0-Day GRUB2 Authentication Bypass Hits Linux

prisoninmate writes: A zero-day security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages. GRUB2 did not correctly handle the backspace key when the bootloader was configured to use password protected authentication, thus allowing a local attacker to bypass GRUB's password protection. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. At the moment, it looks like only a few distributions received the patched GRUB2 versions, including Ubuntu, Debian (Squeeze LTS only) and Red Hat Enterprise Linux 7.

Slackware for the win

[Bob+the+Super+Hamste]

Well Slackware is immune.

Seriously how can a bug like this hang around as basic input validation is something that should be done.

Re:Slackware for the win

[Viol8]

Sadly slackware also appears to be slowly winding down. Sure its still being updated on an ad hoc package by package basis, by there hasn't been a full distro release for 2.5 years now. Thats not a good sign.

Re: Slackware for the win

[Bing+Tsher+E]

The natural migration from Slackware is to a BSD. I migrated from Slackware to NetBSD in 1999.

Re: Slackware for the win

[Viol8]

Only superficially. When you get into the guts of administering the OS's then slackware is a lot closer to other linuxes than it is *BSD. Also the BSDs suffer from a lack of support. You might find that a linux program compiles from source on *BSD but often you'll find it doesn't without hacking it around a bit. Also the linux emulation layer - whatever its called - on BSD I always found a bit flaky.

Re:Slackware for the win

[DarkOx]

Slackware is not winding down. There has not been a release because there has been little reason for one. With so much in flux Systemd, X/Wayland, GCC 5 stabilizing, and XFCE Slackware's 2nd of 2 DE's having only recently itself having a major release 14.1 has aged well. I think figuring out where udev/eudev were going also has held things up a bit.

The changelog has been very active the past couple months. Patrick is making noise about 'betas' etc and the other developers like Robby and Eric are also hinting. A new release is coming.

What you have to realize about Slackware is, releases are not done for their own sake. They done for the sake of major changes and improvements. Slackware only implements major changes / forklifts when its clear they won't be walking back those changes or replacing them again with something else in the near future. Slackware really takes stability and consistency very very seriously.

The 'faster' thing move in the Linux ecosystem the longer the Slackware team has to wait for the dust to settle.

Re:Slackware for the win

[Viol8]

"little reason for one"

Seriously? The rate hardware changes these days theres a good chance the base release from 2013 won't boot on an up to date PC and if it does it might not be able to run the network hardware. In which case how exactly you do you expect someone to update it to current?

Re:Slackware for the win

[Viol8]

C was designed in the 1970s specifically as a language to replace assembler for low level development and even today almost all OS kernels including linux, windows and OS/X are written in it. Buy a ticket on the clue train when you get a chance.

Re:Slackware for the win

[jones_supa]

Why would it not boot?

Re:Slackware for the win

[goarilla]

Slackware is close to a new release ftp://ftp.osuosl.org/pub/slack....
It just has taken longer than usual because upstream is in great turmoil and some hard decisions needed to be made regarding:
ConsoleKit/systemd (consolekit2), udev/systemd (eudev) and KDE (probably still KDE4).

Re:Slackware for the win

[wbo]

Why would it not boot?

Because many distributions have trouble booting via UEFI and more and more systems are shipping without legacy/MBR boot support and can only boot via UEFI.

UEFI brings some nice improvements but motherboard manufactures typically only test with Windows and good UEFI support hasn't been a high priority until very recently for many Linux distributions.

Re:Slackware for the win

From Slackware 14.1 release notes:

One of the big changes in Slackware 14.1 is support for systems
running UEFI firmware (x86_64 Slackware edition only). We've added
several new packages for UEFI, including elilo, GRUB 2, and efibootmgr,
and all of the installation media supports booting under UEFI, as do
the USB boot sticks generated during installation. At this point
there is no support for running the system under Secure Boot, but a
dedicated user could add their own Machine Owner Key, sign their
kernels, modules, and bootloader, and then use shim to start the
bootloader. We'll be looking into adding support for this in the
next development cycle. Documentation for installing on UEFI machines
is provided in a README_UEFI.TXT found in the top-level Slackware
directory.

