Slashdot Mirror

← Back to Stories (view on slashdot.org)

0-Day GRUB2 Authentication Bypass Hits Linux (hmarco.org)

Posted by Soulskill on from the caught-and-fixed dept.

prisoninmate writes: A zero-day security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages. GRUB2 did not correctly handle the backspace key when the bootloader was configured to use password protected authentication, thus allowing a local attacker to bypass GRUB's password protection. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. At the moment, it looks like only a few distributions received the patched GRUB2 versions, including Ubuntu, Debian (Squeeze LTS only) and Red Hat Enterprise Linux 7.

4 of 144 comments (clear)

  1. Re:.04 versions? by spirtbrat · · Score: 3, Informative

    It's a boot loader. And as boot loaders go, GRUB2 is already packed with features. What more do you expect it to be developed?

  2. Re:Slackware for the win by Viol8 · · Score: 3, Informative

    Sadly slackware also appears to be slowly winding down. Sure its still being updated on an ad hoc package by package basis, by there hasn't been a full distro release for 2.5 years now. Thats not a good sign.

  3. tl;dr by SharpFang · · Score: 3, Informative

    press backspace 28 times [enter]
    write_word 0x7eb514e 0x90909090[enter]
    normal[enter]
    Enter 'edit mode'
    append init=/bin/bash to the linux entry
    F10

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  4. Re:Slackware for the win by DarkOx · · Score: 3, Informative

    Slackware is not winding down. There has not been a release because there has been little reason for one. With so much in flux Systemd, X/Wayland, GCC 5 stabilizing, and XFCE Slackware's 2nd of 2 DE's having only recently itself having a major release 14.1 has aged well. I think figuring out where udev/eudev were going also has held things up a bit.

    The changelog has been very active the past couple months. Patrick is making noise about 'betas' etc and the other developers like Robby and Eric are also hinting. A new release is coming.

    What you have to realize about Slackware is, releases are not done for their own sake. They done for the sake of major changes and improvements. Slackware only implements major changes / forklifts when its clear they won't be walking back those changes or replacing them again with something else in the near future. Slackware really takes stability and consistency very very seriously.

    The 'faster' thing move in the Linux ecosystem the longer the Slackware team has to wait for the dust to settle.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html