0-Day GRUB2 Authentication Bypass Hits Linux (hmarco.org)
prisoninmate writes: A zero-day security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages. GRUB2 did not correctly handle the backspace key when the bootloader was configured to use password-protected authentication, thus allowing a local attacker to bypass GRUB's password protection. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. At the moment, it looks like only a few distributions received the patched GRUB2 versions, including Ubuntu, Debian (Squeeze LTS only) and Red Hat Enterprise Linux 7.
Is this even an issue?
It's a password on the boot loader. It's not encrypting anything. If anyone is in the position to interact with a machine before the OS has loaded, they've probably got enough access to it that they can do whatever the hell they want, including booting the system off alternative media and replacing or reconfiguring said boot loader.
In the majority of cases, if you are interacting with the boot process, then you have physical access to the machine. So unless GRUB is managing disk encryption, you have access regardless of the password in GRUB. This is security theater, not real security, and breaking it is not accomplishing anything significant.
Next Story.
-- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
Are you kidding me? Cue a queue of Linux fanbois explaining how this isn't a big issue, is understandable, isn't as bad as some Windows bug etc.
Cannot handle backspace key. In 2015. Much wow.
If someone has local access, they OWN the machine already. This is a minor inconvenience as zero security is given with a grub password anyways.
Do not look at laser with remaining good eye.