BootHole Shows Need for Greater Scrutiny

The recent BootHole and related vulnerabilities raise the question of whether software used for critical security functions should receive special scrutiny. When a security mechanism fails, the ramifications are considerable, especially when that mechanism is widely deployed. Heartbleed, a critical vulnerability found in the OpenSSL library, is one example; BootHole is the most recent.

The BootHole vulnerability was discovered by Eclypsium in April 2020 but was not disclosed until July 28. It took nearly four months to remediate because many stakeholders were involved. The Eclypsium researchers found a buffer overflow in GRUB2 (GRand Unified Bootloader version 2), which is the default bootloader in most Linux OS distributions. Gaining control of a bootloader is an ultimate prize for attackers (and their malware) because it provides persistent access to a device.

“BootHole is especially dangerous because it allows for the bypassing of Secure Boot, which is designed to ensure the integrity of the boot process by controlling which software can boot on a device through signature validation,” said John Loucaides, vice president of R&D at Eclypsium. When weaponized, this vulnerability affords attackers complete control of the operating system, allowing them to load executables and drivers and bypass security measures such as anti-virus software.

Mitigating the BootHole vulnerability required coordination among many parties, including Linux distribution vendors, open source maintainers and hardware OEMs. This large community updated bootloaders, installers and shims. Additionally, the components had to be signed by Microsoft, which is the designated certificate signer. The nature of the vulnerability does not allow for a single patch; rather, fully mitigating BootHole requires multiple steps that must be completed in a specific order. A National Security Agency Cybersecurity Advisory warned that “[f]ailure to ensure each step is completed before proceeding to the next step may result in an endpoint no longer being able to boot while Secure Boot is enabled.”

The interface between an operating system and platform firmware is standardized in the Unified Extensible Firmware Interface (UEFI) specification, and this boundary is of keen interest to attackers. BootHole is a vulnerability; in summer 2018, however, ESET researchers identified a rootkit attacking the UEFI boot process in the wild. Such rootkits had previously been discussed only in theory, but LoJax, the name given to the malware, was an actual cyberattack. Ironically, this discovery spurred Microsoft and its hardware partners to improve on Secure Boot. The result is the “secured-core” PC, which combines virtualization, operating system, hardware and firmware safeguards to protect systems against rootkits and firmware-based attacks.

Security Software Requires Additional Scrutiny

The lesson from Heartbleed, LoJax and BootHole is that software security features fall victim to coding errors just as all software does. “One line of code was all that was required to negate Secure Boot,” noted Eclypsium’s Loucaides.

Following Eclypsium’s initial report uncovering the BootHole GRUB2 buffer overflow vulnerability, many industry contributors, including those at Microsoft, Canonical and Debian, conducted deep examinations of GRUB2 security and discovered eight additional GRUB2 vulnerabilities (CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707, CVE-2020-7205) and two Linux kernel flaws (CVE-2019-20908, CVE-2020-15780). Those new bugs were of medium severity, while BootHole was of high severity. The discovery of additional defects illustrates that when you closely scrutinize software, you will find more errors.

The situation was summed up well by Maxwell Dulin, a security engineer at Security Innovation: “It is extremely difficult to build secure firmware and software. Code that has a major impact on the security of the system needs to be under the eyes of many investigators and researchers in order to be confident in the security of the product. Otherwise, there is a high likelihood that a huge hole exists that can allow malicious parties to compromise the system.”

Security features can be made more robust if additional effort is devoted to them. All versions of GRUB2, apart from one, were vulnerable if they loaded commands from an external grub.cfg configuration file. The sole exception was a bootable tool whose vendor had incorporated custom code for signature verification.
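The point of that exception is worth making concrete: a bootloader's configuration file is untrusted input, and the parser that consumes it is exactly where BootHole lived. The example below is added here for illustration and is not GRUB2's code, Eclypsium's code, or that vendor's custom verification. It models the two defenses a practitioner would want from a config loader: verify a detached signature over the whole file before parsing a single byte of it, and bound every parsed token so an oversized value is rejected instead of being copied into a fixed-size buffer. Everything in it is constructed: HMAC-SHA256 with a shared key stands in for the detached GPG signature that GRUB2 can check when `check_signatures=enforce` is set, `MAX_TOKEN` stands in for a parser buffer, and the sample grub.cfg text and key are made up.

```python
"""Verify-then-parse loader for a bootloader-style config (added example)."""
import hashlib
import hmac

MAX_TOKEN = 64          # constructed: models a fixed-size buffer in the parser
MAX_CONFIG = 64 * 1024  # constructed: refuse absurdly large config files


class ConfigRejected(Exception):
    """Raised for any input that must never reach the boot path."""


def sign_config(cfg: bytes, key: bytes) -> bytes:
    """Detached signature stand-in (HMAC-SHA256 instead of GPG)."""
    return hmac.new(key, cfg, hashlib.sha256).digest()


def verify_config(cfg: bytes, sig: bytes, key: bytes) -> bool:
    """Constant-time check; a single changed byte in cfg fails here."""
    return hmac.compare_digest(sign_config(cfg, key), sig)


def parse_config(cfg: bytes) -> dict:
    """Parse 'cmd args' and 'set key=value' lines with bounded tokens."""
    if len(cfg) > MAX_CONFIG:
        raise ConfigRejected("config exceeds MAX_CONFIG")
    try:
        text = cfg.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ConfigRejected("config is not valid UTF-8") from exc
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("set "):
            body = line[4:]
            if "=" not in body:
                raise ConfigRejected(f"line {lineno}: malformed set")
            key, value = body.split("=", 1)
        else:
            parts = line.split(None, 1)
            key = parts[0]
            value = parts[1] if len(parts) > 1 else ""
        # Reject instead of truncating or copying: this is the bound the
        # parser buffer needs and the check an overflow would have hidden.
        for tok in (key, value):
            if len(tok.encode()) > MAX_TOKEN:
                raise ConfigRejected(f"line {lineno}: token over {MAX_TOKEN} bytes")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def load_config(cfg: bytes, sig: bytes, key: bytes) -> dict:
    """Verify first, parse second: unsigned or altered input never hits the parser."""
    if not verify_config(cfg, sig, key):
        raise ConfigRejected("signature check failed; refusing to parse")
    return parse_config(cfg)


# Constructed sample key and config (not from any real system)
SAMPLE_KEY = b"example-verification-key"
SAMPLE_CFG = b"""# constructed grub.cfg
set timeout=5
set default=0
linux /vmlinuz root=/dev/sda1 ro quiet
initrd /initrd.img
"""
SAMPLE_SIG = sign_config(SAMPLE_CFG, SAMPLE_KEY)


def demo() -> dict:
    """Exercise the three outcomes a defender cares about and return them."""
    good = load_config(SAMPLE_CFG, SAMPLE_SIG, SAMPLE_KEY)
    # One word changed after signing: the signature no longer matches.
    altered = SAMPLE_CFG.replace(b"quiet", b"splash")
    try:
        load_config(altered, SAMPLE_SIG, SAMPLE_KEY)
        altered_rejected = False
    except ConfigRejected:
        altered_rejected = True
    # A value far larger than the parser buffer: rejected, never copied.
    oversized = b"set default=" + b"A" * 4096 + b"\n"
    try:
        parse_config(oversized)
        oversized_rejected = False
    except ConfigRejected:
        oversized_rejected = True
    return {
        "timeout": good["timeout"],
        "altered_rejected": altered_rejected,
        "oversized_rejected": oversized_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the signed sample parsing normally, the altered copy failing before the parser sees it, and the oversized value being refused by the length bound. The design choice to note is the ordering: signature verification wraps the parser rather than sitting beside it, so a parser bug can only be reached by a file the signing key has already vouched for.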

Interest in hardening security may be rising. On Aug. 3 a number of major technology vendors announced the creation of the Open Source Security Foundation (OpenSSF). This collaborative foundation gives security researchers a mechanism for improving the security of open source software. According to the group’s FAQ, the OpenSSF “will start with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices. In the future, there is a plan to focus resources on the most mission-critical software identified by Harvard’s Lab for Innovation Science.”

The bottom line is the revelations brought about by the discovery of the BootHole vulnerability reconfirm that security functions need additional scrutiny.

Charles Kolodgy

“Charles J. Kolodgy is a security strategist, visionary, forecaster, historian, educator, and advisor who has been involved in the cyber security field for over 25 years. He is an Analyst with Accelerated Strategies Group and Principal at Security Mindsets. His views and understanding of information and computer security were shaped during his years at the National Security Agency. During that time he held a variety of analyst and managerial positions within both the information assurance and operations directorates. Following NSA he was a Research Vice President covering security markets for IDC and then a Senior Security Strategist for IBM Security. Over the years he has identified market trends and authored numerous documents to explain market realities and has been a speaker at many security conferences and events, including the RSA Conference, CIO Conference, CEIG, and IANS. He has been widely quoted in the media. He is best known for naming and defining the Unified Threat Management (UTM) market, which continues to be one of the strongest cyber security markets with vendor revenue of $3 billion per year. He has been a leading analyst on software security, encryption, and the human element. Charles holds a B.A. in Political Science from the University of Massachusetts at Lowell and an M.A. in National Security Studies from Georgetown University.”