Language Selection

English French German Italian Portuguese Spanish

Security: GRUB, Thycotic, and 'Spectre'

Filed under
  • Ubuntu Blog: GRUB2 Secure Boot Bypass 2021

    In August 2020, a set of security vulnerabilities in GRUB2 (the GRand Unified Bootloader version 2) collectively known as BootHole were disclosed. Today, another set of vulnerabilities in GRUB2 were disclosed, with similar implications. Because GRUB2 is a key component of the boot process, vulnerabilities in it can permit attackers to violate the integrity promises of UEFI Secure Boot. In this blog post we will discuss these vulnerabilities as well as the changes that have been made to Ubuntu to both mitigate them, and to make the update process easier for any future similar scenarios.

    As discussed back in August 2020, the UEFI Secure Boot process in Ubuntu is supported by a number of different components, all working together to ensure that only trusted bootloaders and operating systems are able to run. These consist of the UEFI platform firmware (aka UEFI BIOS), shim, the GRUB2 bootloader and the Linux kernel. The latter 3 of these are Ubuntu components, while the former is provided by the device OEM. In this case, both shim and GRUB2 have (or will soon receive updates) to mitigate these vulnerabilities and to help ensure older vulnerable versions of GRUB2 are not trusted by the secure boot process and cannot be used to load malicious code.


    To ensure a unified approach, the version of GRUB2 for UEFI systems used in older Ubuntu releases is updated so that a single GRUB2 version can be used for all – this ensures that both the latest security fixes and mitigation features can be more easily adopted in these older releases. As this has the potential to cause issues in what is a fundamental component of the boot process (due to the large number of changes in both GRUB2 itself as well as the way this is distributed in Ubuntu), this update will be carefully rolled out via the Updates pocket of the Ubuntu package archive.

    Because Secure Boot does not apply to BIOS based boot environments, we will not be publishing updates for GRUB2 on those systems.

  • Multiple New Security Issues Hit GRUB Bootloader Around Secure Boot

    A new set of GRUB2 security vulnerabilities were made public today affecting its UEFI Secure Boot support. A set of eight CVEs were issued in 2020 and this year for the new issues. The issues include the possibility of specially crafted ACPI tables being loaded even if Secure Boot is active, memory corruption in GRUB's menu rendering, use-after-free in rmmod functionality, the cutmem command allowing privileged users to disable certain memory regions and in turn Secure Boot protections, arbitrary code execution even if Secure Boot is enabled, GRUB 2.05 accidentally re-introducing one of last year's vulnerabilities, and memory corruption from crafted USB device descriptors that could lead to arbitrary code execution.

  • Thycotic Announces Endpoint Privilege Management Solution for Unix/Linux

    Thycotic, provider of privileged access management (PAM) solutions for more than 12,500 organizations worldwide, including 25 of the Fortune 100, announced new privilege management capabilities for workstations running Unix and Linux. The latest release of Thycotic’s Privilege Manager solution includes a Sudo plugin that saves Unix/Linux administrators time, while still providing granular control over privileged activities.

    According to the Verizon 2020 Data Breach Investigations Report, eighty percent of breaches involve compromised credentials, making them one of the most common entry points for threats. Unix and Linux endpoints are typically the most valuable targets because they rely on “root” accounts, which provide unrestricted access to all commands, files, directories, and resources.

  • Spectre returns as exploits for Windows and Linux devices found

    Remember Spectre, the infamous vulnerability that had all major chip manufacturers scrambling for a fix? Three years after its initial emergence, two new working exploits have been identified.

    According to a report from Bleeping Computer, security researcher Julien Voisin has discovered a pair of exploits targeting unpatched Linux and Windows systems, on the VirusTotal platform. VirusTotal gathers all antivirus scans in one place and checks for potential malware missed by different solutions, and these exploits were uploaded a month ago.

Microsoft is serving malware again

  • Malicious ‘Dependency Confusion’ packages are stealing password files [Ed: Microsoft is serving malware again but Microsoft partners don't name Microsoft]

    Hackers created packages using names similar to ones found in a legitimate organization’s internal repositories. In public repositories, such internal names can be found referenced in public code repositories, such as GitHub, in source code files.


  • SUSE addresses another grub2 UEFI secure boot security exposure

    Various security researchers and the grub2 team have published more security issues in grub2 today, which can be used to bypass the UEFI secure boot chain.

