23 August 2020
CVE-2020-10173 (aka BootHole(1)) got much attention in the media in the past weeks because this flaw in GRUB 2 may be used to tamper the boot process. But the worst is yet to come. “This flaw also allows the bypass of Secure Boot protections.”(2)
From the description in the NIST NVD we learn: “In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining [a] physical access, [b] obtain the ability to alter a pxe-boot network, or have [c] remote access to a networked system with root access.”(2)
Options [b] and [c] do not really matter. Once an attacker gets the opportunity to modify the network boot capabilities of your system, or has root access to your system, the game is over. In this case, exploiting BootHole is rather counterproductive because the probability of detection goes up.
But BootHole becomes a serious issue if an attacker gets physical access (option [a]) to an unpatched system. These so-called Evil Maid attacks work even on secured Linux systems because the EFI (FAT) partition is easy to modify after the computer is booted from a Linux Live System.
In the case, you followed the industry best practices and secured the BIOS of your computer with a password, the attacker must extract the hard disk and run the change on another system. This is not uncommon when it comes to espionage, terrorism, or sabotage.
But the group of persons in focus of such activities is already vulnerable against Evil Maid attacks. So, the additional risk that stems from BootHole is neglectable. No need to panic!
Nevertheless, install the patch as soon as possible. And secure the BIOS of your computer with a password.
But the best advice is: Don’t leave your devices unattended. Even the hotel safe is no safe place.
My preferred solution to Evil Maid attacks, the lightweight version, is Fedora Linux on a micro SD-Card.
Have a great week.
- Eclypsium. There’s a Hole in the Boot [Internet]. Eclypsium. 2020 [cited 2020 Aug 18]. Available from: https://eclypsium.com/wp-content/uploads/2020/08/Theres-a-Hole-in-the-Boot.pdf
- NIST Information Technology Laboratory. NVD – CVE-2020-10713 [Internet]. NATIONAL VULNERABILITY DATABASE. 2020 [cited 2020 Aug 23]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2020-10713