New BootHole Vulnerability Affects Billions of Devices, Compromises GRUB2 Boot-loader [Patches now making RedHat and CentOS systems not bootable]

[Pickles von Brine]

 

Quote

BootHole exploits a design flaw with two of the key components of GRUB2, bison, a parser generator, and flex, a lexical analyzer. Eclypsium discovered that these two can have "mismatched design assumptions" that can lead to buffer overflow. This buffer overflow can be exploited to execute arbitrary code. Devices with modern UEFI and Secure Boot enabled typically wall off even administrative privileged users off from tampering with boot processes, however, in case of BootHole, the boot-loader parses a configuration file located in the EFI partition of the boot device, which can be modified by any user (or malicious process) that has admin privileges. Thankfully, patched versions of GRUB2 are already out, and the likes of SUSE have started distributing it for all versions of SUSE Linux. Expect practically every other *nix vendor, server manufacturer, to release patches to their end-users. Find a technical run-down of the vulnerability in this PDF by Eclypsium.

 

Quote

As for Microsoft, the company acknowledged the issue in a security advisory, as did other affected parties such as HP, VMware, Debian, Canonical, Red Hat, and SUSE. The Eclypsium researchers noted that only one vendor performs a signature check on the main GRUB2 configuration file, meaning there are potentially billions of systems affected by BootHole.

Mitigating the issue will be particularly hard, as this will be a multi-stage process that starts with patching GRUB2. Then makers of Linux distributions need to update their installers, bootloaders, disaster recovery images, and shims. Then those shims will need to be signed by the Microsoft Third Party UEFI Certificate Authority, while the old ones need to be revoked in firmware on all affected systems. This has led to boot failures in the past, as manufacturers have different implementations of this process.

Source
Second source
This is one nasty thing. I don't really understand how it exactly works, but regardless. This runs in secure boot too! Since Grub2 is so popular for open source and linux sytsems, it is unsurprising to see a vulnerability, but one that is like this is a bit surprising. Luckily there is a patch for it. So, thank god for that.  However, based on the info above. It looks like this is going to be an on going process. 


 

Quote

Unfortunately, Red Hat's patch to GRUB2 and the kernel, once applied, are leaving patched systems unbootable. The issue is confirmed to affect RHEL 7.8 and RHEL 8.2, and it may affect RHEL 8.1 and 7.9 as well. RHEL-derivative distribution CentOS is also affected.

Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues have been resolved. If you administer a RHEL or CentOS system and believe you may have installed these patches, do not reboot your system. Downgrade the affected packages using sudo yum downgrade shim\* grub2\* mokutil and configure yum not to upgrade those packages by temporarily adding exclude=grub2* shim* mokutil to /etc/yum.conf.

If you've already applied the patches and attempted (and failed) to reboot, boot from an RHEL or CentOS DVD in Troubleshooting mode, set up the network, then perform the same steps outlined above in order to restore functionality to your system.

Patched BootHole systems now not booting

[Hairless Monkey Boy]

Please patch my BootHole. 

[Senzelian]

Great. All our PBXs are f*cked.

Let's put this in the "I'm too lazy to update and the problem will hopefully go away by itself"-category.

[Pickles von Brine]

3 hours ago, Senzelian said:

Great. All our PBXs are f*cked.

Let's put this in the "I'm too lazy to update and the problem will hopefully go away by itself"-category.

Yeah I can see this being an annoying issue and people cry wolf when their stuff is compromised. Did Experion have this problem? Didn't update apache, paid dearly for it?

[Salv8 (sam)]

4 hours ago, HairlessMonkeyBoy said:

Please patch my BootHole. 

patching in progress.

[CarlBar]

5 hours ago, HairlessMonkeyBoy said:

Please patch my BootHole. 

 

I think it's called toilet paper.

[Hairless Monkey Boy]

46 minutes ago, Salv8 (sam) said:

patching in progress.

Don't stop.