Eclypsium, a company that specializes in enterprise security solutions, revealed a new vulnerability that allows attackers to gain near-total control of Windows or Linux systems. The company says that billions of devices are vulnerable, ranging from laptops, desktop PCs, servers, and workstations to special-purpose equipment used in industrial, healthcare, financial, and other industries. The announcement comes as part of a coordinated industry-wide disclosure.
The attack exposes a vulnerability in the UEFI Secure Boot framework, which normally prevents unauthorized code from running on the system during boot. By compromising Secure Boot, attackers can load malicious UEFI bootloaders and gain unfettered access to and control of the system. Fortunately, exploiting the vulnerability requires elevated privileges (though not physical access), so an outside party would first need insider knowledge or credentials obtained through other means.
However, once compromised, the system appears to operate normally even though malware has complete access to the system and OS. Because the malicious code resides in the bootloader, it persists even after the operating system is reinstalled. The vulnerability (CVE-2020-10713) has been assigned a CVSS rating of 8.2; successful exploitation gives attackers near-total access to a device.
UEFI Secure Boot is an industry standard that protects almost all servers and PCs from attacks during the system boot-up process, and all systems equipped with Secure Boot are impacted - even if the feature isn't enabled.
Secure Boot uses cryptographic signatures to verify each piece of code that is allowed to run during the boot-up process. GRUB2 (GRand Unified Bootloader, version 2) handles loading the system and transferring control to the OS at boot time, and if this stage is compromised, attackers can gain full control of the system.
As a basic explanation (read here for a technical deep dive), the BootHole attack exploits a buffer overflow in the way GRUB2 parses its configuration file, a plain-text file that, unlike the bootloader binaries and other executables, is not covered by a signature check. The overflow allows arbitrary code execution within GRUB2, which in turn lets the attacker swap in malicious bootloaders and take full control of the system.
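To show the parsing mistake the article describes in code, here is an added example (not GRUB2's own code; the function names and TOKEN_CAP are hypothetical): a bounded tokenizer for a grub.cfg-style `set KEY=VALUE` line that refuses an oversize token instead of copying it into a fixed-size buffer.

```c
#include <stddef.h>
#include <string.h>

#define TOKEN_CAP 32   /* fixed-size token buffer, as in a generated lexer */
enum { PARSE_OK = 0, PARSE_BAD_SYNTAX = -1, PARSE_TOKEN_TOO_LONG = -2 };

/* Copy src[0..len) plus a NUL into dst only if it fits in cap bytes; this
 * length check is what the vulnerable parser lacked (it reported the
 * oversize token but kept copying past the end of the buffer). */
static int copy_token(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap)
        return PARSE_TOKEN_TOO_LONG;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return PARSE_OK;
}

/* Parse a grub.cfg-style "set KEY=VALUE" line into two TOKEN_CAP buffers.
 * Returns PARSE_OK or a negative code; no buffer is ever written past cap. */
int parse_set_line(const char *line, char *key, char *value) {
    const char *p, *eq, *end;
    if (strncmp(line, "set ", 4) != 0)
        return PARSE_BAD_SYNTAX;
    p = line + 4;
    eq = strchr(p, '=');
    if (eq == NULL || eq == p)
        return PARSE_BAD_SYNTAX;
    end = strchr(eq + 1, '\n');
    if (end == NULL)
        end = eq + 1 + strlen(eq + 1);
    if (copy_token(key, TOKEN_CAP, p, (size_t)(eq - p)) != PARSE_OK)
        return PARSE_TOKEN_TOO_LONG;
    return copy_token(value, TOKEN_CAP, eq + 1, (size_t)(end - eq - 1));
}

/* Constructed inputs: a normal line, then one whose value is 100 bytes. */
int check_normal_line(void) {
    char key[TOKEN_CAP], value[TOKEN_CAP];
    return parse_set_line("set timeout=5\n", key, value) == PARSE_OK
        && strcmp(key, "timeout") == 0 && strcmp(value, "5") == 0;
}

int check_oversize_line(void) {
    char line[128] = "set default=";
    char key[TOKEN_CAP], value[TOKEN_CAP];
    memset(line + 12, 'A', 100);   /* value is about 3x the token buffer */
    line[112] = '\0';
    return parse_set_line(line, key, value) == PARSE_TOKEN_TOO_LONG;
}
```

The point is that an unsigned configuration file is attacker-controlled input, so the parser, not the signature check, is the only thing standing between a long token and memory corruption.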
The announcement comes as part of a coordinated disclosure with OS vendors, computer manufacturers, and CERTs, many of which Eclypsium says will release individual announcements today. Those companies include Microsoft, Oracle, Red Hat, Canonical (Ubuntu), SuSE, Debian, Citrix, VMware, and a number of other OEMs and software vendors.
The company projects the vulnerability will take some time to be patched for all systems, with various entities announcing their own schedules for patch releases. Per the company:
"Mitigation is complex and can be risky and will require the specific vulnerable program to be signed and deployed, and vulnerable programs should be revoked to prevent adversaries from using older, vulnerable versions in an attack. The three-stage mitigation process will likely take years for organizations to complete patching."