Slackware ISO images (both the ones available online as well as
the discs sent out from the Slackware store) have been processed using
isohybrid. This allows them to be written to a USB stick, which can
then be booted and used as the install source. This works on machines
running both regular BIOS as well as UEFI.

Re:Slackware for the win

[DarkOx]

Its a good thing the current release 14.1 has UEFI support already.

Re: Slackware for the win

[alex67500]

Have you used a BSD since 1999? The ports system takes a bit of getting used to, but it works more than fine. But it's a server distro, I wouldn't dream of using any of them as a desktop OS though, but that's not what they're designed to do...

Re:Slackware for the win

[mishehu]

Obviously you don't follow slackware-current . I just installed that recently, as I'm an old timer, and -current doesn't skeer me. gcc 5.2.0 as of a couple weeks ago...

Re:Slackware for the win

[Rockoon]

C was designed in the 1970s...

Yes.

... specifically as a language to replace assembler for low level development

No.

The C crowd has been claiming this for awhile, but not since the 70's. It wasn't until the 90's that the C crowd started insisting that C was a low level language. I've been banging keys through all of this period. You are wrong.

and even today almost all OS kernels including linux, windows and OS/X are written in it.

Not entirely, but you pretend different.

The real problem here isnt your ignorance about C, its that you have no idea what "low level" means, just like that wave of 1990's C programmers.

Buy a ticket on the clue train when you get a chance.

I'm already on the clue train. Tickets cost knowledge. Hope that someday you can afford to ride. Make sure that you leave your standard library at the station, because its not allowed in low level clueville.

Re:Slackware for the win

[jaklode]

ELILO is dead and should not be used anymore. "This project is orphaned, Debian dropped it in 2014, and RH & SUSE stopped using this tree (and feeding back change) long before that so no longer interested in working on it. Feel free to start your own source tarball is available."

Re:Slackware for the win

[KingMotley]

The C crowd has been claiming this for awhile, but not since the 70's. It wasn't until the 90's that the C crowd started insisting that C was a low level language. I've been banging keys through all of this period. You are wrong.

Taken from K&R first edition calls C "not a very high level language", while second edition calls C "a relatively low level language" (page 1). I assume they know better than you.

The real problem here isnt(sic) your ignorance about C, its that you have no idea what "low level" means, just like that wave of 1990's C programmers.

I think we know what "low level" means, and it means something other than what you think it does.

Re:Slackware for the win

[KingMotley]

Sorry K&R first edition was published 1978 -- "70s". Considering most people considered K&R's book the authority on C at the time, and they played a big role in writing C as we know it, I think I'll take their word for it over yours.

Re:Slackware for the win

[HiThere]

OTOH, what do you mean "low level". Assembler code is generally executed via a lower level of microcode (though I think it's burned into ROM during the writing of the CPU chip. (Read ROM as descriptive, not as a separate chip.)

So I have no problem calling C low level. These days I normally program in Python or D. I gave up on assembler the sixth time I had to rewrite all my programs.

Re:Slackware for the win

[HiThere]

C++ may (or may not) fail to produce bloated executables, but it is a bloated language. It's full specification is now considerably larger than is that for Ada, which when it was launched was roundly denounced for having a bloated specification. (For that matter, except for string handling, Ada is a generally nicer language than C++. Unfortunately, I do a lot of string handling. Even more unfortunately, C++ handling of unicode strings is so poor that I generally choose some other language. Usually D or Python.)

Re: Slackware for the win

[Viol8]

It has been a while since I've used FreeBSD, I liked it, but as you say, its not a desktop OS so I stayed with linux.

Re:Slackware for the win

[Viol8]

" I've been banging keys through all of this period. You are wrong."

All that proves is that length of service doesn't always give rise to knowledge.

"Not entirely, but you pretend different."

Apart from a small amount of assembler - yes , entirely.

