Site icon TheWindowsUpdate.com

Microsoft Guidance for Addressing Security Feature Bypass in GRUB

This post has been republished via RSS; it originally appeared at: MSRC Security Update Guide.

Executive Summary Microsoft is aware of a vulnerability in the GRand Unified Boot Loader (GRUB), commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot”, could allow for Secure Boot bypass. To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device. Microsoft is working to complete validation and compatibility testing of a required Windows Update that addresses this vulnerability. If you are an IT professional and would like to immediately address this vulnerability, please see the mitigation option on installing an un-tested update. When the Windows updates become available, customers will be notified via revision to this advisory. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications and Coming Soon: New Security Update Guide Notification System. This vulnerability is detectable via TPM attestation and Defender ATP. CVEs released for this issue: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707. Update: March 2, 2021 A new set of similar vulnerabilities has been discovered, documented under: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-3418, CVE-2021-20225, CVE-2021-20233. Update: August 9, 2022 Microsoft has released standalone security update 5012170 to provide protection against the vulnerabilities described in this advisory. See the FAQ section and KB5012170: Security update for Secure Boot DBX: August 9, 2022 for more information about this update. Background Information In 2012, Microsoft introduced the Secure Boot feature into the then-new, UEFI-based PC ecosystem.  UEFI Secure Boot is an anti-rootkit feature that defends the boot process from untrusted code execution.  As part of enabling this feature, Microsoft signs boot code both for Windows and 3rd-parties including Linux distributions. This boot code allows Linux systems to take advantage of Secure Boot. The GRUB vulnerability provides a way to bypass the UEFI Secure Boot security feature for any system that trusts the Microsoft 3rd-party UEFI signer, which includes many PCs. Mitigations See the Mitigations section following the Exploitability section. Recommended Actions Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications. References Microsoft guidance for applying Secure Boot DBX update How insights from system attestation can improve enterprise security Blog: There's a Hole in the Boot UEFI Forum: https://uefi.org/revocationlistfile (Applies to CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707). Canonical: https://ubuntu.com/security/notices/USN-4432-1 Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot HPE: www.hpe.com/info/security-alerts Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ VMware: https://kb.vmware.com/s/article/80181 CVE-2020-10713 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-15705 CVE-2020-15706 CVE-2020-15707 CVEs published March 2, 2021: CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 CVE-2021-3418 CVE-2021-20225 CVE-2021-20233  
Exit mobile version