Monthly Archives: August 2020

The Boothole Vulnerability – Need to Panic?

23 August 2020

CVE-2020-10713 (aka BootHole(1)) got much attention in the media in the past weeks because this flaw in GRUB 2 can be used to tamper with the boot process. But the worst is yet to come: “This flaw also allows the bypass of Secure Boot protections.”(2)

From the description in the NIST NVD we learn: “In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining [a] physical access, [b] obtain the ability to alter a pxe-boot network, or have [c] remote access to a networked system with root access.”(2)

Options [b] and [c] do not really matter. Once an attacker is able to modify the network boot configuration of your system, or has root access to it, the game is already over. Exploiting BootHole at that point is rather counterproductive, because it raises the probability of detection.

Fedora 32 EFI Partition

But BootHole becomes a serious issue if an attacker gets physical access (option [a]) to an unpatched system. These so-called Evil Maid attacks work even on well-secured Linux systems, because the EFI (FAT) partition is easy to modify once the computer has been booted from a Linux live system.

If you followed industry best practices and secured the BIOS of your computer with a password, the attacker must remove the hard disk and make the change on another system. This is not uncommon when it comes to espionage, terrorism, or sabotage.

But the group of persons targeted by such activities is already vulnerable to Evil Maid attacks. So the additional risk that stems from BootHole is negligible. No need to panic!

Nevertheless, install the patch as soon as possible. And secure the BIOS of your computer with a password.
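Because the EFI partition is an unencrypted FAT filesystem, one practical way to notice an Evil Maid modification is to record a hash baseline of its files right after patching and compare it on every boot. The following script is an added example, not code from the post; the mount point, the baseline path and the sample file tree in `demo()` are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed locations: the mounted EFI system partition and a baseline kept on
# the (ideally encrypted) root filesystem, never on the FAT partition itself.
EFI_MOUNT = Path("/boot/efi")
BASELINE_FILE = Path("/var/lib/efi-baseline.json")


def hash_tree(root: Path) -> dict:
    """Map each file under root (as a relative path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(root: Path, out: Path) -> None:
    out.write_text(json.dumps(hash_tree(root), indent=1))


def check(root: Path, baseline_path: Path) -> dict:
    return compare(json.loads(baseline_path.read_text()), hash_tree(root))


def demo() -> dict:
    """Constructed sample: a fake ESP where grub.cfg is edited and a new binary is dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        esp, baseline = Path(tmp) / "esp", Path(tmp) / "baseline.json"
        (esp / "EFI/fedora").mkdir(parents=True)
        (esp / "EFI/fedora/grubx64.efi").write_bytes(b"original loader")
        (esp / "EFI/fedora/grub.cfg").write_text("set timeout=5\n")
        save_baseline(esp, baseline)          # baseline taken on the trusted system
        (esp / "EFI/fedora/grub.cfg").write_text("set timeout=5\nset default=1\n")
        (esp / "EFI/fedora/extra.efi").write_bytes(b"unexpected binary")
        return check(esp, baseline)           # what a later boot-time check would report


if __name__ == "__main__":
    import sys
    if sys.argv[1:] == ["init"]:
        save_baseline(EFI_MOUNT, BASELINE_FILE)
    else:
        print(json.dumps(check(EFI_MOUNT, BASELINE_FILE), indent=1))
```

Run it once with `init` after applying the GRUB patch, then from a boot-time unit; any non-empty list in the output is a reason to investigate before trusting the machine.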

Dell Vostro Laptop with Fedora 32/EFI

But the best advice is: Don’t leave your devices unattended. Even the hotel safe is no safe place.

My preferred solution to Evil Maid attacks, the lightweight version, is Fedora Linux on a micro SD-Card.

Have a great week.


References

  1. Eclypsium. There’s a Hole in the Boot [Internet]. Eclypsium. 2020 [cited 2020 Aug 18]. Available from: https://eclypsium.com/wp-content/uploads/2020/08/Theres-a-Hole-in-the-Boot.pdf
  2. NIST Information Technology Laboratory. NVD – CVE-2020-10713 [Internet]. NATIONAL VULNERABILITY DATABASE. 2020 [cited 2020 Aug 23]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2020-10713

CIS Password Policy Guide – A Quantum Leap in User Experience and Security

8 August 2020

The Password Policy Guide(1) published by the Center for Internet Security (CIS) on 29 July 2020 drowned in the omnipresent noise of vulnerabilities and data breaches.

Wrongly so, because the CIS guide puts an end to the widely accepted practice of complex passwords, i.e. passwords that are easy to crack but hard to remember.

The guide recommends:

  • The use of passphrases because users will select longer, more-secure passwords.
  • Event-based password expiration with an annual change as a backstop.
  • And the use of password managers.

Especially for password managers, the guide recommends:

“Use of these should be actively encouraged for use with password-only authentication systems (especially if the user needs to manage access to multiple of these systems)”

And, where “feasible, using MFA instead of just a master password to gain access to the Password Manager is preferred”.

YubiKey for MFA and KeePassXC

For some months now I have mainly been working on a Linux desktop. Unfortunately, I often have to switch to Windows because of Word and PowerPoint. So I use KeePassXC, which allows easy switching between the operating systems.

My cloud account is secured with a YubiKey, and so is my KeePassXC database. This works fine on both Windows and Linux.

To boost user experience and password security, please give the CIS Password Policy Guide the attention it deserves.

Have a great weekend.


References

  1. White Paper: CIS Password Policy Guide [Internet]. Center for Internet Security. 2020 [cited 2020 Aug 8]. Available from: https://www.cisecurity.org/white-papers/cis-password-policy-guide/