"I'm already on the clue train."

Apparently the one you're on has yet to leave the station.

Re:Slackware for the win

[morgauxo]

Real bootloaders are written using toggle switches and pushbuttons, not keyboards!

Re: Slackware for the win

[Bing+Tsher+E]

NetBSD isn't really a server distro. It's the most general-purpose of the three main BSD's. The point in NetBSD is portability. Portability squeezes warts and bugs out of software that is coded too close to a particular architecture. When you download the source code for NetBSD, you're downloading the source for every architecture it runs on. With Linux it's typical that every 'distribution' is more or less tweaked to a particular architecture.

And anyway, my comment about NetBSD being similar to Slackware more pertained to the Init system and configuration than to the desktop experience.

If you want a Windows-like system, you use Linux.

If you want a UNIX-like system, you use BSD.

Re:Slackware for the win

[nobodie]

Pure BS. I'm running fedora23 on a core 2 duo I built in 2007 with absolutely no problems. Even upgraded it with dnf system-upgrade without trouble.

News for nerds?

Is this even an issue?

It's a password on the boot loader. It's not encrypting anything. If anyone is in the position to interact with a machine before the OS has loaded, they've probably got enough access to it that they can do whatever the hell they want, including booting the system off alternative media and replacing or reconfiguring said boot loader.

Re:News for nerds?

[JackieBrown]

Then why offer a password on a bootloader?

Re:News for nerds?

[i.r.id10t]

I can see where a boot password would be handy for a kiosk or similar setup where the machine is out in public space, and I'd definitely want it locked down to some degree. BIOS boot options as well.

For a server room, this is no big deal.

Re:News for nerds?

[segedunum]

Its news, but it's not as big as many people think. When someone can physically get to your machine you're going to need an awful lot more than a bootloader password to secure things.

Re:News for nerds?

Then use Windows, after all it's totally safe from virus/malware/spyware.

Re:News for nerds?

[goarilla]

We keep seeing a repeat of old security mistakes because even in the opensource world we're also trying to push
more features for a smaller cost.

Re:News for nerds?

[fuzzyfuzzyfungus]

I can understand why people want the feature(it's a decent middle ground between "haha, no, you can't fix even the tiniest misconfiguration without booting from an entirely different medium!" and giving anyone who can reboot the machine the ability to use Grub to load a near-arbitrary payload(they need to know what they are doing; but if all boot devices except the one with grub on them are locked out in the device firmware, you can then use grub to boot a payload from any storage it knows how to interact with, or boot the contents of the disk with different parameters); but it is necessarily a bit of a hacky place for security.

Since the OS isn't available yet, because it's the bootloader, you don't get any handy integration with OS-level authentication(eg. being able to use LDAP/Kerberos to define access and restrictions to bootloader functions); but since it is designed to run on almost all hardware; including hardware that lacks hardware/firmware level security features or OSS support for them is unavailable, it can't fully replicate what full-disk encryption can do(you can use software encryption and get most of the benefit; but an unencrypted initrd is obviously needed to decrypt and mount the encrypted partitions.

For situations where you might need to monkey with grub parameters from time to time, it's a useful option; but if you are confident that they won't be changing(and/or are willing to boot an alternate medium if necessary); it would probably be better to have the option of a bootloader that simply lacks support for any input devices at all, keyboard, serial, network, whatever, and just goes from BIOS handoff to OS load as quickly as possible.

Re:News for nerds?

[arth1]

Its news, but it's not as big as many people think.

It's also not a zero-day. When a disclosure happens before the exploit, it's not zero-day. And when a patch is already out, like for Red Hat, it's definitely not zero-day.

Is it a bug that needs fixing? Absolutely. But this isn't anything to worry overly much about. There are a lot of other things to worry about with grub2, which isn't exactly the pinnacle of elegant design.

Re:News for nerds?

[Dutch+Gun]

Yep. The term "zero-day" indicates that the bug was discovered because it was being exploited in the wild. I saw no specific mention of this, so it looks like the article got it wrong, and the summary picked up on that incorrect usage.