    These security issues have the same scope as the BootHole issues from 2020. This attack requires root access to the bootloader used in Linux operating systems, GRUB2. It bypasses normal Secure Boot protections to persistently install malicious code which cannot be detected by the operating system.

Microsoft boosters

  • GRUB2 boot loader reveals multiple high severity vulnerabilities [Ed: Microsoft interjected fake (non) security into Linux and is now boasting and celebrating the dire consequences in its loyal propaganda sites]

    GRUB, a popular boot loader used by Unix-based operating systems has fixed multiple high severity vulnerabilities.

    In 2020, BleepingComputer had reported on the BootHole vulnerability in GRUB2 that could have let attackers compromise an operating system's booting process even if the Secure Boot verification mechanism was active.

    Threat actors could further abuse the flaw to hide arbitrary code ("bootkit") within the OS that would run on every boot.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

today's leftovers

  • What is Raspberry Pi 4 “Model B”? [Ed: I'm still waiting for them to formally apologise for going behind customers' backs, making secret deals with Microsoft to put Microsoft malware on all those devices]

    Raspberry Pi has conquered the world of SoC (System on a Chip). It has already garnered millions of followers since its release in 2012. Not only is it inexpensive, but it’s also versatile, modular, and multi-purpose. It has become popular not only as a credit-sized computer board but also as a controller in electronic, robotics, and IoT projects. The size, features, and price drive the popularity of the Pi, especially in the DIY community. To keep up with the current technological trends, the tiny board has undergone plenty of upgrades over the years, and there have been many varieties so it can cater to the needs and demands of its users. In 2019, the Raspberry Pi Foundation released the fourth generation of the multi-purpose board, the Raspberry Pi 4 B. It is the most powerful Pi to date, sporting huge upgrades from its predecessors. The compact board is touted to deliver a PC-level performance, and it didn’t disappoint.

  • Kentaro Hayashi: Grow your ideas for Debian Project

    There may be some "If it could be ..." ideas for Debian Project. If idea is concreate and worth to make things forward, it should make a proposal for Project Funding. [...] I'm not confident whether mechanism works, but Debian needs change.

  • Sam Thursfield: Calliope, slowly building steam

    There are some interesting complexities to this, and in 12 hours of hacking I didn’t solve them all. Firstly, Bandcamp artist and album names are not normalized. Some artist names have spurious “The”, some album names have “(EP)” or “(single)” appended, so they don’t match your tags. These details are of interest only to librarians, but how can software tell the difference? The simplest approach is use Musicbrainz, specifically cpe musicbrainz resolve-ids. By comparing ids where possible we get mostly good results. There are many albums not on Musicbrainz, though, which for now turn up as false positives. Resolving Musicbrainz IDs is a tricky process, too — how do we distinguish Multi-Love (album) from Multi-Love (single) if we only have an album name? If you want to try it out, great! It’s still aimed at hackers — you’ll have to install from source with Meson and probably fix some bugs along the way. Please share the fixes!

  • Neovide Is A Graphical Neovim Client Written In Rust

    Neovide is a really cool GUI client for Neovim. Although it essentially functions like Neovim in the terminal, Neovide does add some nice graphical improvements such as cursor animations and smooth scrolling. It even has me thinking about making it my new "vim" alias.

Linux 5.11.13, 5.10.29, 5.4.111, 4.19.186, 4.14.230, 4.9.266, and 4.4.266

Get involved with Mageia, become a Packager

With Mageia 8 just released and development for Mageia 9 getting underway in Cauldron, the unstable branch of Mageia, now is a great time to get involved with packaging. We are starting to look at the features that we want to include for Mageia 9, and as it is so early in the development cycle, now is the time for major developments, or big updates to key pieces of software. This is a great time to join the project as you can propose features you would like to see, help to implement large changes or see how a distribution evolves through development, stabilisation and then is released. If there is an application that you are interested in, if you want to help maintain part of the distribution, or if you want to learn something new, there are many opportunities to do so with the packaging team. Read more

Google does not want you to tell your players about your donation page

I recently updated Pixel Wheels banner image on Google Play. That triggered a review of the game: shortly after the update I received a message telling me Pixel Wheels was "not compliant with Google Play Policies". What nefarious activity does the game engage in? Sneak on users? Mine bitcoins? [...] Meanwhile you can still get the game from F-Droid or, since they do not have a problem with a link to a donation page. Read more