Security company Eclypsium has found a flaw, dubbed BootHole, in the GRUB2 bootloader used by almost every Linux distribution. It lets malware bypass UEFI Secure Boot and take control of a machine before the operating system loads, and it also affects computers that run Windows.
A flaw disclosed by researchers at the security company Eclypsium threatens to bring bootkits back in force. The threat, called BootHole, lets malware embed itself in a computer and load before the operating system even starts. Such a bootkit gains full control of the machine and is far harder to detect than ordinary malware, because the security software that would catch it has not yet been loaded. The flaw (CVE-2020-10713) lies in GRUB2, the bootloader shipped with almost every Linux distribution, but computers running Windows are also exposed.
When the computer powers on, the motherboard firmware (UEFI on most recent machines) loads the bootloader, which in turn starts the operating system. UEFI includes Secure Boot, which verifies the digital signature of the bootloader before running it, so that only code signed by a trusted party executes. On most PCs the trusted signers include the Microsoft UEFI certificate authority, which is why Microsoft-signed boot components are accepted on almost every machine, not only those running Windows.
The flaw is reached through an unverified configuration file
GRUB2 reads its settings from a separate file, grub.cfg, which Secure Boot does not verify: only the GRUB2 binary is signed, not its configuration. BootHole is a buffer overflow in the code that parses this file. An attacker who can write to grub.cfg on the EFI System Partition can craft it to overflow a buffer in the parser and run arbitrary code inside the bootloader, before any operating system protection exists. Updating GRUB2 alone does not close the hole: every previously released vulnerable build is still validly signed and therefore still accepted by Secure Boot, so an attacker can simply replace the patched bootloader with an old vulnerable one. Nor does the threat stop at Linux. A Windows machine that has never run GRUB2 still trusts the Microsoft-signed components that load it, so an attacker can install a signed GRUB2 and a malicious grub.cfg on the boot partition without the user's knowledge, and Secure Boot will accept them.
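The following is an added illustration of the bug class, not GRUB2's code. It models a config-file lexer that copies a token into a fixed-size buffer, in two variants: one where an oversize token is merely reported and the copy continues (the pattern Eclypsium described, where the parser's "fatal" error handler did not actually abort), and a hardened one that rejects the configuration outright. The buffer size (TOKEN_MAX), the adjacent "verify" flag, the memory layout and the grub.cfg line are all constructed for the example; the overrun is deliberately kept inside one flat array so the demonstration remains well-defined C.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX   16                  /* assumed size of the lexer's token buffer */
#define FLAG_OFFSET TOKEN_MAX           /* a value that happens to sit right after it */
#define MEM_SIZE    (TOKEN_MAX + 4)

/* Model of the lexer's memory: the token buffer, then a 32-bit value the
 * boot path consults later (1 = "verify the kernel signature"). A single
 * flat array, so the overrun below is ordinary, well-defined indexing. */
struct lexer_state {
    unsigned char mem[MEM_SIZE];
};

static void lexer_init(struct lexer_state *st) {
    uint32_t verify = 1;
    memset(st->mem, 0, sizeof st->mem);
    memcpy(st->mem + FLAG_OFFSET, &verify, sizeof verify);
}

/* The value the loader trusts after parsing the configuration. */
uint32_t lexer_verify_flag(const struct lexer_state *st) {
    uint32_t v;
    memcpy(&v, st->mem + FLAG_OFFSET, sizeof v);
    return v;
}

/* Length of the first whitespace-delimited token in a config line. */
static size_t token_len(const char *line) {
    size_t n = 0;
    while (line[n] != '\0' && line[n] != ' ' && line[n] != '\n') n++;
    return n;
}

/* Vulnerable pattern: the oversize condition is noticed but treated as a
 * recoverable warning, so the copy proceeds and runs past the buffer into
 * the flag. (Clamped to MEM_SIZE only to keep this model defined; real
 * firmware memory has no such fence.) Returns the number of bytes copied. */
size_t lex_token_vulnerable(struct lexer_state *st, const char *line) {
    size_t n = token_len(line);
    if (n > TOKEN_MAX)
        fprintf(stderr, "warning: token too long, continuing\n");   /* the bug */
    if (n > MEM_SIZE) n = MEM_SIZE;
    memcpy(st->mem, line, n);
    return n;
}

/* Hardened pattern: an oversize token is a hard parse failure. Nothing is
 * copied and the caller must refuse to load this configuration. */
int lex_token_fixed(struct lexer_state *st, const char *line) {
    size_t n = token_len(line);
    if (n > TOKEN_MAX) {
        fprintf(stderr, "error: token exceeds %d bytes, rejecting config\n", TOKEN_MAX);
        return -1;
    }
    memcpy(st->mem, line, n);
    return (int)n;
}

/* Constructed grub.cfg fragment: a 20-byte token where 16 is the limit.
 * The four trailing 'B's land exactly on the verify flag. */
static const char EVIL_LINE[] = "AAAAAAAAAAAAAAAABBBB set root=(hd0,1)";

/* Run the constructed line through each lexer and report the flag's fate. */
uint32_t demo_vulnerable_flag(void) {
    struct lexer_state st;
    lexer_init(&st);
    lex_token_vulnerable(&st, EVIL_LINE);
    return lexer_verify_flag(&st);          /* 0x42424242: attacker-controlled */
}

int demo_fixed_rc(void) {
    struct lexer_state st;
    lexer_init(&st);
    return lex_token_fixed(&st, EVIL_LINE); /* -1: configuration rejected */
}

uint32_t demo_fixed_flag(void) {
    struct lexer_state st;
    lexer_init(&st);
    lex_token_fixed(&st, EVIL_LINE);
    return lexer_verify_flag(&st);          /* still 1 */
}

int main(void) {
    printf("vulnerable lexer: verify flag = 0x%08x\n", demo_vulnerable_flag());
    printf("fixed lexer: rc=%d, verify flag = 0x%08x\n", demo_fixed_rc(), demo_fixed_flag());
    return 0;
}
```

The point of the model is the control flow, not the exact bytes: once a parser keeps going after detecting an overlong token, whatever lives next to the buffer becomes attacker data, and in a bootloader that can be a pointer or a decision such as whether to verify the kernel. The signature check on the GRUB2 binary does nothing to prevent this, because the attacker only edits the unsigned grub.cfg.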
Could Microsoft not simply revoke the vulnerable versions? Not directly. Because of licensing concerns around GRUB2's GPLv3 code, Microsoft does not sign GRUB2 itself; most distributions instead ship a small first-stage loader, the shim, that runs before it. It is the shim that carries the Microsoft signature, and the shim in turn verifies GRUB2 against the distribution's own key. Revoking the vulnerable GRUB2 builds therefore means revoking the shims that accept them, and each vendor must rebuild its shim and have Microsoft sign the new one. The revocations themselves are delivered through the firmware's forbidden-signature database (dbx).
A flaw that can only be exploited on an already compromised machine
The good news is that BootHole does not expose machines to direct attack from the Internet. Writing to the bootloader or its configuration on the EFI System Partition requires administrator (root) privileges, or physical access to the disk. The computer must therefore already be compromised by other malware, which then installs GRUB2 or simply edits grub.cfg so that its payload runs beneath the operating system on every boot.
Full remediation will nonetheless take time, because several parties are involved. A fixed GRUB2 must be released and installed, the vendors' shims must be rebuilt and signed by Microsoft, and the old, vulnerable builds must be revoked by adding them to the firmware's dbx; without that last step the fix can simply be rolled back.
Operating systems must ship these updates, and in some cases firmware updates for affected motherboards will be needed as well. Updating a bootloader or the dbx is not risk-free: a single mistake, such as revoking a loader the machine still boots from, leaves the computer unable to start. In the meantime, keeping antivirus software up to date matters more than ever, since the malware that exploits BootHole must first gain administrator access by ordinary means.
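The revocation step the article describes is carried out by the UEFI forbidden-signature database (dbx): a sequence of EFI_SIGNATURE_LIST structures, each tagged with a type GUID, whose SHA-256 entries are hashes of boot images the firmware must refuse even though their signatures are valid. The example below is added here and is not code from the article, from Eclypsium or from GRUB2. It parses that structure and answers "is this image hash revoked?", with a hand-built dbx blob standing in for the real variable; the two revoked hashes, the nil owner GUID and the lookups are constructed for the example. The GUID and layout are those of the UEFI specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_LEN    16
#define SHA256_LEN  32
#define SIGLIST_HDR 28   /* SignatureType GUID + SignatureListSize + SignatureHeaderSize + SignatureSize */

/* EFI_CERT_SHA256_GUID {c1c41626-504c-4092-aca9-41f936934328} as UEFI stores it
 * (first three fields little-endian). Lists of this type hold revoked image hashes. */
static const uint8_t EFI_CERT_SHA256_GUID[GUID_LEN] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the EFI_SIGNATURE_LISTs in a dbx blob. Returns 1 if `hash` is revoked,
 * 0 if it is not listed, -1 if the blob is malformed. Lists of other types
 * (for example revoked X.509 certificates) are skipped, not parsed. */
int dbx_contains_sha256(const uint8_t *dbx, size_t len, const uint8_t hash[SHA256_LEN]) {
    size_t off = 0;
    while (off < len) {
        if (len - off < SIGLIST_HDR) return -1;
        const uint8_t *list = dbx + off;
        uint32_t list_size = rd32(list + 16);
        uint32_t hdr_size  = rd32(list + 20);
        uint32_t sig_size  = rd32(list + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (memcmp(list, EFI_CERT_SHA256_GUID, GUID_LEN) == 0) {
            /* Each entry is a 16-byte SignatureOwner GUID followed by the 32-byte hash. */
            if (sig_size != GUID_LEN + SHA256_LEN) return -1;
            size_t pos = SIGLIST_HDR + (size_t)hdr_size;
            if (pos > list_size) return -1;
            for (; pos + sig_size <= list_size; pos += sig_size)
                if (memcmp(list + pos + GUID_LEN, hash, SHA256_LEN) == 0) return 1;
        }
        off += list_size;
    }
    return 0;
}

/* Constructed dbx: one SHA-256 list holding two revoked hashes (all 0xa0 and
 * all 0xa1). Returns the blob length; `out` must hold at least 124 bytes. */
size_t build_sample_dbx(uint8_t *out) {
    const uint32_t count = 2, sig_size = GUID_LEN + SHA256_LEN;
    uint8_t *p = out;
    memcpy(p, EFI_CERT_SHA256_GUID, GUID_LEN);   p += GUID_LEN;
    wr32(p, SIGLIST_HDR + count * sig_size);     p += 4;   /* SignatureListSize = 124 */
    wr32(p, 0);                                  p += 4;   /* SignatureHeaderSize */
    wr32(p, sig_size);                           p += 4;   /* SignatureSize = 48 */
    for (uint32_t i = 0; i < count; i++) {
        memset(p, 0, GUID_LEN);                  p += GUID_LEN;    /* SignatureOwner: nil GUID here */
        memset(p, 0xa0 + (int)i, SHA256_LEN);    p += SHA256_LEN;  /* revoked hash, constructed */
    }
    return (size_t)(p - out);
}

/* Look up one hash in the constructed dbx; `fill` stands in for an image hash. */
static int lookup(uint8_t fill) {
    uint8_t dbx[128], hash[SHA256_LEN];
    size_t n = build_sample_dbx(dbx);
    memset(hash, fill, sizeof hash);
    return dbx_contains_sha256(dbx, n, hash);
}

int demo_revoked(void)   { return lookup(0xa1); }   /* listed -> 1: firmware refuses to boot it */
int demo_allowed(void)   { return lookup(0x55); }   /* not listed -> 0 */
int demo_truncated(void) {                          /* 10-byte blob -> -1 */
    uint8_t junk[10] = {0}, hash[SHA256_LEN] = {0};
    return dbx_contains_sha256(junk, sizeof junk, hash);
}

int main(void) {
    printf("revoked hash: %d, clean hash: %d, truncated blob: %d\n",
           demo_revoked(), demo_allowed(), demo_truncated());
    return 0;
}
```

Two caveats for anyone pointing this at a real system. The dbx entries are Authenticode hashes of the PE image, not a plain SHA-256 of the file on disk, so a hash must be computed the way the firmware does before it is looked up. And on Linux the live variable is exposed at /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f with a 4-byte attributes prefix in front of the data shown here; `efi-readvar -v dbx` from efitools prints the same content already decoded.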