Billions of devices running modern operating systems such as Linux and Windows could be at risk from a wide-ranging new security vulnerability, new research as found.
Security firm Eclypsium has discovered a EUFI Secure Boot vulnerability that allows unfettered access to affected systems. Virtually all modern servers, client PCs, and other PC-based equipment use UEFI, an interface between an OS and platform firmware. All versions of UEFI feature Secure Boot framework specifically designed to protect unauthorized access to the machine during boot-up process. The framework relies on cryptographic keys to authenticate the code that is allowed to execute when the system starts up.
The key process that executes the specified OS loader and transfers controls to the OS is called GRUB2 (Grand Unified Bootloader). If this process is compromised, the perpetrators can control how the OS is loaded and undermine all higher-layer security controls.
Eclypsium discovered a weakness in the way GRUB2 parses its configuration file that lets attackers to execute arbitrary code that bypasses signature verification and install persistent and stealthy bootkits or malicious bootloaders to gain control over a system. While the attackers can successfully get unfettered control over a machine as well as all the secrets it may hold, the computer may operate as usual and admins may not know that it is compromised until it is too late.
Exploiting the GRUB2 vulnerability is not exactly easy as it requires high-level privileges that can be obtained by an insider, or from an insider using various means. Yet, the potential advantages a near-total access can bring look very motivating.
On paper, the fix seems pretty straightforward: fix the GRUB2 vulnerability; update installers/bootloaders/shims of Linux distributions; signs new shims by the Microsoft 3rd Party UEFI CA; update operating systems. Meanwhile, given the difficulty of ecosystem-wide update/revocation, fixing the vulnerability for all systems and organizations on the planet will take quite some time, years, to be exact.
“Full mitigation of this issue will require coordinated efforts from a variety of entities: affected open-source projects, Microsoft, and the owners of affected systems, among others,” a statement from Eclypsium said. “However, full deployment of this revocation process will likely be very slow.”