Security researchers from Eclypsium have published an attack called BootHole today. The attack targets GRUB2, the bootloader used by Linux operating systems, and requires root access to the system in order to modify it. It bypasses the normal Secure Boot protections to persistently install malicious code in the boot chain, which the operating system cannot detect once it has started.
Given the need for root access, the described attack appears to have limited relevance for most cloud computing, data center and personal device scenarios, unless these systems have already been compromised by another known attack. However, it does create an exposure wherever untrusted users can access a machine, e.g. bad actors in classified computing scenarios, or computers in public spaces operating in unattended kiosk mode. These are precisely the scenarios Secure Boot was intended to protect against.
SUSE has released fixed grub2 packages which close the BootHole vulnerability for all SUSE Linux products, and is releasing corresponding Linux kernel packages, cloud image and installation media updates. Please follow the normal update procedure to install them. Should you be unsure about your company’s procedure, please consult your local system administrator.
To ensure that sophisticated attackers cannot simply reinstall old, vulnerable versions of grub2, software and hardware vendors are working together. Over time, vendors are going to update the cryptographic keys in the BIOS (UEFI firmware) of new computers, and to provide so-called DBX Exclusion List updates (additions to the UEFI forbidden-signature database, dbx) for existing computers. Once applied, these revocations prevent unpatched systems and old installation media from starting. Please make sure you have installed all relevant bootloader and operating system updates for BootHole before installing a BIOS or DBX Exclusion List update, otherwise the system may no longer boot.
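The ordering requirement above (bootloader and OS updates first, dbx revocation second) is the kind of thing worth checking mechanically before a fleet-wide dbx rollout. The following pre-flight script is an added example written for this post; it is not SUSE tooling and the SUSE TID does not contain it. It reads the Secure Boot state from efivarfs, queries the installed `grub2` and `shim` package versions with `rpm`, and compares them against the minimum fixed versions you take from the SUSE TID for your product. The package list, the version-comparison routine (a simplified `rpmvercmp`, epoch ignored) and the `MINIMUM_VERSIONS` placeholders are all assumptions of this example, not values from the page.

```python
"""Pre-flight check before applying a UEFI dbx (forbidden-signature) update.

Added example, not SUSE tooling. Fill MINIMUM_VERSIONS from the SUSE TID for
your product before use; the values below are placeholders.
"""
import re
import subprocess
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID: efivarfs exposes the SecureBoot variable under this name.
SECUREBOOT_EFIVAR = Path(
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)

# ASSUMPTION: packages to check and their minimum fixed "VERSION-RELEASE" strings.
# PLACEHOLDER values; take the real ones from the SUSE TID for your product.
MINIMUM_VERSIONS = {
    "grub2": "<fixed grub2 VERSION-RELEASE from SUSE TID>",
    "shim": "<fixed shim VERSION-RELEASE from SUSE TID>",
}


def parse_secure_boot(raw: bytes) -> bool:
    """efivarfs files start with a 4-byte attribute word, then the variable data.
    SecureBoot is a single byte: 1 = enforcing, 0 = disabled."""
    return len(raw) >= 5 and raw[4] == 1


def _segments(version: str):
    # Split into numeric runs, alphabetic runs and the '~' pre-release marker.
    return re.findall(r"\d+|[A-Za-z]+|~", version)


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (no epoch handling): -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments compare numerically, alpha segments lexically, numeric beats
    alpha, and '~' sorts before anything else (pre-release)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # One string has trailing segments: a trailing '~' makes it older, anything else newer.
    a_longer = len(sa) > len(sb)
    longer = sa if a_longer else sb
    next_seg_is_tilde = longer[min(len(sa), len(sb))] == "~"
    if next_seg_is_tilde:
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def preflight(installed: dict, minimums: dict, secure_boot_enabled: bool) -> dict:
    """Decide whether a dbx update is safe to apply on this host.

    installed: {pkg: "VERSION-RELEASE" or None if not installed}
    Returns {"ok": bool, "problems": [...], "secure_boot": bool}."""
    problems = []
    for pkg, minimum in minimums.items():
        have = installed.get(pkg)
        if have is None:
            problems.append(f"{pkg}: not installed (cannot verify BootHole fix)")
        elif rpm_vercmp(have, minimum) < 0:
            problems.append(f"{pkg}: installed {have} is older than fixed {minimum}")
    return {"ok": not problems, "problems": problems, "secure_boot": secure_boot_enabled}


def installed_versions(packages) -> dict:
    """Query rpm for VERSION-RELEASE of each package; None when not installed."""
    result = {}
    for pkg in packages:
        proc = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", pkg],
            capture_output=True, text=True,
        )
        result[pkg] = proc.stdout.strip() if proc.returncode == 0 else None
    return result


if __name__ == "__main__":
    sb = SECUREBOOT_EFIVAR.is_file() and parse_secure_boot(SECUREBOOT_EFIVAR.read_bytes())
    report = preflight(installed_versions(MINIMUM_VERSIONS), MINIMUM_VERSIONS, sb)
    print("Secure Boot enforcing:", report["secure_boot"])
    for line in report["problems"]:
        print("BLOCKER:", line)
    print("dbx update safe to apply" if report["ok"] else "do NOT apply the dbx update yet")
```

Run it as root on each host before pushing the dbx update; a non-empty problem list means the revocation would leave that host unbootable. The Secure Boot flag is reported rather than enforced because a dbx update on a system with Secure Boot disabled is harmless, it simply adds no protection until Secure Boot is turned on.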
- The SUSE TID
- Research paper “There is a hole in the boot” from Eclypsium
- Microsoft ADV200011 Guidance for Addressing Security Feature Bypass in GRUB