Slashdot Mirror


0-Day GRUB2 Authentication Bypass Hits Linux (hmarco.org)

prisoninmate writes: A zero-day security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages. GRUB2 did not correctly handle the backspace key when the bootloader was configured to use password protected authentication, thus allowing a local attacker to bypass GRUB's password protection. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. At the moment, it looks like only a few distributions received the patched GRUB2 versions, including Ubuntu, Debian (Squeeze LTS only) and Red Hat Enterprise Linux 7.

144 comments

  1. Slackware for the win by Bob+the+Super+Hamste · · Score: 1, Interesting

    Well Slackware is immune.

    Seriously, how can a bug like this hang around, as basic input validation is something that should be done?

    --
    Time to offend someone
    1. Re:Slackware for the win by Viol8 · · Score: 3, Informative

      Sadly Slackware also appears to be slowly winding down. Sure, it's still being updated on an ad hoc package-by-package basis, but there hasn't been a full distro release for 2.5 years now. That's not a good sign.

    2. Re: Slackware for the win by Bing+Tsher+E · · Score: 1

      The natural migration from Slackware is to a BSD. I migrated from Slackware to NetBSD in 1999.

    3. Re: Slackware for the win by Viol8 · · Score: 1

      Only superficially. When you get into the guts of administering the OSes, Slackware is a lot closer to other Linuxes than it is to *BSD. Also the BSDs suffer from a lack of support. You might find that a Linux program compiles from source on *BSD, but often you'll find it doesn't without hacking it around a bit. Also the Linux emulation layer - whatever it's called - on BSD I always found a bit flaky.

    4. Re:Slackware for the win by DarkOx · · Score: 3, Informative

      Slackware is not winding down. There has not been a release because there has been little reason for one. With so much in flux (systemd, X/Wayland, GCC 5 stabilizing, and XFCE, Slackware's second of two DEs, having only recently had a major release itself), 14.1 has aged well. I think figuring out where udev/eudev were going also has held things up a bit.

      The changelog has been very active the past couple months. Patrick is making noise about 'betas' etc and the other developers like Robby and Eric are also hinting. A new release is coming.

      What you have to realize about Slackware is, releases are not done for their own sake. They are done for the sake of major changes and improvements. Slackware only implements major changes / forklifts when it's clear they won't be walking back those changes or replacing them again with something else in the near future. Slackware really takes stability and consistency very, very seriously.

      The faster things move in the Linux ecosystem, the longer the Slackware team has to wait for the dust to settle.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:Slackware for the win by Rockoon · · Score: 0

      Seriously, how can a bug like this hang around, as basic input validation is something that should be done?

      For some strange reason folks these days insist that bloated high level languages like C/C++ are a good choice of language for real low level problems, leading to bootloader designs that defy explanation, because the developers suited to making a high level language work in this instance are not the typical developers that have to deal with unconstrained input.

      In car analogy terms, it's what you get when you hire a car mechanic to design an oil tanker.

      --
      "His name was James Damore."
    6. Re:Slackware for the win by Viol8 · · Score: 1

      "little reason for one"

      Seriously? The rate hardware changes these days, there's a good chance the base release from 2013 won't boot on an up to date PC, and if it does it might not be able to run the network hardware. In which case how exactly do you expect someone to update it to current?

    7. Re:Slackware for the win by Viol8 · · Score: 1

      C was designed in the 1970s specifically as a language to replace assembler for low level development, and even today almost all OS kernels, including Linux, Windows and OS X, are written in it. Buy a ticket on the clue train when you get a chance.

    8. Re:Slackware for the win by jones_supa · · Score: 1

      Why would it not boot?

    9. Re:Slackware for the win by goarilla · · Score: 2

      Slackware is close to a new release ftp://ftp.osuosl.org/pub/slack....
      It just has taken longer than usual because upstream is in great turmoil and some hard decisions needed to be made regarding:
      ConsoleKit/systemd (consolekit2), udev/systemd (eudev) and KDE (probably still KDE4).

    10. Re:Slackware for the win by wbo · · Score: 1

      Why would it not boot?

      Because many distributions have trouble booting via UEFI and more and more systems are shipping without legacy/MBR boot support and can only boot via UEFI.

      UEFI brings some nice improvements, but motherboard manufacturers typically only test with Windows, and good UEFI support hasn't been a high priority until very recently for many Linux distributions.

    11. Re:Slackware for the win by Anonymous Coward · · Score: 1

      From Slackware 14.1 release notes:

      One of the big changes in Slackware 14.1 is support for systems
      running UEFI firmware (x86_64 Slackware edition only). We've added
      several new packages for UEFI, including elilo, GRUB 2, and efibootmgr,
      and all of the installation media supports booting under UEFI, as do
      the USB boot sticks generated during installation. At this point
      there is no support for running the system under Secure Boot, but a
      dedicated user could add their own Machine Owner Key, sign their
      kernels, modules, and bootloader, and then use shim to start the
      bootloader. We'll be looking into adding support for this in the
      next development cycle. Documentation for installing on UEFI machines
      is provided in a README_UEFI.TXT found in the top-level Slackware
      directory.

      Slackware ISO images (both the ones available online as well as
      the discs sent out from the Slackware store) have been processed using
      isohybrid. This allows them to be written to a USB stick, which can
      then be booted and used as the install source. This works on machines
      running both regular BIOS as well as UEFI.

    12. Re:Slackware for the win by Anonymous Coward · · Score: 0

      Bloated High level C++? I am sorry sir, you have no clue what you are talking about. C++ philosophy is zero-overhead and to ONLY include absolutely only what is necessary.

      You are gravely misinformed as to what C/C++ is.

    13. Re:Slackware for the win by Anonymous Coward · · Score: 0

      Please, please do tell us you are going systemd too, so I can justify at work the transition from *BSD in pre-production to our production farm.

    14. Re:Slackware for the win by Anonymous Coward · · Score: 0

      C as a bloated language? C++ is a trainwreck but it's not bloated either.

      Also, I think your mechanic/oil tanker metaphor is backwards from what you mean.

    15. Re:Slackware for the win by Anonymous Coward · · Score: 0

      Because people don't have time to download and inspect all the source code they execute.

    16. Re:Slackware for the win by Anonymous Coward · · Score: 0

      I sure hope not. I've recently discovered Salix (which is basically Slackware plus a little bit of automation) and I've fallen in love with Linux all over again.

    17. Re:Slackware for the win by DarkOx · · Score: 1

      It's a good thing the current release 14.1 has UEFI support already.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    18. Re:Slackware for the win by Anonymous Coward · · Score: 0

      "We've added
      several new packages for UEFI, including elilo, GRUB 2,"

      So it appears Slackware is in fact vulnerable if GRUB2 is in use.

    19. Re:Slackware for the win by Viol8 · · Score: 0

      2.5 year old beta software support. Good luck.

    20. Re:Slackware for the win by Anonymous Coward · · Score: 0

      Why use GRUB2 when you can have ELILO?

    21. Re:Slackware for the win by Anonymous Coward · · Score: 0

      Wat

    22. Re: Slackware for the win by alex67500 · · Score: 1

      Have you used a BSD since 1999? The ports system takes a bit of getting used to, but it works more than fine. But it's a server distro, I wouldn't dream of using any of them as a desktop OS though, but that's not what they're designed to do...

    23. Re:Slackware for the win by mishehu · · Score: 1

      Obviously you don't follow slackware-current. I just installed that recently, as I'm an old timer, and -current doesn't skeer me. gcc 5.2.0 as of a couple weeks ago...

    24. Re:Slackware for the win by Rockoon · · Score: 1

      C was designed in the 1970s...

      Yes.

      ... specifically as a language to replace assembler for low level development

      No.

      The C crowd has been claiming this for a while, but not since the 70's. It wasn't until the 90's that the C crowd started insisting that C was a low level language. I've been banging keys through all of this period. You are wrong.

      and even today almost all OS kernels including linux, windows and OS/X are written in it.

      Not entirely, but you pretend different.

      The real problem here isn't your ignorance about C, it's that you have no idea what "low level" means, just like that wave of 1990's C programmers.

      Buy a ticket on the clue train when you get a chance.

      I'm already on the clue train. Tickets cost knowledge. Hope that someday you can afford to ride. Make sure that you leave your standard library at the station, because it's not allowed in low level clueville.

      --
      "His name was James Damore."
    25. Re:Slackware for the win by jaklode · · Score: 1

      ELILO is dead and should not be used anymore. "This project is orphaned, Debian dropped it in 2014, and RH & SUSE stopped using this tree (and feeding back change) long before that so no longer interested in working on it. Feel free to start your own, source tarball is available."

    26. Re:Slackware for the win by KingMotley · · Score: 1

      The C crowd has been claiming this for a while, but not since the 70's. It wasn't until the 90's that the C crowd started insisting that C was a low level language. I've been banging keys through all of this period. You are wrong.

      The K&R first edition calls C "not a very high level language", while the second edition calls C "a relatively low level language" (page 1). I assume they know better than you.

      The real problem here isnt(sic) your ignorance about C, its that you have no idea what "low level" means, just like that wave of 1990's C programmers.

      I think we know what "low level" means, and it means something other than what you think it does.

    27. Re:Slackware for the win by KingMotley · · Score: 1

      Sorry K&R first edition was published 1978 -- "70s". Considering most people considered K&R's book the authority on C at the time, and they played a big role in writing C as we know it, I think I'll take their word for it over yours.

    28. Re:Slackware for the win by HiThere · · Score: 1

      OTOH, what do you mean "low level"? Assembler code is generally executed via a lower level of microcode (though I think it's burned into ROM during the writing of the CPU chip. (Read ROM as descriptive, not as a separate chip.))

      So I have no problem calling C low level. These days I normally program in Python or D. I gave up on assembler the sixth time I had to rewrite all my programs.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    29. Re:Slackware for the win by HiThere · · Score: 1

      C++ may (or may not) fail to produce bloated executables, but it is a bloated language. Its full specification is now considerably larger than that for Ada, which when it was launched was roundly denounced for having a bloated specification. (For that matter, except for string handling, Ada is a generally nicer language than C++. Unfortunately, I do a lot of string handling. Even more unfortunately, C++ handling of Unicode strings is so poor that I generally choose some other language. Usually D or Python.)

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    30. Re: Slackware for the win by Viol8 · · Score: 1

      It has been a while since I've used FreeBSD. I liked it, but as you say, it's not a desktop OS, so I stayed with Linux.

    31. Re:Slackware for the win by Viol8 · · Score: 1

      " I've been banging keys through all of this period. You are wrong."

      All that proves is that length of service doesn't always give rise to knowledge.

      "Not entirely, but you pretend different."

      Apart from a small amount of assembler - yes, entirely.

      "I'm already on the clue train."

      Apparently the one you're on has yet to leave the station.

    32. Re:Slackware for the win by morgauxo · · Score: 1

      Real bootloaders are written using toggle switches and pushbuttons, not keyboards!

    33. Re: Slackware for the win by Bing+Tsher+E · · Score: 1

      NetBSD isn't really a server distro. It's the most general-purpose of the three main BSDs. The point in NetBSD is portability. Portability squeezes warts and bugs out of software that is coded too close to a particular architecture. When you download the source code for NetBSD, you're downloading the source for every architecture it runs on. With Linux it's typical that every 'distribution' is more or less tweaked to a particular architecture.

      And anyway, my comment about NetBSD being similar to Slackware more pertained to the Init system and configuration than to the desktop experience.

      If you want a Windows-like system, you use Linux.

      If you want a UNIX-like system, you use BSD.

    34. Re:Slackware for the win by nobodie · · Score: 1

      Pure BS. I'm running fedora23 on a core 2 duo I built in 2007 with absolutely no problems. Even upgraded it with dnf system-upgrade without trouble.

      --
      Subversion of spatial scale luxury decoration ideas.
  2. News for nerds? by Anonymous Coward · · Score: 4, Insightful

    Is this even an issue?

    It's a password on the boot loader. It's not encrypting anything. If anyone is in the position to interact with a machine before the OS has loaded, they've probably got enough access to it that they can do whatever the hell they want, including booting the system off alternative media and replacing or reconfiguring said boot loader.

    1. Re:News for nerds? by JackieBrown · · Score: 3, Insightful

      Then why offer a password on a bootloader?

    2. Re:News for nerds? by Anonymous Coward · · Score: 0

      You'd be surprised how many people are thwarted by proper bios boot order and a case lock.

    3. Re:News for nerds? by i.r.id10t · · Score: 4, Insightful

      I can see where a boot password would be handy for a kiosk or similar setup where the machine is out in public space, and I'd definitely want it locked down to some degree. BIOS boot options as well.

      For a server room, this is no big deal.

      --
      Don't blame me, I voted for Kodos
    4. Re:News for nerds? by Anonymous Coward · · Score: 0

      It's a password on the boot loader. It's not encrypting anything. If anyone is in the position to interact with a machine before the OS has loaded, they've probably got enough access to it that they can do whatever the hell they want, including booting the system off alternative media and replacing or reconfiguring said boot loader.

      Security is not a zero-sum game. Even a boot loader password can be used to limit the damage that an attacker can do. Maybe the particular attacker does not even know how to boot alternative media.

    5. Re:News for nerds? by segedunum · · Score: 4, Insightful

      It's news, but it's not as big as many people think. When someone can physically get to your machine you're going to need an awful lot more than a bootloader password to secure things.

    6. Re:News for nerds? by Anonymous Coward · · Score: 0

      For me, it's regulatory compliance, but one might be able to make a weak argument for "Defense in Depth".

    7. Re:News for nerds? by Anonymous Coward · · Score: 0

      Of course it's a big deal. If they are inept enough to create a security fail on something as fundamental and simple as a password authentication, I shudder to think how many other vulnerabilities are lurking in the code in other places, just waiting to expose the soft underbelly of the system.

    8. Re: News for nerds? by Anonymous Coward · · Score: 0

      Is this an issue? Yes. Linux is used for more than servers and single-user workstations; not all users should have full access. Example: BIOS password to prevent changing the boot device, plus a GRUB password to prevent booting on-disk administrative images, plus a case lock to prevent unobtrusive tampering with the system internals.

    9. Re:News for nerds? by Anonymous Coward · · Score: 1

      Then use Windows, after all it's totally safe from virus/malware/spyware.

    10. Re:News for nerds? by Anonymous Coward · · Score: 0

      Boot order configuration + BIOS password + security screws (or a secure BIOS that stores the BIOS password in NVRAM so that it survives the CMOS battery tampering or clear CMOS jumper).

      I remember some 10+ years ago there was a flowchart showing how to secure a computer from unauthorized access (or how to break into one, depending on how you look at it). Wish I could find that again...

    11. Re:News for nerds? by goarilla · · Score: 1

      We keep seeing a repeat of old security mistakes because even in the open source world we're also trying to push more features for a smaller cost.

    12. Re:News for nerds? by fuzzyfuzzyfungus · · Score: 1

      I can understand why people want the feature (it's a decent middle ground between "haha, no, you can't fix even the tiniest misconfiguration without booting from an entirely different medium!" and giving anyone who can reboot the machine the ability to use Grub to load a near-arbitrary payload (they need to know what they are doing; but if all boot devices except the one with grub on them are locked out in the device firmware, you can then use grub to boot a payload from any storage it knows how to interact with, or boot the contents of the disk with different parameters)); but it is necessarily a bit of a hacky place for security.

      Since the OS isn't available yet, because it's the bootloader, you don't get any handy integration with OS-level authentication (e.g. being able to use LDAP/Kerberos to define access and restrictions to bootloader functions); but since it is designed to run on almost all hardware, including hardware that lacks hardware/firmware level security features or where OSS support for them is unavailable, it can't fully replicate what full-disk encryption can do (you can use software encryption and get most of the benefit; but an unencrypted initrd is obviously needed to decrypt and mount the encrypted partitions).

      For situations where you might need to monkey with grub parameters from time to time, it's a useful option; but if you are confident that they won't be changing (and/or are willing to boot an alternate medium if necessary), it would probably be better to have the option of a bootloader that simply lacks support for any input devices at all, keyboard, serial, network, whatever, and just goes from BIOS handoff to OS load as quickly as possible.

    13. Re:News for nerds? by arth1 · · Score: 2

      Its news, but it's not as big as many people think.

      It's also not a zero-day. When a disclosure happens before the exploit, it's not zero-day. And when a patch is already out, like for Red Hat, it's definitely not zero-day.

      Is it a bug that needs fixing? Absolutely. But this isn't anything to worry overly much about. There are a lot of other things to worry about with grub2, which isn't exactly the pinnacle of elegant design.

    14. Re:News for nerds? by Dutch+Gun · · Score: 1

      Yep. The term "zero-day" indicates that the bug was discovered because it was being exploited in the wild. I saw no specific mention of this, so it looks like the article got it wrong, and the summary picked up on that incorrect usage.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    15. Re:News for nerds? by phorm · · Score: 1

      Well, if you've got a fully encrypted drive and a passworded bootloader, it can actually make things pretty difficult to access even if you can boot alternative media.

    16. Re:News for nerds? by edtice1559 · · Score: 1

      The scenario I can think of for this is something like the checkin kiosks at airports where people insert their credit card as a form of identification. Having the bios locked down and the cases sealed makes it much harder to install a rootkit for purposes of engaging in some sort of fraud. Of course it also means if there's a power failure some poor soul has to go around and type the passwords in everywhere.

    17. Re:News for nerds? by Bengie · · Score: 2

      The boot information should be encrypted with the password. That way if the password is wrong and there's a bug in the validation, the attacker won't be able to read the current information.

    18. Re:News for nerds? by Anonymous Coward · · Score: 0

      Thank you. Other comments, such as "no one uses this feature" or "if you have physical access to the machine, you already own it!" have been unhelpful. Your comment is the one-and-only insightful thing I've seen here.

    19. Re:News for nerds? by phorm · · Score: 1

      That makes sense to me. Another good reason to have a password, and it would also mean that this bug would be useless if encryption is used.

    20. Re:News for nerds? by Anonymous Coward · · Score: 0

      Then why not set the bios to ask for a boot password. Most of them do. That way you also don't have to worry about someone sticking in a boot CD or USB drive if you forgot to change the settings. Also, now that I think of it, if you are changing the BIOS boot order anyway, why not just set the password there?

    21. Re:News for nerds? by Anonymous Coward · · Score: 0

      It's an issue because it highlights the atrocious code quality of the affected part of the software and how long it took for the flaw to come to light. There is this trend nowadays of programmers styling themselves ‘software engineers’ but everything that makes engineering... well, engineering, is missing from software development. The whole mentality is wrong. Sometimes I get the feeling there is nobody working in the field with a mental age above fifteen or something.

    22. Re:News for nerds? by barbariccow · · Score: 1

      wowza. Redmond run out of coffee?

  3. This is not security by Froze · · Score: 4, Insightful

    In the majority of cases if you are interacting with the boot process then you have physical access to the machine. So unless GRUB is managing disk encryption you have access regardless of the password in GRUB. This is security theater, not real security and breaking it is not accomplishing anything significant.

    Next Story.

    --
    -- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
    1. Re:This is not security by Anonymous Coward · · Score: 0

      Physical access to the machine does not guarantee the ability to boot any media you wish. The machine can be locked with a case lock and have its bios set to boot only the first HDD. Grub needs a password because it can be used to load an OS from another disk. "But a set of picks gets you past the lock!" Yeah, and a set of picks gets you in my house to grant you physical access to my unlocked, CD-booting-first computer(s). Security is done in steps. Nothing is absolute.

    2. Re:This is not security by Anonymous Coward · · Score: 0

      You are wrong.
      If you have a password protected BIOS + password protected GRUB + KVM extender from a secure server room to a workstation, you have protected against most of your attacks.

      Now with GRUB not really being password protected, an attacker can easily get to a privileged shell without a password. If the KVM included a USB port for some reason, then you may even be able to use GRUB to boot from USB media instead of your hardened OS. Again, providing a privileged shell without a password.

      There are various scenarios (Kiosk, secure server access, security monitored areas, etc.) where you provide console keyboard and mouse access without enough access to compromise the computer/network.

    3. Re:This is not security by bill_mcgonigle · · Score: 2

      Now with GRUB not really being password protected, an attacker can easily get to a privileged shell without a password

      True, but your root partition is encrypted with a good LUKS passphrase, so all they can do is see your disks, similar to a USB boot. If you already password-protected your BIOS, have a physical lock on the battery, and epoxied all your ports shut, then, yes, this is a higher level of concern. Probably most people don't fall into that scenario, though (and if they do, trusted boot is a better solution).

      Clearly the bug is a problem, but the impact will be minimal.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:This is not security by Anonymous Coward · · Score: 0

      I'm pretty sure bypassing the bootloader is much faster than disassembling my ultrabook. (and no, you can't boot anything else unless you have my UEFI password)...

    5. Re:This is not security by Blaskowicz · · Score: 1

      Sometimes, physical access to the machine is the whole point of having that machine around. You provide local keyboard, mouse, monitor or even worse things to annoying and/or weird walking meatsacks called "users".

    6. Re:This is not security by Anonymous Coward · · Score: 0

      At that point it's just easier to waterboard you for the password. I know a squealer when I see one.

    7. Re:This is not security by barbariccow · · Score: 1

      Not even. The password on boot is usually used to prevent editing or commandline.

      It CAN be used to password-protect a specific device, but that's hardly a secure approach. The device is still there.

      Any device that has strict security requirements where they restrict usage would have it on the OS level, where you can have tons of security libraries and best-practices at play.

      There are some scenarios where restricting boot can make sense outside of "steal your data." Think about a computer at an office that's shared between a day-person and a night-person. You could potentially have two hard drives, and you turn on computer, pick your name out of grub, and boot into your system. Sure, there's long-term physical access and if someone wanted to get by it they could, but they would be stopped again at the OS level hopefully. What it does change though, is accountability. Boot into a system you're not supposed to access with no password? Could have been an accident. Boot into a system you're not supposed to access that had a password you weren't supposed to know? Your motives are clear and your termination/charges will be swift.

      It does (though it is hardly secure) allow you to restrict booting into a specific device, but if someone really wants to get in, it's not that hard. If you're actually required to be secure, WHAT IT BOOTS will not be usable without the right passwords (unless it should be; depending on the system it may be open access) and it will have the libraries and whatnot to be able to secure it well.

  4. .04 versions? by Ancil · · Score: 1, Funny

    Versions from 1.98 (December, 2009) to 2.02 (December, 2015)

    They certainly set a blistering development pace.

    1. Re:.04 versions? by spirtbrat · · Score: 3, Informative

      It's a boot loader. And as boot loaders go, GRUB2 is already packed with features. How much more do you expect it to be developed?

    2. Re:.04 versions? by Anonymous Coward · · Score: 0

      Version numbers are not decimal numbers. After 1.99 can come either 1.100 or 2.0. So you cannot unambiguously say that between 1.98 and 2.02 there have been .04 versions.
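      An added example, not code from the story or from the GRUB project, covering both the affected range given in the summary (1.98 through 2.02) and the point above that version components compare as integers rather than decimals: it parses a GRUB version string, checks it against the affected range, and checks whether a grub.cfg fragment actually enables password protection (the `set superusers` and `password`/`password_pbkdf2` directives are real GRUB2 configuration; the function names and the sample configuration below are constructed for this example, and the hash in it is a placeholder).

```python
import re

# Affected upstream range as given in the story: 1.98 (December 2009) through
# 2.02 (December 2015), compared component-wise as integers.
AFFECTED_MIN = (1, 98)
AFFECTED_MAX = (2, 2)


def parse_version(text):
    """Return (major, minor) for the first X.Y number in `text`.

    Accepts a bare "1.99" as well as tool output such as
    "grub-install (GRUB) 2.02~beta2-36ubuntu3.1".  Components are integers,
    not decimal fractions: 1.98 < 1.99 < 2.00 < 2.02, and a hypothetical
    1.100 would sort after 1.99 rather than between 1.10 and 1.11.
    """
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no version number found in %r" % (text,))
    return (int(m.group(1)), int(m.group(2)))


def in_affected_range(version_text):
    """True if the upstream version lies in the affected 1.98..2.02 range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def password_protection_enabled(grub_cfg):
    """True if the grub.cfg text turns on GRUB2 authentication, i.e. it
    declares a superusers list *and* at least one password or
    password_pbkdf2 entry.  Comments and blank lines are ignored.
    """
    has_superusers = False
    has_password = False
    for raw in grub_cfg.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if re.match(r"set\s+superusers\s*=", line):
            has_superusers = True
        elif re.match(r"password(_pbkdf2)?\s+\S+\s+\S+", line):
            has_password = True
    return has_superusers and has_password


def assess(version_text, grub_cfg):
    """Combine both checks into one verdict string.

    Caveat from the story: distributions that backported the fix (Ubuntu,
    Debian Squeeze LTS, RHEL 7 at the time) keep an upstream number inside
    the range, so "affected" means "upstream version in range; confirm the
    package changelog carries the fix", not proof of exposure.
    """
    if not in_affected_range(version_text):
        return "unaffected-version"
    if not password_protection_enabled(grub_cfg):
        return "affected-version-no-password"   # bug present, nothing to bypass
    return "affected"


# Constructed sample grub.cfg fragment; the hash is a placeholder, not real.
SAMPLE_CFG = """\
set timeout=5
# authentication block
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERHASH.PLACEHOLDERSALT
"""

if __name__ == "__main__":
    for v in ("1.98", "grub-install (GRUB) 2.02~beta2-36ubuntu3.1", "2.03"):
        print(v, "->", assess(v, SAMPLE_CFG))
```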

    3. Re:.04 versions? by tburkhol · · Score: 1

      Versions from 1.98 (December, 2009) to 2.02 (December, 2015)

      How, exactly, can you call this a "0-day" exploit if the hole has existed for six years?

    4. Re:.04 versions? by Anonymous Coward · · Score: 0

      Yes, 1.98 in 2009-12... and 1.99 in 2011-05... and 2.00 in 2012-06. Are you aware that GRUB2 was written from scratch as a complete overhaul that was intended to run on far more architectures than the original GRUB and include more than just a textual mode...? GRUB is depended on by far more than just the open source community, so keep that in mind when you poke fun at their slow release cycle...

    5. Re:.04 versions? by omnichad · · Score: 2

      Because GRUB developers had 0 days to develop a patch because it was already known from the outside. They can exist far longer and still be zero-day.

    6. Re:.04 versions? by MightyYar · · Score: 1

      Grub does, in fact, go 1.98, 1.99, 2.00, etc.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  5. Backspace by Anonymous Coward · · Score: 0, Insightful

    Are you kidding me? Cue a queue of linux fanbois explaining how this isn't a big issue, is understandable, isn't as bad as some Windows bug etc.
    Cannot handle backspace key. In 2015. Much wow.

    1. Re:Backspace by serviscope_minor · · Score: 1

      Are you kidding me? Cue a queue of linux fanbois explaining how this isn't a big issue,

      shrug. It's deeply wretched, but it's a non issue for a lot of people. If you have no machines with GRUB and password protection then it doesn't affect you. I don't know anyone it affects, personally.

      Still, though how the fuck do you mess that up in 2015???

      --
      SJW n. One who posts facts.
    2. Re:Backspace by Anonymous Coward · · Score: 0

      You can fuck this up because grub is its own OS; it needs to handle all the IO including keyboard input from scratch. There were no long-lived libraries for it that can be used. Secondly it is difficult to test, since it runs on bear metal. Third, not many people try and break a bootloader.

    3. Re:Backspace by BronsCon · · Score: 1

      bear metal

      That's some grizzly steel right there.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  6. I'm stunned by Anonymous Coward · · Score: 0

    B-b-but this is open source! How can such an obvious function (grub_username_get()) in a heavily used boot loader (GRUB) have this kind of vulnerability? This vulnerability existed for 6 years. Just imagine how easily NSA could plant something like this and use it to bypass passwords.

    1. Re:I'm stunned by Cramer · · Score: 1

      Because it's not a "heavily used" part of the system, and it's code no one wants to have to look at. (boot loaders are very ugly shit.)

  7. The troll awakens by Anonymous Coward · · Score: 2, Funny

    This was a deliberate move by the FSF, because computers that need passwords aren't really free, are they?

    1. Re:The troll awakens by Culture20 · · Score: 1

      This was a deliberate move by the FSF, because computers that need passwords aren't really free, are they?

      You joke, but RMS hates passwords on computers: http://www.oreilly.com/openboo... He might as well say "A train that is stuck to the tracks isn't really free to move. Remove the tracks!"

    2. Re:The troll awakens by Crowd+Computing · · Score: 2

      This was a deliberate move by the FSF, because computers that need passwords aren't really free, are they?

      Title is obviously wrong. As you should well know, Grub is Not Linux!

      Seriously, the title is wrong, since Grub is a pre-OS environment used to load the actual operating systems, including not just Linux, but Windows and the BSDs. Saying this is a Linux bug is like blaming Microsoft for a BIOS bug.

    3. Re:The troll awakens by Anonymous Coward · · Score: 0

      Saying this is a Linux bug is like blaming Microsoft for a BIOS bug.

      Well, Slashdot did attack Microsoft for supporting UEFI instead of completely staying out of the debate on how to upgrade the very limited BIOS of prior years. Also, Windows installs its own bootloader, and GRUB is the (seemingly) universal Linux-bundled bootloader. So yes, while it isn't technically part of Linux, neither is KDE, Gnome, or your favorite package management system.
      I have not seen a distro that doesn't use GRUB, so it is reasonable (if not entirely accurate) to say that Linux is dependent on GRUB, and all the UI and other programs you run on your Linux box are dependent on Linux.

    4. Re:The troll awakens by Bengie · · Score: 1

      A bootable OS is an entire package. Whoever made the OS inherently trusts and takes responsibility. If the Linux community at large uses GRUB2, then the Linux community is responsible. I hate the whole "shift the blame game". If my code uses a 3rd-party library, if my code breaks because of the 3rd-party lib, who is to blame? ME! I chose to use the lib, so I am responsible to make sure the lib works, because my code depends on it working.

  8. "Many eyes make all bugs shallow..." by Anonymous Coward · · Score: 0

    2009 to 2015, was it? "Many eyes make all bugs shallow", ha, yeah, right. Anybody still repeating that hollow OSS canard in 2015 deserves to be laughed at.

    1. Re:"Many eyes make all bugs shallow..." by segedunum · · Score: 2

      There's not exactly many eyes on this code.

    2. Re:"Many eyes make all bugs shallow..." by GameboyRMH · · Score: 1

      Also it's a very obscure and generally unimportant feature. The only way a bootloader password could provide meaningful security is on a computer in a secure kiosk, where random users can get to the keyboard but not the insides.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:"Many eyes make all bugs shallow..." by Anonymous Coward · · Score: 0

      Keep your goalpost on a flat bed, eh?

  9. What about systemd-grub? by Anonymous Coward · · Score: 5, Funny

    The new systemd-grub leverages a pre-boot, machine-level dbus interface to policy-kit and systemd-logind, which will handle this for you. Why are people still in the dark ages with bootloader passwords?

    1. Re:What about systemd-grub? by armanox · · Score: 1

      I'm sorry, but I think the module you wanted for systemd was bootloaderd.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    2. Re:What about systemd-grub? by segedunum · · Score: 1

      Because complicating the shit out of a bootloader before an OS is even running seems like a great idea.

    3. Re:What about systemd-grub? by Crowd+Computing · · Score: 1

      You're late to the party, bootloaderd was already integrated into biosd.

    4. Re:What about systemd-grub? by Anonymous Coward · · Score: 1

      GRUB already is the systemd of bootloaders.

      They already did that; lilo was much easier, and simpler than grub; but they went with grub anyway.

      I don't want a GRand Unified Bootloader for my Linux distro; I just want something where it's easy to tweak the boot parameters and doesn't involve the voodoo-like parameters of GRUB, something like lilo.

    5. Re:What about systemd-grub? by Anonymous Coward · · Score: 0

      I'm sorry, but I think the module you wanted for systemd was bloatloaderd.

      There, fixed it for you. ;-)

    6. Re:What about systemd-grub? by Anrego · · Score: 1

      Give extlinux a try. It's still around and is very lilo like, simple config file vice a huge maze of support scripts generating the actual complex configuration files that grub2 uses.

    7. Re:What about systemd-grub? by Anonymous Coward · · Score: 1

      LI

    8. Re:What about systemd-grub? by Culture20 · · Score: 1

      When lilo failed, you were stuck with a box you had to boot from CD. With grub, you can at least boot another disk or even the correct disk.

    9. Re:What about systemd-grub? by Anonymous Coward · · Score: 0

      I think it is rather unfair to compare GRUB to systemd, GRUB isn't trying to take over the OS. It is perhaps more comparable to Emacs.

  10. Yawn.... by Lumpy · · Score: 3, Insightful

    If someone has local access, they OWN the machine already. This is a minor inconvenience as zero security is given with a grub password anyways.

    --
    Do not look at laser with remaining good eye.
    1. Re:Yawn.... by Anonymous Coward · · Score: 0

      What if you have access to the keyboard and display but not the disks?

    2. Re:Yawn.... by Anonymous Coward · · Score: 0

      This is a problem for VMs. ESX for example allows console access in Virtual Center. Many of the others are through VNC.

      This idea that VMs are a magical security utopia is disturbing.

    3. Re:Yawn.... by Anonymous Coward · · Score: 0

      vCenter has some pretty fine-grained access control. You can restrict users to specific virtual machines.

    4. Re:Yawn.... by 0ld_d0g · · Score: 2

      If someone has local access, they OWN the machine already.

      Using that logic, nobody should be required to enter a password at a local console.

      This is a minor inconvenience as zero security is given with a grub password anyways.

      "Hey guys we have this new password feature, but it's completely useless so don't use it or ever rely on it."

    5. Re:Yawn.... by Anonymous Coward · · Score: 0

      Using your logic encourages very low IQ managers to use it instead of real disk encryption.

      "hey guys we can password the bootloader instead of using real security."

    6. Re:Yawn.... by Anonymous Coward · · Score: 0

      Right, because no "high IQ" person is ever going to think that a password is a useful form of access control. It's only the dummies that think passwords are for security. Or maybe you want the users of the software to spend years getting a CS education and then audit the code to determine its usefulness. After all, the doctors, accountants, scientists, lawyers have "low IQ" because they used a password to protect their sensitive data.

      So, here's an idea - If you think a feature is useless and/or counterproductive because it will be misinterpreted as useful, don't implement it.

  11. Of course this is security by paskie · · Score: 2

    That's so silly - physical access to the machine doesn't mean anything per se!

    What if you can't take the machine apart inconspicuously because the case is sealed? What if you have only 3 minutes before someone else comes by? Security is not black and zero at all.

    One can easily even use an AVR that'll replay the keypress sequence over USB (posing as a keyboard) on a button press. This is something completely different than taking the machine apart to clear CMOS or whatever.

    BTW, can you have UEFI trusted boot with GRUB, or do you need coreboot? (Yes, there are people other than Microsoft using it, e.g. when selling appliances - think vote machines or gambling terminals.)

    --
    It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
    1. Re:Of course this is security by Anonymous Coward · · Score: 3, Interesting

      What if you can't take the machine apart inconspicuously because the case is sealed? What if you have only 3 minutes before someone else comes by? Security is not black and zero at all.

      That is like the most contrived example ever. Perhaps you shouldn't take use cases from Hollywood flicks?
      We are talking about the boot process, the computer wouldn't be shut down if the user was away for three minutes.
      A more realistic scenario would be a laptop left in a hotel room, and an option would be to just steal the laptop and have all the time in the world.

    2. Re:Of course this is security by Culture20 · · Score: 1

      That is like the most contrived example ever.

      It's a very common example for many locations, assuming "sealed" means a lock and cable on a public-use computer.

      We are talking about the boot process, the computer wouldn't be shut down if the user was away for three minutes.

      Physical access does include the power button. And it's not just "the user" you have to worry about, but *anyone* just passing by. Of course if the machine was screen-locked with a user logged in, it might arouse suspicion if it's later found turned off or at the login screen.

      A more realistic scenario would be a laptop left in a hotel room, and an option would be to just steal the laptop and have all the time in the world.

      More common for home users perhaps, but this doesn't mean it's the only scenario that grub should be designed for.

  12. Low Risk Non-Issue Is Funny by Anonymous Coward · · Score: 0

    This is a ridiculous fuck up that is quite laughable. Especially for such a widely used and presumed reviewed/audited package.

    On the other hand, a password protected boot loader is exactly as effective as a password protected boot loader that can be bypassed by pressing backspace. Both will keep the completely clueless out and neither will prevent anyone with the vaguest clue of how to boot a computer from booting/accessing the system.

    For those that don't understand, Google boot disk or startup disk.

  13. Grubs Are Delicious by Anonymous Coward · · Score: 0

    I'm glad my Windows environments aren't dependent on these buggy open source projects with their ludicrous names.

    1. Re:Grubs Are Delicious by Anonymous Coward · · Score: 0

      I would not bet on it. There are several reasons they hide their code, and one of them is because they routinely drink from open source routines. And security by obscurity really works *well*.

  14. What is it with Backspace and All Thing Linux PW? by Anonymous Coward · · Score: 0

    Seems like Backspace is almost never handled well for password entry in Linux...

  15. Next story by Anonymous Coward · · Score: 0

    How does 0-Day GRUB2 Authentication Bypass affect Women?

    1. Re:Next story by Anonymous Coward · · Score: 1

      GRUB has 4 characters. So does dick. GRUB2 has 5 characters. So does penis. Men have penises, and all men oppress all women 24/7 100% of the time. Because men have a dick/penis and GRUB/GRUB2 have the same number of characters, GRUB/GRUB2 is actively oppressing women. It doesn't even need a 0-day to do it.

  16. tl;dr by SharpFang · · Score: 3, Informative

    press backspace 28 times [enter]
    write_word 0x7eb514e 0x90909090[enter]
    normal[enter]
    Enter 'edit mode'
    append init=/bin/bash to the linux entry
    F10

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:tl;dr by blazerw · · Score: 2
      Or better yet:
      1. Turn on computer.
      2. Choose OS.
      3. Boot.

      Because NOBODY uses the grub password feature.

    2. Re:tl;dr by barbariccow · · Score: 1

      You forgot "Get prompted for login credentials AGAIN when the OS boots."

    3. Re:tl;dr by Anonymous Coward · · Score: 0

      Shortcut the CMOS battery jumper on motherboard and boot with a USB-stick, bypass any bootloader.

    4. Re:tl;dr by SharpFang · · Score: 1

      that's what init=/bin/bash is for. You boot directly to bash shell with root privileges bypassing all authentication. Then you can either create a passwordless alias for the root account, or install any rootkit you like.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    5. Re:tl;dr by Anonymous Coward · · Score: 0

      Does Bash even run without Linux? Does it manage to load or save things to the VFS without Linux to process file system calls?

    6. Re:tl;dr by SharpFang · · Score: 1

      The kernel loads normally. It's the init system (which is already userspace) that gets hijacked. The whole authentication system runs on the userspace side - and in this case isn't run, replaced by plain bash. You still need to issue 'mount -a' to mount all the filesystems but they work okay.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  17. Geebus by kjhambrick · · Score: 1

    There are enough REAL security issues floating around without getting our panties all in a wad over an issue that requires PHYSICAL access to the Console and Keyboard on a machine that has already been rebooted ...

    Along the same lines, even after this 'Zero-Day' is repaired, if I can access the Console and Keyboard, I can access the Boot Menu, and boot from a Thumb-Drive and then do everything I could do via the Grub2 Bug.

    Sheesh !

    -- kjh

    1. Re:Geebus by Anonymous Coward · · Score: 0

      Best security for any Linux Laptop, sit next to an Apple user, guess which one they will steal? The Apple :)

    2. Re:Geebus by 0ld_d0g · · Score: 1

      Both?

    3. Re:Geebus by Anonymous Coward · · Score: 0

      Physical Access != Physical Access in virtualized environments. Every single instance of a linux VM running grub2 can be exploited at a distance via the hypervisor or BMC.

  18. Think about ILOs by Anonymous Coward · · Score: 0

    Everyone is thinking "Boot loader, got to be at physical console." No.

    ILOs of all manner allow you to be any distance away.

    1. Re:Think about ILOs by guruevi · · Score: 1

      But if you can get to interface with GRUB, that means it went through an interface (BIOS/EFI) which most likely you are likewise able to access. Any sort of pre-boot access gives you full control over the machine (make it netboot or mount a disk image to the virtual floppy).

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Think about ILOs by gweihir · · Score: 1

      ILOs must be secure by themselves, or an attacker can use them to reboot your system with a CD image or the like.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Think about ILOs by Anonymous Coward · · Score: 0

      You can put a password on the BIOS/UEFI. Just because you can access the keyboard while booting does not mean you can open the case to wipe the BIOS/UEFI password.

  19. Not remotely exploitable by Anonymous Coward · · Score: 0

    Very cool, but that pesky physical access issue...

  20. No surprise here by Anonymous Coward · · Score: 1

    No surprise here. GRUB2 has always been a POS. I knew this would happen when all major Linux distros started forcing their users to use GRUB2 (not unlike the systemd fiasco). Yet, my Linux machines all use GRUB Legacy and are immune.

    1. Re:No surprise here by gweihir · · Score: 1

      GRUB 2, same as systemd, suffers from gross KISS violation. GRUB 2 also suffers from the "Second System Effect", where they put in everything and the kitchen sink. Systemd has the same problem, but _they_ managed to make this basic mistake on the first try.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  21. Good thing I use LILO! by TeknoHog · · Score: 1

    Seriously though, some of my old motherboards don't work with Grub, and I have no need for features beyond LILO.

    --
    Escher was the first MC and Giger invented the HR department.
  22. Locks are there to... by Anonymous Coward · · Score: 0

    keep honest people honest. A bootloader password is not without value. Not everyone is willing to take a screwdriver to the machine (especially a laptop) just to see what's on it.

  23. Great for university students by Anonymous Coward · · Score: 0

    Great for university students who want to install a modern distro on one of their ancient computer lab boxes that hasn't had any updates since the initial deployment.

  24. Move the boot to a USB stick by Anonymous Coward · · Score: 0

    Move the boot to a USB stick and encrypt all the rest on disk.

    Stops the Evil Maid attack

    But really, MANY EYES, OPEN SOURCE, and they did NOT SEE this GLARING HOLE?

    Open source is a bling bling sham with their rubbish "many eyes more secure" bs.

  25. Not so critical by gweihir · · Score: 1

    An attacker with physical access and some minimal skill has won anyways.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Not so critical by Anonymous Coward · · Score: 0

      What if the computer chassis is locked and you only have access to input devices and the display?

    2. Re:Not so critical by gweihir · · Score: 1

      Forget it. Lockpicking is not hard.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  26. Slackware by angel'o'sphere · · Score: 1

    Seems slackware.org is /.......

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  27. that's a -1 day bug by Anonymous Coward · · Score: 0

    If you hit backspace often enough fast enough you can travel back in time!

  28. OMG! by Anonymous Coward · · Score: 0

    News flash! If someone has access to your boot loader they can bone you.

  29. Ubuntu Fixed it! by DadLeopard · · Score: 1

    The fix for Ubuntu was out earlier today, I already applied the latest patch to Grub to fix that bug! Kinda weird having grub patches two days in a row.