Saturday, December 2, 2023

BootHole Vulnerability Affects Millions of Windows and Linux Systems – Allows Attackers to Install Stealthy Malware

Security researchers uncovered a new vulnerability dubbed “BootHole” present in the GRUB2 bootloader utilized by Windows and Linux systems.

Attackers can exploit this vulnerability to install a stealthy malware that gives total control of the victim machine.

“The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected,” Eclypisum said.

GRUB2 is the replacement of GRUB(Grand Unified Bootloader) Legacy boot loader, it functions to take over from BIOS at boot time, load itself, load the Linux kernel into memory, and then turn over execution to the kernel.

According to the detailed report shared with GBHackers On Security, the flaw affects a majority of laptops, desktops, servers, and workstations that are affected, as well as network appliances and other special-purpose equipment used in industrial, healthcare, financial, and other industries.

BootHole – Buffer Overflow Vulnerability

Researchers identified a buffer overflow vulnerability in the way that GRUB2 parses content from the GRUB2 config file(grub.cfg).

The config file also not signed, the vulnerability allows attackers to enable arbitrary code execution within GRUB2 and to gain control over the operating system.

It also allows an attacker to escalate privileges and persistence on the device, even with Secure Boot enabled.

The vulnerability can be tracked as CVE-2020-10713 and received a CVSS rating of 8.2. By exploiting the Boot Hole vulnerability attackers can install persistent and stealthy boot kits or malicious bootloaders that operate even when Secure Boot is enabled and functioning correctly.

“In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable to this issue.”

Researchers believe that majority of modern systems in use today, including servers and workstations, laptops and desktops, and a large number of Linux-based OT and IoT systems are affected by the vulnerability.


Researchers said that full mitigation of this issue will require coordinated efforts of Microsoft, open-source projects, and owners of affected systems.

“However, the full deployment of this revocation process will likely be very slow. UEFI-related updates have had a history of making devices unusable, and vendors will need to be very cautious,” researchers said.

Following are the list of advisories released by the vendors;

Researchers recommended monitoring the contents of the bootloader partition (EFI system partition) and to continue installing OS updates as usual across desktops, laptops, servers, and appliances.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles