
I just read a few articles about a new Grub vulnerability. The article said that you can bypass the password protection by pressing backspace twenty-eight times.

I am a security guy and I am concerned about the vulnerability, so I would like to know what measures GNU and Linux are taking. Is there a security update/fix/patch, and can I do anything myself to keep my computer secure? I always keep my OS, web browser, and programs up to date, so will that help?

Here are the articles:

Henry WH Hack v3.0
    The link from your comment says 'Ubuntu, Red Hat, Debian and probably other distributions too, have released fixes for this flaw.' Doesn't that answer your question? – Neil Smithline Dec 17 '15 at 20:08
    Also asked earlier at http://unix.stackexchange.com/questions/250028/ . – JdeBP Dec 17 '15 at 22:36
    It's an integer underflow bug where GRUB doesn't correctly check how many characters are left when you press backspace, and as a result it's erasing characters even though there's nothing more to erase, and by some low-level black magic it manages to damage enough of its own memory to trigger an exception and bring up the rescue console while still leaving enough memory intact so that it can still work. I'll leave it to an experienced C developer to provide a detailed answer, but here's a link with lots of details: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html – André Borie Dec 18 '15 at 00:55

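As an added illustration of the underflow André Borie describes in the comment above (this is example code written for this page, modelled loosely on the shape of a GRUB 2 style password-prompt loop, and is not GRUB's actual source): the prompt tracks the cursor in an unsigned counter, backspace decrements it unconditionally, and the final "clear the unused tail of the buffer" step uses that same counter for both its start pointer and its length. The simulation assumes 32-bit unsigned arithmetic (as on an i386 GRUB image) and, instead of performing the out-of-bounds write, reports where it would land; the `hardened` flag adds the zero check that stops the cursor moving left of the buffer. The buffer size, the function names and the key-stream helpers are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page, not GRUB's source: a simplified model of a
 * password-prompt read loop with the shape described in the comments
 * (unsigned cursor, unconditional decrement on backspace, trailing clear
 * of the unused buffer tail). Arithmetic is done in uint32_t to mirror a
 * 32-bit GRUB image. Buffer size and helper names are assumptions. */

#define PROMPT_BUF_SIZE 32u

struct prompt_result {
    uint32_t cur_len;       /* counter value when Enter was pressed */
    int32_t  clear_offset;  /* where the tail clear would start, relative to buf[0] */
    uint32_t clear_len;     /* how many bytes it would zero */
    int      in_bounds;     /* 1 if that clear stays inside buf[0..buf_size) */
};

/* Feed a key stream to the prompt loop. hardened=0 reproduces the underflow;
 * hardened=1 refuses to move the cursor left of zero. The trailing clear is
 * only performed when it is provably in bounds, so the demo itself never
 * corrupts memory; the result records what the unguarded code would do. */
struct prompt_result prompt_read(const char *keys, char *buf, uint32_t buf_size, int hardened)
{
    struct prompt_result r;
    uint32_t cur_len = 0;

    for (const char *k = keys; *k; k++) {
        int key = (unsigned char)*k;

        if (key == '\n' || key == '\r')
            break;                      /* Enter: stop reading */

        if (key == '\b') {
            if (!hardened)
                cur_len--;              /* BUG: 0 - 1 wraps to 0xFFFFFFFF */
            else if (cur_len)
                cur_len--;              /* FIX: nothing typed, nothing to erase */
            continue;
        }

        if (key < 0x20 || key > 0x7e)
            continue;                   /* ignore non-printable keys */

        /* A check of only cur_len + 2 < buf_size can be satisfied by a
         * wrapped counter; the extra cur_len < buf_size keeps this
         * simulation memory-safe. */
        if (cur_len < buf_size && cur_len + 2 < buf_size)
            buf[cur_len++] = (char)key;
    }

    /* The modelled loop then zeroes the unused tail:
     *     memset(buf + cur_len, 0, buf_size - cur_len);
     * With a wrapped counter, buf + cur_len points *before* the buffer
     * (32-bit pointer arithmetic wraps) and the length grows past buf_size. */
    r.cur_len = cur_len;
    r.clear_offset = (int32_t)cur_len;
    r.clear_len = (uint32_t)(buf_size - cur_len);
    r.in_bounds = r.clear_offset >= 0 &&
                  (uint64_t)r.clear_offset + r.clear_len <= buf_size;
    if (r.in_bounds)
        memset(buf + r.clear_offset, 0, r.clear_len);
    return r;
}

/* Convenience: n backspaces at an empty prompt, then Enter. */
struct prompt_result prompt_backspaces(unsigned n, int hardened)
{
    char keys[128];
    char buf[PROMPT_BUF_SIZE];
    unsigned i;

    if (n > sizeof keys - 2)
        n = sizeof keys - 2;
    for (i = 0; i < n; i++)
        keys[i] = '\b';
    keys[i++] = '\n';
    keys[i] = '\0';
    memset(buf, 'A', sizeof buf);
    return prompt_read(keys, buf, PROMPT_BUF_SIZE, hardened);
}

/* Convenience: run an arbitrary key stream against a fresh buffer and
 * return the final counter value. */
uint32_t prompt_typed_len(const char *keys, int hardened)
{
    char buf[PROMPT_BUF_SIZE];
    memset(buf, 'A', sizeof buf);
    return prompt_read(keys, buf, PROMPT_BUF_SIZE, hardened).cur_len;
}

int main(void)
{
    for (int hardened = 0; hardened <= 1; hardened++) {
        struct prompt_result r = prompt_backspaces(28, hardened);
        printf("%s: cur_len=0x%08x, clear starts at buf%+d, length %u, %s\n",
               hardened ? "fixed     " : "vulnerable",
               (unsigned)r.cur_len, (int)r.clear_offset, (unsigned)r.clear_len,
               r.in_bounds ? "in bounds" : "OUT OF BOUNDS");
    }
    return 0;
}
```

With 28 backspaces at an empty prompt the unguarded loop ends with the counter at 0xFFFFFFE4, so the tail clear would start 28 bytes before the buffer and run for 60 bytes: memory the prompt does not own gets zeroed, which is the "damages its own memory" step in the comment. The guarded loop leaves the counter at 0 and the clear exactly covers the buffer.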
2 Answers


The main thing that is happening is that the bug is being seriously overhyped.

  • Exploiting this vulnerability requires physical access to the computer during startup, and if you've got physical access, there are about a zillion ways you can bypass security.
  • The bug is about bypassing Grub2's internal password protection. Most users don't password-protect Grub2.
  • The bug is in the Grub2 bootloader. If you're using direct boot from UEFI, LILO, classic Grub, or any of the non-x86 bootloaders, you're not vulnerable to it.

If you're worried about this bug, install your distro's patch for it, but keep in mind that, except in unusual circumstances, the vulnerability doesn't actually reduce security.

Gilles 'SO- stop being evil'
Mark
    `Exploiting this vulnerability requires physical access to the computer during startup` - Not necessarily. For a while I had Linux boxes attached to a serial console server that was accessible via dialup modem for OOB. If an attacker was able to bypass the console server authentication, and then wait for a reboot, or force one, they could exploit things remotely. There are also KVM-over-IP setups that, if improperly configured, might permit remote console access without any other physical access. Anyway, this type of setup is very uncommon these days. – Zoredache Dec 18 '15 at 18:29

Your question is the first I've heard of this. Based on the articles you presented, though, you're probably plenty safe for 2 reasons:

A) The first article you linked says that the major distros have already patched this. If you keep up to date like you said, it should be fine. If not, the same article says the researchers who found the bug have released a patch you can install yourself.

B) The attack isn't against the Linux kernel, it's against the bootloader. That means an attacker needs to have access to your machine itself, not just network access to it. So unless you have friends or family who are inclined to hack your computer while you sleep you should be safe.

Bonus) Once you have the physical access to a computer which you'd need for a hack like this (barring weird setups like network KVM switches), there are easier ways to gain control of the machine.

tbernard
    Many of your popular network KVMs are built into LOMs and can also do things like attach virtual USB or CD-ROM media or adjust boot order, so if someone's got admin access to one, it's pretty much game over regardless. – Charles Duffy Dec 18 '15 at 01:26
    Easier than pressing backspace?!? – wizzwizz4 Dec 18 '15 at 15:10
    @wizzwizz4, ...yes. If I'm given the choice between plugging in a piece of bootable media I prepared and has a known set of software vs depending on the target system to have a specific, vulnerable bootloader, I'm going to carry my own media in (or attach it over the LOM, or such). Just getting a bootloader may not buy you much -- in these modern times when you need an initramfs to load half your drivers, not every distro makes it as easy as `init=/bin/sh` or `single`. – Charles Duffy Dec 18 '15 at 16:25
  • @CharlesDuffy - I don't believe that is an accurate assessment of the issue. The problem - for an otherwise secure machine - wouldn't have anything to do with what happens *after* the EFI calls an executable, but rather with the EFI calling a trusted executable that afterward betrayed that trust. If a `grub` in a SecureBoot scenario will give away the keys to the city because you pressed backspace 28 times - it's treason. – mikeserv Dec 18 '15 at 20:46
  • @wizzwizz4 Along the lines with Charles Duffy, pressing backspace 28 times just gets you into Grub, then you still need to do something with that access. If you have physical access to the machine then you can physically steal the drive to do with as you please later. Or you can preempt GRUB entirely and boot to your own drive. It all depends on what you're trying to accomplish. Yes, there are security measures against those attacks too, but it serves to prove a point. – tbernard Dec 18 '15 at 22:18
  • @mikeserv, that's fair enough. For a scenario where an attacker can pop the case there's still little true security added by SecureBoot -- too easy to modify something on the filesystem (or, for a more serious attacker, pop in a PCI card that can directly read and write memory contents at will; not in everyone's budget, but not out of everyone's either) -- but for a KVM-but-no-screwdriver situation there might be value. – Charles Duffy Dec 18 '15 at 22:38
  • @CharlesDuffy - I'm talking about like... company laptops. You can pop the case, sure, but you can't access the disk after you do because it'll get scrambled if you try to access it from a different machine. Any kind of *worthwhile* protection of that kind starts with firmware these days. And chainloaders - like grub - only interfere. But you can't attach arbitrary hardware - try doing so and the firmware will require authentication because the system *changed*. It isn't that easy anymore. – mikeserv Dec 18 '15 at 22:40
  • @mikeserv, if you can attach arbitrary hardware, you can arrange to read arbitrary memory later -- including encryption keys at runtime. Think Evil Maid attacks. – Charles Duffy Dec 18 '15 at 22:41
    ...now, "easy" is admittedly a thing -- not all that hardware is cheap. (Then again, if it's good enough to get a record of keystrokes pressed, cheap will do fine). – Charles Duffy Dec 18 '15 at 22:44
  • @CharlesDuffy - That's true. But backspace is *way* cheaper in any case. And don't forget - grub has its own CLI and can network. – mikeserv Dec 18 '15 at 22:45
  • Anyone using Secure Boot will have built a signed grub install that bundles in its config file and modules. "And modules" is critical here -- don't bundle in the network modules? It's not there. – Charles Duffy Dec 18 '15 at 22:49
  • ...and frankly, unless the folks building the system went to some trouble to have UEFI's built-in networking stack actually functioning, it often won't (making grub's efinet module worthless). That thing's a bloody pain to get up. – Charles Duffy Dec 18 '15 at 22:50
  • @CharlesDuffy - It ***is a pain***. But it's getting a *lot* better every day. The problem with it before was that there wasn't any real expectation for it to work, so box shippers were just doing what they always did for firmware - almost nothing. The popularity of Chromebooks has changed that - HP has been releasing new models that ensure the IP stack is up so that stolen machines can self-report location from *firmware* on *wifi*. – mikeserv Dec 18 '15 at 22:53
    I'm actually about to be getting hardware with the latest major release of AMI's Aptio, and you just gave me some small glimmer of hope that maybe I can coax firmware-level networking into working this time. Thank you. :) – Charles Duffy Dec 18 '15 at 23:33
  • @CharlesDuffy - Good luck. One thing that really helps is bitching. A few years ago I wanted to set up fastboot on my machine but my GPU didn't have a GOP firmware. I kept emailing the manufacturer until they patched some other graphics card's firmware and emailed it back to me. They made me promise not to post it online. All you really need for the EFI IP stack is a manufacturer that cares enough to roll in the right drivers. – mikeserv Dec 18 '15 at 23:43
  • In this case, I *am* the manufacturer -- or rather, part of a startup they own. Alas, further discussion/ranting/etc would be prone to edging into NDA territory. Thanks again for the conversation! – Charles Duffy Dec 19 '15 at 01:04