Attacker Value
Moderate
6

CVE-2020-10713 – BootHole

Disclosure Date: July 30, 2020

Exploitability

(2 users assessed) High
Attack Vector
Local
Privileges Required
High
User Interaction
None

Description

A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Add Assessment

4
Ratings
Technical Analysis

A buffer overflow exists within GRUB2 affecting how it handles it’s configuration file. An exception occurs when the contents of the configuration are too large for the buffer that is incorrectly handled causing the contents to be written anyways, thus over flowing the buffer.

In order to exploit this, an attacker would likely need either:

  • Physical access to an affected device and sufficient time to mount the disk and corrupt / infect the GRUB configuration file
  • Administrative access to running system to corrupt / infect the GRUB configuration file

Successful exploitation of this vulnerability could corrupt the secure boot process and compromise the integrity of the system over all. This would effectively allow the installation and utilization of a bootkit. Developing a weaponized exploit would be aided by the lack of modern memory protections such as address space layout randomization (ASLR).

Patching is a complicated process involving updating the firmware from the vendor and applying a denylist which must be done manually (for now at least).

For more information see the Grubbing Secure Boot the Wrong Way: CVE-2020-10173.

General Information

Products

  • Grub
Technical Analysis