BootHole vulnerability puts Windows, Linux systems at risk

Researchers from enterprise device security company Eclypsium have uncovered a vulnerability dubbed “BootHole” in the GRUB2 bootloader employed by most Linux systems.

BootHole can be exploited to gain arbitrary code execution during the boot process, before the operating system loads. An attacker who achieves this can install persistent, stealthy bootkits or malicious bootloaders that give them almost total control over the target device.

The vulnerability affects systems using Secure Boot even when they do not themselves boot with GRUB2, because the firmware will still trust a signed, vulnerable GRUB2 image if an attacker with sufficient privileges places one in the boot path. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected.

Moreover, GRUB2 is also used to boot other operating systems, kernels and hypervisors, including the popular Xen hypervisor, so those deployments are exposed as well.

All Windows devices that use Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority are also affected, meaning the majority of laptops, desktops, servers and workstations are vulnerable, as are network appliances and other special-purpose equipment used in industrial, healthcare, financial and other industries.

According to Eclypsium, the boot process is one of the most fundamentally important aspects of security for any device. “It relies on a variety of firmware that controls how a device’s various components and peripherals are initialised and ultimately coordinates the loading of the operating system itself. In general, the earlier code is loaded, the more privileged it is.” If this process is compromised, researchers said malefactors would be able to control how the operating system is loaded and subvert all higher-layer security controls.

Recent research has found ransomware in the wild that employs malicious EFI bootloaders as a way to hijack control of machines at the time of boot. In the past, threat actors have used malware that tampers with legacy OS bootloaders, including Petya/NotPetya, APT41 Rockboot, LockBit, FIN1 Nemesis, MBR-ONI, and Rovnix.

Eclypsium co-ordinated the disclosure of this vulnerability responsibly, in conjunction with a variety of industry entities, including OS vendors, computer manufacturers, and CERTs.

In order to mitigate this threat, patched bootloaders will need to be signed and deployed, and the vulnerable, already-signed bootloaders revoked so that threat actors cannot simply drop an older version back in place. On UEFI systems that revocation happens through the firmware's forbidden-signature database (dbx); the dbx update must be applied only after a patched bootloader is installed, or the machine will refuse to boot its own current loader.

More than likely this will be a long process, and it will take a considerable amount of time for organisations to complete patching, the company concludes.
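The revocation step above is easier to reason about with the data structure in hand. The following is an added example, not code from the article or from Eclypsium: it parses the UEFI dbx variable, which is a sequence of EFI_SIGNATURE_LIST structures, and checks whether a given image hash has been revoked. The signature-type GUIDs and the efivars path are from the UEFI specification and Linux; the sample dbx content, the owner GUID and the "bootloader" byte strings are constructed placeholders. Note that real dbx entries for PE images are Authenticode hashes of the image (the PE checksum and certificate table are excluded), not a plain SHA-256 of the file; this example hashes raw placeholder bytes only to show the lookup.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Linux exposes dbx here; the first 4 bytes of the file are the variable attributes.
DBX_EFIVAR_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

SIGLIST_HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures.

    Returns a list of (signature_type, owner, signature_data) tuples. Each
    EFI_SIGNATURE_DATA entry is SignatureOwner (16 bytes) followed by the
    payload; the payload length is SignatureSize - 16 and varies per list
    (32 bytes for SHA-256 entries, a whole DER certificate for X.509 lists).
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        body = blob[off + SIGLIST_HEADER_LEN + hdr_size: off + list_size]
        if len(body) % sig_size != 0:
            raise ValueError("signature body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Serialise one EFI_SIGNATURE_LIST; used only to construct sample dbx data."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = sig_type.bytes_le + struct.pack("<III", SIGLIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def revoked_sha256_hashes(dbx_blob):
    """Collect every SHA-256 image hash the firmware will refuse to load."""
    return {data for sig_type, _, data in parse_signature_lists(dbx_blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(image_hash, dbx_blob):
    return image_hash in revoked_sha256_hashes(dbx_blob)


def load_dbx_from_efivars(path=DBX_EFIVAR_PATH):
    """Read the live dbx on a Linux UEFI host, stripping the attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


# --- Constructed sample data (placeholders, not real bootloader images) ---
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder SignatureOwner
OLD_BOOTLOADER = b"constructed placeholder for a vulnerable signed GRUB2 image"
NEW_BOOTLOADER = b"constructed placeholder for a patched signed GRUB2 image"
OLD_HASH = hashlib.sha256(OLD_BOOTLOADER).digest()
NEW_HASH = hashlib.sha256(NEW_BOOTLOADER).digest()

SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER,
                         [OLD_HASH, hashlib.sha256(b"another revoked image").digest()])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER,
                           [b"\x30\x82placeholder DER certificate bytes"])
)

if __name__ == "__main__":
    for name, h in (("old", OLD_HASH), ("new", NEW_HASH)):
        print(f"{name} bootloader revoked: {is_revoked(h, SAMPLE_DBX)}")
```

Against a real host, replace SAMPLE_DBX with load_dbx_from_efivars() and feed it the Authenticode hash of the installed shim or GRUB2 image; a vulnerable loader that is still not listed tells you the dbx update has not yet landed on that machine.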
