On 29 July 2020, a team of security researchers disclosed a high-priority bug in GRUB2 (GRand Unified Bootloader version 2) affecting billions of Linux and Windows systems that use Secure Boot. CVE-2020-10713 has been assigned to this buffer overflow vulnerability, dubbed “BootHole”.
Secure Boot is designed to verify that all of the firmware and boot components a computer loads are trusted. CVE-2020-10713, however, results in a complete bypass of Secure Boot on systems that use GRUB. The bug lies in GRUB’s inadequate error handling.
When the system boots, the firmware loads the first-stage bootloader (shim), and shim loads the GRUB binary. GRUB then reads its configuration from the grub.cfg file using a flex-generated language parser. If a token in the config file is too large for the parser’s buffer, the flex engine is supposed to raise an error and the processing function should exit or halt. But instead of halting on the error, the flex engine proceeds with executing the function.
Attackers can take advantage of this bug by placing massive strings in the grub.cfg file, which the parser copies into memory, leading to a buffer overflow. Security researchers at Eclypsium published a detailed vulnerability report, “There’s a Hole in the Boot”.
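As an added illustration of the parsing problem above (this is not code from the post, from Eclypsium, or from GRUB itself), a small Python audit that tokenizes a grub.cfg the way a shell-style lexer would and flags any token longer than a configurable limit, so a defender can check a config for the kind of oversized strings described here. The limit is an assumption: the post does not state GRUB’s lexer buffer size, and flex’s default YY_BUF_SIZE of 16384 bytes is used only as a placeholder default; the sample configs are constructed.

```python
import re
from typing import List, Tuple

# Assumed limit: the post does not state GRUB's lexer buffer size, so the
# threshold is a parameter. flex's default YY_BUF_SIZE of 16384 bytes is used
# only as an illustrative default.
DEFAULT_MAX_TOKEN = 16384

# Shell-style tokens: a '#' comment to end of line, or a run of quoted
# segments and bare characters with no unquoted whitespace in between.
TOKEN_RE = re.compile(
    r'#[^\n]*|(?:"(?:\\.|[^"\\])*"|\'[^\']*\'|[^\s"\'])+', re.DOTALL)


def oversized_tokens(cfg_text: str,
                     max_token: int = DEFAULT_MAX_TOKEN) -> List[Tuple[int, int]]:
    """Return (line_number, token_length) for each token longer than max_token.

    Quoted strings may span lines, so line numbers are computed from the
    token's starting offset rather than by splitting the text into lines."""
    findings = []
    for m in TOKEN_RE.finditer(cfg_text):
        tok = m.group(0)
        if tok.startswith("#"):      # comments never reach the parser
            continue
        if len(tok) > max_token:
            lineno = cfg_text.count("\n", 0, m.start()) + 1
            findings.append((lineno, len(tok)))
    return findings


def audit_grub_cfg(path: str,
                   max_token: int = DEFAULT_MAX_TOKEN) -> List[Tuple[int, int]]:
    """Audit a grub.cfg on disk (e.g. /boot/grub/grub.cfg) for oversized tokens."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return oversized_tokens(fh.read(), max_token)


# Constructed sample configs: a benign one and one carrying a 20,000-byte value.
BENIGN_CFG = """\
# constructed sample, not a real grub.cfg
set timeout=5
menuentry 'Ubuntu' {
    linux /vmlinuz root=/dev/sda1 ro quiet
}
"""
OVERSIZED_CFG = BENIGN_CFG + 'set pad="' + "A" * 20000 + '"\n'

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_CFG), ("oversized", OVERSIZED_CFG)):
        print(name, oversized_tokens(cfg))
```

Run `audit_grub_cfg("/boot/grub/grub.cfg")` on a host to list any token that exceeds the chosen limit; an empty list means no oversized tokens were found at that threshold.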
Additional Vulnerabilities in GRUB2
After the initial vulnerability report by the Eclypsium team, a number of additional vulnerabilities were discovered by the Canonical security team:
- CVE-2020-14308: Heap-based buffer overflow in grub_malloc
- CVE-2020-14309: Integer overflow in grub_squash_read_symlink can lead to heap-based overflow
- CVE-2020-14310: Integer overflow in read_section_from_string can lead to heap-based overflow
- CVE-2020-14311: Integer overflow in grub_ext2_read_link can lead to heap-based buffer overflow
- CVE-2020-15705: Failure to validate kernel signature when booted without shim
- CVE-2020-15706: Use-after-free in grub_script_function_create
- CVE-2020-15707: Integer overflow in initrd size handling
Exploitation
To exploit this vulnerability, attackers need root/admin access. A PoC is not public yet, as this affects a large number of systems.
Affected Vendors
All operating systems that use GRUB2 with Secure Boot are affected. As per Eclypsium’s report, the following vendors are confirmed to be affected:
- Microsoft
- UEFI Security Response Team (USRT)
- Oracle
- Red Hat (Fedora and RHEL)
- Canonical (Ubuntu)
- SuSE (SLES and openSUSE)
- Debian
- Citrix
- VMware
- Various OEMs
Mitigation
Microsoft has published an advisory to address the security feature bypass in GRUB.
Other affected vendors will provide updates for GRUB2.
Detection
Qualys customers can scan their network with QIDs 238518, 238517 and 238511 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
https://github.com/eclypsium/BootHole
https://access.redhat.com/security/cve/CVE-2020-10713
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10713