Written by Sean Lyngaas
In June, the antivirus company ESET stumbled across an insidious strain of ransomware that prevents a computer from loading and locks its data.
A saving grace was that, in order for the attack to work, a ubiquitous feature known as UEFI Secure Boot, which protects computers from getting malicious code slipped on their systems, would have to be disabled.
Now, researchers at hardware security company Eclypsium say they’ve found a vulnerability that, if exploited, would even work on computers that have that Secure Boot feature enabled. Exploiting the flaw, which researchers say affects just about every Linux-based operating system in existence, would make successful attacks using the ransomware spotted by ESET more likely. It would also open the door to stealthy attacks that compromise a machine’s loading process, where control over the computer is at its highest.
“It’s this foundational part of the system, and everything you loaded up on top of that foundation could, potentially, have been compromised if those earlier stages are compromised,” said Jesse Michael, a researcher at Oregon-based Eclypsium.
The scope of the vulnerability, which is in a bundle of code known as the GRUB2 bootloader, is staggering. Michael’s team estimates that billions of devices are affected because the impact extends far beyond GRUB2. Any Windows device that uses a Microsoft certificate authority with Secure Boot is affected, as are various open-source software projects, according to Eclypsium.
There haven’t been any reports of the GRUB2 vulnerability being exploited in the wild, and the flaw comes with important caveats. An attacker would generally need to have already gained administrative or physical access to a machine to exploit the bug to delve deeper into the system. But accomplishing that would essentially give the hacker free rein over the computer, allowing them to plant code they could return to for persistent access. That would be a spy’s dream.
Patching at a snail’s pace
The research spotlights an aspect of network security that Michael said needs more attention. There have been many defensive measures put in place for applications and operating systems, he said, but “the boot system and UEFI firmware is lagging behind in some of those mitigations that are in place.”
To bring urgency to the issue, Michael and his colleague Mickey Shkatov provided a proof-of-concept exploit for the vulnerability to Microsoft and other affected vendors that they demonstrated in April. On Wednesday, those vendors will begin one of the most complex patching processes in recent memory that could take years to complete for some computers.
Businesses will have to manually test the patches to make sure they work in their unique computing environments and don’t derail operations. And just fixing the vulnerable version of GRUB2 isn’t enough to block attacks that exploit the vulnerability. Previous vulnerable versions of the code will have to be revoked — a laborious process.
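Before any of that testing and revocation work starts, an administrator needs to know whether a given Linux host is even in the affected population: is Secure Boot actually enabled, and which GRUB2 build is installed? The script below is an added example written for this article, not code from Eclypsium or any vendor. It assumes the standard Linux layout in which the kernel exposes EFI variables as files under /sys/firmware/efi/efivars, each file holding four bytes of attribute flags followed by the variable data (for SecureBoot, a single byte: 1 for enabled, 0 for disabled). It does not inspect the UEFI forbidden-signature database (dbx), so it tells you the starting point, not whether the old bootloaders have already been revoked.

```shell
#!/bin/sh
# Added example: report the Secure Boot state and the installed GRUB version
# on a Linux host, as a first triage step before testing and applying patches.
# Assumption: efivarfs is mounted at /sys/firmware/efi/efivars and each
# variable file is 4 bytes of attributes followed by the variable's data.

secureboot_state() {
    # $1: path to a SecureBoot-<GUID> efivar file; defaults to the live one.
    var="${1:-$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)}"
    if [ -z "$var" ] || [ ! -r "$var" ]; then
        # No EFI variables: legacy BIOS boot, a VM without UEFI, or no permission.
        echo "unknown"
        return 0
    fi
    # Skip the 4-byte attribute header and read the single data byte as decimal.
    byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case "$byte" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;   # truncated or unexpected variable contents
    esac
    return 0
}

grub_version() {
    # Distributions ship the tool as grub-install (Debian family) or
    # grub2-install (Red Hat family); report whichever is present.
    if command -v grub-install >/dev/null 2>&1; then
        grub-install --version
    elif command -v grub2-install >/dev/null 2>&1; then
        grub2-install --version
    else
        echo "grub-install not found"
    fi
}

# Usage: run as root on the host being triaged.
echo "Secure Boot: $(secureboot_state)"
echo "GRUB:        $(grub_version)"
```

A host that reports "enabled" is exactly the case the Eclypsium research covers, so Secure Boot being on is no reason to skip the bootloader update; a host that reports "unknown" is usually not booting through UEFI at all and needs a different kind of review. Compare the reported GRUB build against your distribution's advisory for the fix, and remember that the revocation step (updating dbx) is separate from installing the patched package.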
It will also be an odyssey tracking down all of the vendors involved in the process; Eclypsium says there are undoubtedly more out there. “There are many OEMs [original equipment manufacturers] and so many vendors that might be using these in some of their product lines, but we just can’t tell,” Shkatov said.
A Microsoft spokesperson said the company is aware of the vulnerability and “working to complete validation and compatibility testing of a required Windows Update package.” Microsoft released an advisory with advice for mitigating the vulnerability on Wednesday.
As with the infamous Spectre and Meltdown chip bugs revealed in 2018, it’s a reminder of how painstaking it can be to fix code that is already pervasive in hardware environments.
As the group of vendors and Eclypsium researchers quietly worked to fix the GRUB2 flaw in recent months, they discovered other security issues that needed fixing. “It’s a hard problem; we don’t want to have to do this again in six months,” Michael recalled thinking. “So let’s try to find and fix what we can right now.”