In April 2020, security researchers at Eclypsium discovered a buffer overflow vulnerability in the Linux bootloader GRUB2 that it calls BootHole. CVE-2020-10713 has a high CVSS score of 8.2 and is centered around bypassing UEFI, the technology all modern computers use to boot an operating system. This could allow an unauthenticated attacker to gain persistence on a system at a very low level. The vulnerability was responsibly disclosed and details released in late July in conjunction with fixes.
Although the vulnerability directly affects and exists in GRUB2, the standard bootloader for Linux, this vulnerability can be used to infect Windows systems. Furthermore, full mitigation will be difficult because it will require both a software update from the operating system vendor and a firmware upgrade from the hardware vendor.
The successful exploitation of CVE-2020-10713 results in arbitrary code execution during the boot process. This allows an attacker to bypass the protections in UEFI to ensure that only trusted code executes during the boot process, when the system has no other defenses available.
In order to exploit BootHole, the attacker needs to be on the system and be capable of installing a bootkit or a malicious bootloader in order to give them access to the device, which is part of the reason for the low CVSS score. However, an attacker in position to exploit BootHole could use it to establish persistence that will be extremely difficult to detect and eradicate.
BootHole is most convenient to exploit on Linux systems, but since GRUB2 is capable of booting Windows, an attacker could still use BootHole to establish persistence on a Windows system by overwriting the bootloader and replacing it with a vulnerable version of GRUB along with a desired payload.
Full mitigation of BootHole requires new bootloaders to be signed and deployed, and vulnerable bootloaders will need to be revoked in the system firmware to prevent adversaries from using the older, vulnerable versions in an attack. This makes this vulnerability more difficult to eradicate than the usual vulnerability that simply requires applying a patch.
- Qualys has released a total of 12 QIDs to detect this vulnerability. The QIDs are 173771, 173770, 173769, 173768, 197967, 177969, 177966, 256935, 256934, 158696, 158695, and 158694.
- Tenable has released a total of 23 plugins to detect this vulnerability. You can find the specific plugin IDs at https://www.tenable.com/plugins/search?q=%22CVE-2020-10713%22.
Due to the complexity of this vulnerability you can expect these detections to evolve in the coming weeks, and there is potential for additional detections to emerge over time.
Deepwatch will continue to monitor the BootHole vulnerability and integrate detections into its respective customer offerings as further detection capabilities become available. Please contact your squad lead if you have further questions.
On Linux systems, at time of writing the only way to manage the risk is to implement the patch for GRUB2 that has been provided by the Linux vendor in question. All of the major Linux distributors have released updates to address the issue. The initial patches were problematic, so test in a lab environment before deploying enterprise-wide.
Microsoft will be updating Windows in a future Windows update to revoke older vulnerable bootloaders to protect Windows from this attack. Microsoft did not release an out-of-band update for BootHole.
Complete mitigation will also require a firmware update from your hardware vendor to update the UEFI code used to check for valid bootloaders.
After updating systems it will be necessary to take new images for disaster recovery purposes, to ensure any systems rebuilt during a disaster recovery process remain bootable.