SUSE addresses another grub2 UEFI secure boot security exposure
Various security researchers and the grub2 team have published more security issues in grub2 today, which can be used to bypass the UEFI secure boot chain.
These security issues have the same scope as the BootHole issues from 2020. The attack requires root access in order to modify GRUB2, the bootloader used by Linux operating systems. It bypasses the normal Secure Boot protections to persistently install malicious code which cannot be detected by the operating system.
Given the need for root access to the bootloader, the described attack appears to have limited relevance for most cloud computing, data center and personal device scenarios, unless these systems are already compromised by another known attack. However, it does create an exposure when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended kiosk mode. These are scenarios which Secure Boot was intended to protect against.
SUSE has released fixed grub2 packages which close the vulnerabilities for all SUSE Linux products, and is releasing corresponding Linux kernel packages, cloud image and installation media updates. Please follow the normal update procedure to install them. Should you be unsure about your company’s procedure, please consult your local system administrator.
To ensure that sophisticated attackers cannot reinstall old versions of grub2, software and hardware vendors are working together. Over time, vendors are going to update the cryptographic keys in the BIOS of new computers, as well as provide so-called DBX Exclusion List updates for existing computers. These can prevent unpatched systems and old installation media from starting. Please make sure you have installed all relevant bootloader and operating system updates for BootHole before installing a BIOS or DBX Exclusion List update, so that the system continues to boot.
- SUSE TID 000019892
- SUSE CVE-2020-25632
- SUSE CVE-2020-25647
- SUSE CVE-2020-27749
- SUSE CVE-2020-27779
- SUSE CVE-2020-14372
- SUSE CVE-2021-20225
- SUSE CVE-2021-20233
If you have any questions or concerns, please reach out to your SUSE contact. Security and reliability continue to be top priorities for SUSE because they are top priorities for our customers and partners. And as always, customers and partners come first.