
New Security Patches and New UEFI 'Secure' Boot Catastrophe

Filed under: Server, Security
  • Security updates for Thursday

    Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg).

  • Grub2 updates for Red Hat systems are making some unbootable

    As reported in the comments on the Grub2 secure-boot vulnerabilities report, the updates for grub2 for RHEL 8 and CentOS 8 are making some systems unbootable. The boot problems are seemingly unrelated to whether the system has secure boot enabled. It may be worth waiting a bit for that to shake out.

  • Servers at risk from “BootHole” bug – what you need to know

    That’s our tongue-in-cheek name for a cybersecurity vulnerability that not only gets assigned an identifier like CVE-2020-10713, but also acquires an impressive name plus a jaunty logo (and even, in one intriguing case, a theme tune).

    This month’s bug with an impressive name (see what we did there?) is called BootHole, and its logo rather cheekily shows a boot with a worm sticking out of a hole in the toecap.

    The bad news is that this bug affects the integrity of the bootup process itself, meaning that it provides a way for attackers to insert code that will run next time you restart your device, but during the insecure period after you turn on the power but before the operating system starts up.

    The good news for most of us is that it relies on a bug in a bootloader program known as GRUB, short for Grand Unified Boot Loader, which is rarely found on Windows or Mac computers.

  • Why the GRUB2 Secure Boot Flaw Doesn’t Affect Purism Computers

    To understand why this flaw does not affect Purism computers, it helps to understand why UEFI Secure Boot exists to begin with, and how it and the security exploit work. Attacks on the boot process are particularly nasty as they occur before the system’s kernel gets loaded. Attackers who have this ability can then compromise the kernel before it runs, allowing their attack to persist through reboots while also hiding from detection. UEFI Secure Boot is a technology that aims to protect against these kinds of attacks by signing boot loaders like GRUB2 with private keys controlled ultimately by Microsoft. UEFI Firmware on the computer contains the public certificate counterparts for those private keys. At boot time UEFI Secure Boot checks the signatures of the current GRUB2 executable and if they don’t match, it won’t allow the executable to run.

    If you’d like to understand the GRUB2 vulnerability in more detail, security journalist Dan Goodin has a great write-up at Ars Technica. In summary, an attacker can trigger a buffer overflow in GRUB2 as it parses the grub.cfg configuration file (this file contains settings for the GRUB2 menu including which kernels to load and what kernel options to use). This buffer overflow allows the attacker to modify GRUB2 code in memory and execute malicious code of their choice, bypassing the protection UEFI Secure Boot normally would have to prevent such an attack.

    Unfortunately, UEFI Secure Boot doesn’t extend its signature checks into configuration files like grub.cfg. This means you can change grub.cfg without triggering Secure Boot and the attack exploited that limitation to modify grub.cfg in a way that would then exploit the running GRUB2 binary after it had passed the signature check.

    Further complicating the response to this vulnerability is the fact that it’s not enough to patch GRUB2. Because the vulnerable GRUB2 binaries have already been signed by Microsoft’s certificate, an attacker could simply replace a patched GRUB2 with the previous, vulnerable version. Patching against this vulnerability means updating your UEFI firmware (typically using reflashing tools and firmware provided by your vendor) so that it can add the vulnerable GRUB2 binary signatures to its overall list of revoked signatures.

Red Hat Enterprise Linux runs into Boothole patch trouble

  • Red Hat Enterprise Linux runs into Boothole patch trouble

    Sometimes the cure really is worse than the disease. The recently revealed Boothole security problem with GRUB2 and Secure Boot can, theoretically, be used to attack Linux systems. In practice, the only vulnerable Linux systems are ones that have already been successfully breached by an attacker. Still, the potential for damage was there, so almost all enterprise Linux distributors have released patches. Unfortunately, for at least one -- Red Hat -- the fix has gone wrong.

    Many users are reporting that, after patching Red Hat Enterprise Linux (RHEL) 8.2, it has rendered their systems unbootable. The problem also appears to affect RHEL 7.x and 8.x computers. It seems, however, to be limited only to servers running on bare iron. RHEL virtual machines (VMs), which don't deal with Secure Boot firmware, are working fine.

Debian explains

  • GRUB2 UEFI SecureBoot vulnerability - 'BootHole'

    UEFI Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process, before the operating system has been loaded.

    SB works using cryptographic checksums and signatures. Each program that is loaded by the firmware includes a signature and a checksum, and before allowing execution the firmware will verify that the program is trusted by validating the checksum and the signature. When SB is enabled on a system, any attempt to execute an untrusted program will not be allowed. This stops unexpected / unauthorised code from running in the UEFI environment.

    Most x86 hardware comes from the factory pre-loaded with Microsoft keys. This means the firmware on these systems will trust binaries that are signed by Microsoft. Most modern systems will ship with SB enabled - they will not run any unsigned code by default, but it is possible to change the firmware configuration to either disable SB or to enrol extra signing keys.

    Debian, like many other Linux-based operating systems, uses a program called shim to extend that trust from the firmware to the other programs that we need to be secured during early boot: the GRUB2 bootloader, the Linux kernel and firmware update tools (fwupd and fwupdate).
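The Purism excerpt above explains that the real fix is a firmware-side revocation (the vulnerable, still-validly-signed GRUB2 hashes are added to the forbidden list), and the Debian excerpt describes the checksum-and-signature check that list feeds into. The forbidden list is the UEFI `dbx` variable, a sequence of `EFI_SIGNATURE_LIST` structures. The parser below is an added example written for this page, not code from Tux Machines, Purism, Debian or any distribution; the `dbx` blob it decodes is constructed inline with made-up hashes and a made-up owner GUID. The two signature-type GUIDs are the ones defined in the UEFI specification; the attribute-word offset for efivarfs is likewise from the kernel interface, not from this page. One caveat a defender needs: the SHA-256 values stored in a real `dbx` are Authenticode hashes of the PE image, not plain hashes of the file bytes, so `is_revoked` takes a precomputed PE image hash rather than hashing a file itself.

```python
"""Decode a UEFI dbx (forbidden signature database) and check whether a boot
binary's PE image hash has been revoked.

Added example for this page; not code from Tux Machines, Purism, Debian or any
distribution.  SAMPLE_DBX, SAMPLE_OWNER and SAMPLE_REVOKED are constructed here
for the demonstration and correspond to no real binary.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UINT32s
# (SignatureListSize, SignatureHeaderSize, SignatureSize), all little-endian.
_HEADER_LEN = 28


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures, rejecting malformed sizes."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < _HEADER_LEN + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + _HEADER_LEN + hdr_size
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by
        # SignatureSize - 16 bytes of data (a hash or a DER certificate).
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(dbx_blob: bytes) -> set:
    """Collect only the EFI_CERT_SHA256 entries; certificate entries are skipped."""
    return {data for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(pe_image_hash: bytes, dbx_blob: bytes) -> bool:
    """True if the given Authenticode PE image hash (32 bytes) is in dbx.
    Note: this must be the PE image hash, not sha256 of the raw file bytes."""
    return pe_image_hash in revoked_sha256_hashes(dbx_blob)


def load_efivar(path: str) -> bytes:
    """Read a variable from efivarfs; the first 4 bytes are the attribute word,
    the rest is the variable data (for dbx: the signature lists).
    Typical path (assumption, not from the page):
    /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type: uuid.UUID, entries, owner: uuid.UUID) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (used here only to construct the sample)."""
    sig_size = 16 + len(entries[0])
    list_size = _HEADER_LEN + sig_size * len(entries)
    out = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for data in entries:
        out += owner.bytes_le + data
    return out


# Constructed sample dbx: two "revoked" image hashes plus one certificate-type
# list, so the parser has to skip a non-SHA-256 entry.  Nothing here is real.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000abcd")
SAMPLE_REVOKED = [hashlib.sha256(b"constructed vulnerable grub image 1").digest(),
                  hashlib.sha256(b"constructed vulnerable grub image 2").digest()]
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_REVOKED, SAMPLE_OWNER)
              + build_signature_list(EFI_CERT_X509_GUID, [b"not a real certificate"],
                                     SAMPLE_OWNER))

if __name__ == "__main__":
    for t, owner, data in parse_signature_lists(SAMPLE_DBX):
        kind = "sha256" if t == EFI_CERT_SHA256_GUID else "x509" if t == EFI_CERT_X509_GUID else str(t)
        print(kind, owner, data.hex()[:16])
    print("revoked:", is_revoked(SAMPLE_REVOKED[0], SAMPLE_DBX))
```

To run this against a live machine, pass `load_efivar(...)` output as `dbx_blob` and obtain the PE image hash of the installed `grubx64.efi` or `shimx64.efi` with a PE-aware signing tool; if the hash of the currently installed bootloader is in `dbx`, the firmware will refuse it, which is exactly the failure mode the RHEL reports above describe when the update and the revocation get out of step.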
