internet access disabled in Win7.  It is our practice to install all Linux updates when presented.

        Linux Mint Mate 19.2

        3 users thanked author for this post.
        • #2288330 Reply
          Paul T
          AskWoody MVP

          Running Linux / dual booting Windows means you use grub and are vulnerable.

          The exploit requires admin / root access. If you run Linux as a non-root user you are OK. If you run Windows as non-admin you should be OK.

          I see no need to rush to patch if you are a non-root user and don’t download apps, but patching sooner is better than later with this one.

          cheers, Paul

          1 user thanked author for this post.
          • #2288346 Reply
            Ascaris
            AskWoody_MVP

            You’re vulnerable if you use GRUB and secure boot.

            If you do not use secure boot, you are no more vulnerable than before. The vulnerability is to defeat the effect of secure boot, but if you’re not using it in the first place, you’re already at the level of security that the exploit would bring you to.

            If you’re using Windows 7 on the machines in question, that means the PC is either not secure boot capable or that secure boot is not enabled, since Windows 7 does not work with secure boot. Secure boot requires UEFI, so any BIOS PC won’t have it, and some early UEFI PCs or motherboards (like my desktop) that were typically released with Windows 7 can’t perform a secure boot either. Microsoft started requiring OEMs to ship PCs with secure boot enabled starting with Windows 8.

            I’ve read that there may be some tricks you can use to get secure boot to work with 7, but that’s clearly not what we are talking about here.

            Group "L" (Fedora 32 Linux w/ KDE Plasma).

            3 users thanked author for this post.
            • #2288351 Reply
              Slowpoke47
              AskWoody Plus

              We are not using Win7- originally when adding Mint, just chose the dual boot option to keep Win7 available as a starting point in case I fouled up the Mint install and needed Internet access to try again (BTW, that didn’t happen).  On the few instances that we need a file from 7, we get to it via the Mint directory.

              Linux Mint Mate 19.2

              1 user thanked author for this post.
            • #2288562 Reply
              mn–
              AskWoody Lounger

              I’ve read that there may be some tricks you can use to get secure boot to work with 7, but that’s clearly not what we are talking about here.

              … Are you sure about that? Because that’s exactly the kind of thing the Grub2 shim was used for.

              As in, fixing this issue might cause at least some of those tricks to stop working.

    Viewing 13 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: ‘BootHole’ attack impacts Windows and Linux

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.