
New Security Patches and New UEFI 'Secure' Boot Catastrophe

Filed under
Server
Security
  • Security updates for Thursday

    Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg).

  • Grub2 updates for Red Hat systems are making some unbootable

    As reported in the comments on the Grub2 secure-boot vulnerabilities report, the updates for grub2 for RHEL 8 and CentOS 8 are making some systems unbootable. The boot problems are seemingly unrelated to whether the system has secure boot enabled. It may be worth waiting a bit for that to shake out.

  • Servers at risk from “BootHole” bug – what you need to know

    That’s our tongue-in-cheek name for a cybersecurity vulnerability that not only gets assigned an identifier like CVE-2020-10713, but also acquires an impressive name plus a jaunty logo (and even, in one intriguing case, a theme tune).

    This month’s bug with an impressive name (see what we did there?) is called BootHole, and its logo rather cheekily shows a boot with a worm sticking out of a hole in the toecap.

    The bad news is that this bug affects the integrity of the bootup process itself, meaning that it provides a way for attackers to insert code that will run next time you restart your device, but during the insecure period after you turn on the power but before the operating system starts up.

    The good news for most of us is that it relies on a bug in a bootloader program known as GRUB, short for Grand Unified Boot Loader, which is rarely found on Windows or Mac computers.

  • Why the GRUB2 Secure Boot Flaw Doesn’t Affect Purism Computers

    To understand why this flaw does not affect Purism computers, it helps to understand why UEFI Secure Boot exists to begin with, and how it and the security exploit work. Attacks on the boot process are particularly nasty as they occur before the system’s kernel gets loaded. Attackers who have this ability can then compromise the kernel before it runs, allowing their attack to persist through reboots while also hiding from detection. UEFI Secure Boot is a technology that aims to protect against these kinds of attacks by signing boot loaders like GRUB2 with private keys controlled ultimately by Microsoft. UEFI Firmware on the computer contains the public certificate counterparts for those private keys. At boot time UEFI Secure Boot checks the signatures of the current GRUB2 executable and if they don’t match, it won’t allow the executable to run.

    If you’d like to understand the GRUB2 vulnerability in more detail, security journalist Dan Goodin has a great write-up at Ars Technica. In summary, an attacker can trigger a buffer overflow in GRUB2 as it parses the grub.cfg configuration file (this file contains settings for the GRUB2 menu including which kernels to load and what kernel options to use). This buffer overflow allows the attacker to modify GRUB2 code in memory and execute malicious code of their choice, bypassing the protection UEFI Secure Boot normally would have to prevent such an attack.

    Unfortunately, UEFI Secure Boot doesn’t extend its signature checks into configuration files like grub.cfg. This means you can change grub.cfg without triggering Secure Boot and the attack exploited that limitation to modify grub.cfg in a way that would then exploit the running GRUB2 binary after it had passed the signature check.

    Further complicating the response to this vulnerability is the fact that it’s not enough to patch GRUB2. Because the vulnerable GRUB2 binaries have already been signed by Microsoft’s certificate, an attacker could simply replace a patched GRUB2 with the previous, vulnerable version. Patching against this vulnerability means updating your UEFI firmware (typically using reflashing tools and firmware provided by your vendor) so that it can add the vulnerable GRUB2 binary signatures to its overall list of revoked signatures.

Red Hat Enterprise Linux runs into Boothole patch trouble

  • Red Hat Enterprise Linux runs into Boothole patch trouble

    Sometimes the cure really is worse than the disease. The recently revealed Boothole security problem with GRUB2 and Secure Boot can, theoretically, be used to attack Linux systems. In practice, the only vulnerable Linux systems are ones that have already been successfully breached by an attacker. Still, the potential for damage was there, so almost all enterprise Linux distributors have released patches. Unfortunately, for at least one -- Red Hat -- the fix has gone wrong.

    Many users are reporting that, after patching Red Hat Enterprise Linux (RHEL) 8.2, it has rendered their systems unbootable. The problem also appears to affect RHEL 7.x and 8.x computers. It seems, however, to be limited only to servers running on bare iron. RHEL virtual machines (VMs), which don't deal with Secure Boot firmware, are working fine.

Debian explains

  • GRUB2 UEFI SecureBoot vulnerability - 'BootHole'

    UEFI Secure Boot (SB) is a verification mechanism for ensuring that code launched by a computer's UEFI firmware is trusted. It is designed to protect a system against malicious code being loaded and executed early in the boot process, before the operating system has been loaded.

    SB works using cryptographic checksums and signatures. Each program that is loaded by the firmware includes a signature and a checksum, and before allowing execution the firmware will verify that the program is trusted by validating the checksum and the signature. When SB is enabled on a system, any attempt to execute an untrusted program will not be allowed. This stops unexpected / unauthorised code from running in the UEFI environment.

    Most x86 hardware comes from the factory pre-loaded with Microsoft keys. This means the firmware on these systems will trust binaries that are signed by Microsoft. Most modern systems will ship with SB enabled - they will not run any unsigned code by default, but it is possible to change the firmware configuration to either disable SB or to enrol extra signing keys.

    Debian, like many other Linux-based operating systems, uses a program called shim to extend that trust from the firmware to the other programs that we need to be secured during early boot: the GRUB2 bootloader, the Linux kernel and firmware update tools (fwupd and fwupdate).
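The two explanations above (Purism's and Debian's) describe the same trust decision: the firmware checks the hash and signature of each boot image against its trusted keys (db) and its revocation list (dbx), but never looks at grub.cfg, and a still-signed vulnerable GRUB2 keeps passing until its hash lands in dbx. The following is an added model of that decision, written for this page and not code from Purism, Debian, GRUB2 or any firmware. It assumes a stand-in HMAC "signature" in place of real X.509/RSA signatures, and all image and config bytes are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the signer's private key. Real Secure Boot uses
# X.509 certificates and RSA signatures; a keyed HMAC keeps this model
# self-contained and offline. Nothing here is a real key or image hash.
SIGNER_KEY = b"constructed-signer-key-not-a-real-secret"


def sign_image(image):
    """Produce the 'signature' a signer attaches to a boot image (model)."""
    return hmac.new(SIGNER_KEY, image, hashlib.sha256).digest()


class Firmware:
    """Minimal model of the firmware's Secure Boot verification step."""

    def __init__(self, trusted_key):
        self.db_key = trusted_key  # 'db': key material the firmware trusts
        self.dbx = set()           # 'dbx': hashes of revoked images

    @staticmethod
    def image_hash(image):
        return hashlib.sha256(image).digest()

    def revoke(self, image):
        """Firmware/dbx update: record the hash of a known-bad image."""
        self.dbx.add(self.image_hash(image))

    def verify_image(self, image, signature):
        """Return (trusted?, reason); dbx is consulted before the signature."""
        if self.image_hash(image) in self.dbx:
            return False, "revoked: image hash is in dbx"
        expected = hmac.new(self.db_key, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "untrusted: signature does not verify"
        return True, "trusted"

    def boot(self, grub_image, grub_signature, grub_cfg):
        ok, reason = self.verify_image(grub_image, grub_signature)
        if not ok:
            return "refused", reason
        # The verified GRUB2 image now parses grub.cfg itself. The firmware
        # never checks the config file, so its contents play no part above.
        return "booted", "grub.cfg (%d bytes) read with no signature check" % len(grub_cfg)


def scenarios():
    """Walk through the situations the text describes; returns outcomes by name."""
    vulnerable_grub = b"constructed: grub2 image with the grub.cfg parsing bug"
    patched_grub = b"constructed: grub2 image with the parsing bug fixed"
    # Both images carry a valid signature from the same trusted signer.
    vuln_sig = sign_image(vulnerable_grub)
    patched_sig = sign_image(patched_grub)

    fw = Firmware(SIGNER_KEY)
    out = {}
    out["vulnerable_before_revocation"] = fw.boot(vulnerable_grub, vuln_sig, b"menuentry ...")[0]
    out["patched"] = fw.boot(patched_grub, patched_sig, b"menuentry ...")[0]
    # Editing grub.cfg, however oversized, does not change the firmware's decision.
    out["edited_cfg"] = fw.boot(patched_grub, patched_sig, b"A" * 4096)[0]
    # Byte-level tampering with the image itself is caught by the signature check.
    out["tampered_binary"] = fw.boot(vulnerable_grub + b"x", vuln_sig, b"")[0]
    # Only after a dbx update listing the old image's hash is it refused,
    # while the patched image keeps booting.
    fw.revoke(vulnerable_grub)
    out["vulnerable_after_revocation"] = fw.boot(vulnerable_grub, vuln_sig, b"")[0]
    out["patched_after_revocation"] = fw.boot(patched_grub, patched_sig, b"")[0]
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-30s %s" % (name, result))
```

The revocation step is the point Purism makes: replacing the GRUB2 package on disk changes nothing in the firmware's view, so the defence is the dbx entry (shipped via a firmware or dbx update), and inventorying which machines have received it is the check worth automating.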


More in Tux Machines

20+ Distraction-free Text Editors for Linux, Windows, macOS and The Cloud

While writing, it's essential to have a distraction-free environment. That will help the writer formulate his ideas into words. Most text processor and document editor programs are full of tools and customization options which distract the writer, and they already take a large portion of the screen. Distraction-free editors are required by writers, screenwriters, novelists, researchers and journalists. Distraction-free modes have several criteria that start from a minimal user interface, full-screen mode, few tools in the user interface and focus mode. Read more

Leftovers: Canonical on Banks, Raspberry Pi and Curl

  • A ‘Connected’ Bank – The power of data and analytics

    The next 10 years will redefine banking. What will differentiate top banks from their competitors? Data and derived insights. Banks across the globe have been immersed in their digital agenda and with customers adopting digital banking channels aggressively, banks are collecting massive volumes of data on how customers are interacting at various touch points. Apart from the health of balance sheets, what will differentiate top banks from the competition is how effectively these data assets will be used to make banking simpler and improve their products and services. The challenge for large global banks so far has been to capitalise on huge volumes of data that their siloed business units hold and are often constrained by manual processes, data duplication and legacy systems. The use cases for data and analytics in banking are endless. Massive data assets will mean that banks can more accurately gauge the risk of offering a loan to a customer. Banks are using data analytics to improve efficiency and increase productivity. Banks will be able to use their data to train machine learning (ML) algorithms that can automate many of their processes. Artificial Intelligence (AI) solutions have the potential to transform how banks deal with regulatory compliance issues, financial fraud and cybercrime. Banks will have to get better at using customer data for greater personalisation, enabling them to offer products and services tailored to individual consumers in real time. Today, banks have only just scratched the surface of data analytics. [...] For data analytics initiatives, banks now have the option of leveraging the best of open source technologies. Open source databases such as PostgreSQL, MongoDB and Apache Cassandra can deliver insights and handle any new source of data. With data models flexible enough for rich modern data, a distributed architecture built for cloud scale, and a robust ecosystem of tools, open source data platforms can help banks break free from data silos and enable them to scale their innovation.

  • Embedding computational thinking skills in our learning resources
  • Daniel Stenberg: Reducing mallocs for fun

    Everyone needs something fun to do in their spare time. And digging deep into curl internals is mighty fun! One of the things I do in curl every now and then is to run a few typical command lines and count how much memory is allocated and how many memory allocation calls that are made. This is good project hygiene and is a basic check that we didn’t accidentally slip in a malloc/free sequence in the transfer path or something. We have extensive memory checks for leaks etc in the test suite so I’m not worried about that. Those things we detect and fix immediately, even when the leaks occur in error paths – thanks to our fancy “torture tests” that do error injections. The amount of memory needed or number of mallocs used is more of a boiling frog problem. We add one now, then another months later and a third the following year. Each added malloc call is motivated within the scope of that particular change. But taken all together, does the pattern of memory use make sense? Can we make it better?

  • Daniel Stenberg: a Google grant for libcurl work

    Earlier this year I was the recipient of a monetary Google patch grant with the expressed purpose of improving security in libcurl. This was an upfront payout under this Google program describing itself as “an experimental program that rewards proactive security improvements to select open-source projects”. I accepted this grant for the curl project and I intend to keep working fiercely on securing curl. I recognize the importance of curl security as curl remains one of the most widely used software components in the world, and even one that is doing network data transfers which typically is a risky business. curl is responsible for a measurable share of all Internet transfers done over the Internet an average day. My job is to make sure those transfers are done as safe and secure as possible. It isn’t my only responsibility of course, as I have other tasks to attend to as well, but still.

Web Browsing: Mozilla Firefox, Project Maelstrom and FreeTube on PCLinuxOS

  • Firefox usage is down 85% despite Mozilla's top exec pay going up 400%

    One of the most popular and most intuitive ways to evaluate an NGO is to judge how much of their spending is on their programme of works (or "mission") and how much is on other things, like administration and fundraising. If you give money to a charity for feeding people in the third world you hope that most of the money you give them goes on food - and not, for example, on company cars for head office staff.

    Mozilla looks bad when considered in this light. Fully 30% of all expenditure goes on administration. Charity Navigator, an organisation that measures NGO effectiveness, would give them zero out of ten on the relevant metric. For context, to achieve 5/10 on that measure Mozilla admin would need to be under 25% of spending and, for 10/10, under 15%.

  • This is a pretty dire assessment of Mozilla

    Back to Mozilla -- in my humble but correct opinion, Mozilla should be doing two things and two things only:

    1. Building THE reference implementation web browser, and

    2. Being a jugular-snapping attack dog on standards committees.

    3. There is no 3.

  • The Talospace Project: Firefox 81 on POWER

    Firefox 81 is released. In addition to new themes of dubious colour coordination, media controls now move to keyboards and supported headsets, the built-in JavaScript PDF viewer now supports forms (if we ever get a JIT going this will work a lot better), and there are relatively few developer-relevant changes. This release heralds the first official change in our standard POWER9 .mozconfig since Fx67. Link-time optimization continues to work well (and in 81 the LTO-enhanced build I'm using now benches about 6% faster than standard -O3 -mcpu=power9), so I'm now making it a standard part of my regular builds with a minor tweak we have to make due to bug 1644409. Build time still about doubles on this dual-8 Talos II and it peaks out at almost 84% of its 64GB RAM during LTO, but the result is worth it.

  • What happened to BitTorrent’s Project Maelstrom web browser?

    In April 2015, BitTorrent Inc. announced the public beta of Project Maelstrom; its new experimental peer-to-peer web browser. The browser reimagined the web using the company’s namesake file-sharing protocol. Websites would be distributed equally by its visitors instead of being hosted by an expensive central webserver. The company published a beta and some blog posts, but then never mentioned Project Maelstrom again. What happened to it? Project Maelstrom was launched four years after Opera had launched Opera Unite (Project Alien). Unite gave everyone their own web server built right into its web browser. It enabled anyone to host a website, share photos, and do all sorts of web things like music streaming directly from their own computer. Unite failed to account for people wanting to shut their computers — now servers — off at the end of the day, however. BitTorrent’s Project Maelstrom sought to fix this limitation by making everyone who visited a website help contribute to its distribution! As long as someone else was hosting a copy of it, you could shut down your computer for the night without taking your website offline with it.

  • Freetube 0.7.3 added to repository

    FreeTube is a YouTube client built around using YouTube more privately. You can enjoy your favorite content and creators without your habits being tracked. All of your user data is stored locally and never sent or published to the internet. Being powered by the Invidious API, FreeTube has become one of the best methods to watch YouTube privately on the desktop.

Programming Leftovers

  • News from PHP: releases, features, and syntax

    The PHP project has recently released three new versions; two in the PHP 7 series (7.3.22 and 7.4.10) and PHP 8.0beta3. Both PHP 7 releases were for bug fixes, addressing approximately 20 issues which can be seen in the release notes for 7.4.10 and 7.3.22. The most notable of these fixes addressed a language-wide memory leak when using compound assignments, and crash fixes when xml_parser_free() and array_merge_recursive() are called. While the project continues to provide bug-fix releases for PHP 7, development on PHP 8.0 is steaming ahead. The community has succeeded thus far in keeping with its release schedule; it is still on-target for general availability of PHP 8.0 on November 26. One noteworthy recent decision by the project was to drop support for OpenSSL version 1.0.1. Originally, PHP 8.0beta3 was to be the last beta release before entering into the release-candidate (RC) phase, when implementation details regarding APIs and behavior should stop changing. That plan changed, however, at the request of Nikita Popov. In the request to release manager Sara Golemon, Popov said more time was needed, suggesting eliminating the final RC5 release in exchange for an extra beta release...

  • How to use C++ String Literal

    The computer keyboard has characters printed on its keys. When you press a key, you see the character on the screen. Note: space is also a character. A string literal is a sequence of characters. This article explains how to use C++ string literals. You should know about C++ arrays and pointers to understand this article.

  • Goneovim: Turning Vim Into Emacs One Step At A Time

    I've seen a few people recommending a GUI for Vim and I had never really given one a shot, so I decided to take up one of your suggestions and do so. Today we're looking at an application known as Goneovim which, as the name implies, is written in Go. It has some neat features, but is it worth running a GUI for? I'll let you see.

  • What if data was code?

    Code? Data? Data? Code?

  • I Write comment to Perl7 is a fork of values

    I think the current Perl 7 plan is very heavy for the resources available to the Perl community. Perl 7 will succeed if many people welcome it and everyone supports it. However, I think the remaining users of Perl will remain because of the stability of that Perl.

  • Perl Weekly Challenge 79: Count Set Bits and Trapped Rain Water

    These are some answers to Week 79 of the Perl Weekly Challenge organized by Mohammad S. Anwar. Spoiler Alert: this weekly challenge deadline is due in a couple of days (September 27, 2020). This blog post offers some solutions to this challenge; please don’t read on if you intend to complete the challenge on your own.

  • Sebastian Witowski: Sorting Lists

    There are at least two common ways to sort lists in Python:

    - With the sorted function, which returns a new list
    - With the list.sort method, which modifies the list in place

    Which one is faster? Let’s find out!