Billions of Windows and Linux devices at risk of being hacked

Billions of devices running modern operating systems like Linux and Windows could be at risk from a new, high-profile security vulnerability, according to new research. Security firm Eclypsium has discovered a UEFI Secure Boot vulnerability that allows unhindered access to affected systems. Virtually all modern servers, client PCs, and other PC-based equipment use UEFI, the interface between an operating system and the platform firmware. All UEFI versions include a specially designed Secure Boot infrastructure to protect the machine against unauthorized access during the boot process. The framework relies on cryptographic keys to authenticate the code that is allowed to execute at system startup. The bootloader that loads the specified operating system and transfers control to it is GRUB2 (Grand Unified Bootloader). If this process is compromised, attackers can control how the operating system loads and undermine higher-level security controls.

BootHole

Eclypsium has discovered a weakness in the way GRUB2 parses its configuration file that allows attackers to execute arbitrary code, bypass signature verification, and install stealthy, persistent bootkits or malicious bootloaders to gain control of a system. While attackers may gain unrestricted control over a machine, along with any secrets it contains, the computer continues to function as usual, and administrators may not know it is compromised until it is too late. Exploiting the GRUB2 vulnerability is not easy, as it requires high-level privileges, which an insider or an attacker could obtain by various means. Still, the prospect of near-total access can be very attractive. On paper, the solution seems simple enough: fix the GRUB2 vulnerability; update the installers, bootloaders and shims of Linux distributions; have new shims signed by Microsoft's UEFI third-party CA; and update operating systems. In the meantime, given the difficulty of an ecosystem-wide update and revocation, addressing the vulnerability across all systems and organizations on the planet will take some time, years to be exact. "Full mitigation of this issue will require coordinated efforts by a variety of entities: affected open source projects, Microsoft, and owners of affected systems, among others," an Eclypsium statement said. "However, the full implementation of this revocation process will likely be very slow."

Source: Eclypsium (via Tom's Hardware)
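As an added example (not part of Eclypsium's research or this article), a POSIX shell script that reports a Linux host's Secure Boot state and the size of the UEFI forbidden-signature database (dbx), the firmware variable that the revocation step described above has to update; the efivars path and the two variable GUIDs are the standard Linux/UEFI values, and the efivars layout of four attribute bytes followed by the variable data is the kernel's documented format.

```shell
#!/bin/sh
# Added example: report UEFI Secure Boot state and the size of the dbx
# (forbidden-signature database). The BootHole mitigation ends with a dbx
# update that revokes vulnerable shims/bootloaders, so a host whose dbx has
# not grown since the revocation was published has not yet received it.
# Each efivars file is 4 attribute bytes followed by the variable's data.
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE
DBX_VAR="dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"          # EFI_IMAGE_SECURITY_DATABASE

# Print the variable's payload size in bytes (file size minus 4 attribute bytes).
efivar_payload_size() {
    size=$(wc -c < "$1") || return 1
    echo $((size - 4))
}

# Print "enabled", "disabled" or "unsupported" for a SecureBoot variable file.
secure_boot_state() {
    [ -r "$1" ] || { echo unsupported; return 0; }
    # Skip the 4 attribute bytes and read the single data byte as decimal.
    state=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    case "$state" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unsupported ;;
    esac
}

# Human-readable summary for the local host.
report_boot_security() {
    echo "Secure Boot: $(secure_boot_state "$EFIVARS/$SB_VAR")"
    if [ -r "$EFIVARS/$DBX_VAR" ]; then
        echo "dbx payload: $(efivar_payload_size "$EFIVARS/$DBX_VAR") bytes"
    else
        echo "dbx: not present (firmware enforces no revocations)"
    fi
}

report_boot_security
```

Compare the reported dbx size before and after applying your distribution's firmware revocation update; a value that does not change means the revocation list was not actually written to the firmware.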