Re:News for nerds?

[phorm]

Well, if you've got a fully encrypted drive and a passworded bootloader, it can actually make things pretty difficult to access even if you can boot alternative media.

Re:News for nerds?

[edtice1559]

The scenario I can think of for this is something like the checkin kiosks at airports where people insert their credit card as a form of identification. Having the bios locked down and the cases sealed makes it much harder to install a rootkit for purposes of engaging in some sort of fraud. Of course it also means if there's a power failure some poor soul has to go around and type the passwords in everywhere.

Re:News for nerds?

[Bengie]

The boot information should be encrypted with the password. That way if the password is wrong and there's a bug in the validation, the attacker will won't be able to read the current information.

Re:News for nerds?

[phorm]

That makes sense to me.Another good reason to have a password, and it would also mean that this bug would be useless if encryption is used.

Re:News for nerds?

[barbariccow]

wowza. Redmond run out of coffee?

This is not security

[Froze]

In the majority of cases if you are interacting with the boot process then you have physical access to the machine. So unless GRUB is managing disk encryption you have access regardless of the password in GRUB. This is security theater, not real security and breaking it is not accomplishing anything significant.

Next Story.

Re:This is not security

[bill_mcgonigle]

Now with GRUB not really being password protected, an attacker can easily get to a privileged shell without a password

true, but your root partition is encrypted with a good LUKS passphrase so all they can do is see your disks, similar to a USB boot. If you already password-protected your BIOS, have a physical lock on the battery, and epoxied all your ports shut, then, yes, this is a higher level of concern. Probably most people don't fall into that scenario, though (and if they do, trusted boot is a better solution).

Clearly the bug is a problem, but the impact will be minimal.

Re:This is not security

[Blaskowicz]

Sometimes, physical access to the machine is the whole point of having that machine around. You provide local keyboard, mouse, monitor or even worse things to annoying and/or weird walking meatsacks called "users".

Re:This is not security

[barbariccow]

Not even. The password on boot is usually used to prevent editing or commandline.

It CAN be used to password-protect a specific device, but that's hardly a secure approach. The device is still there.

Any device that has strict security requirements where they restrict usage would have it on the OS level, where you can have tons of security libraries and best-practices at play.

.

There are some scenarios where restricting boot can make sense outside of "steal your data." Think about a computer at an office that's shared between a day-person and a night-person. You could potentially have two hard drives, and you turn on computer, pick your name out of grub, and boot into your system. Sure, there's long-term physical access and if someone wanted to get by it they could, but they would be stopped again at the OS level hopefully. What it does change though, is accountability. Boot into a system you're not supposed to access with no password? Could have been an accident. Boot into a system you're not supposed to access that had a password you weren't supposed to know? Your motives are clear and your termination/charges will be swift.

it does (but is hardly secure) allow you to restrict booting into a specific device but if someone really wants to get in, it's not that hard. If you're actually required to be secure, WHAT IT BOOTS will not be usable without the right passwords (unless it should be, depends on the system may be open access) and it will have the libraries and whatnot to be able to secure it well.

.04 versions?

[Ancil]

Versions from 1.98 (December, 2009) to 2.02 (December, 2015)

They certainly set a blistering development pace.

Re:.04 versions?

[spirtbrat]

It's a boot loader. And as boot loaders go, GRUB2 is already packed with features. What more do you expect it to be developed?

Re:.04 versions?

[tburkhol]

Versions from 1.98 (December, 2009) to 2.02 (December, 2015)

How, exactly, can you call this a "0-day" exploit if the hole has existed for six years?

Re:.04 versions?

[omnichad]

Because GRUB developers had 0 days to develop a patch because it was already known from the outside. They can exist far longer and still be zero-day.

Re:.04 versions?

[MightyYar]

Grub does, in fact, go 1.98, 1.99, 2.00, etc.

The troll awakens

This was a deliberate move by the FSF, because computers that need passwords aren't really free, are they?

Re:The troll awakens

[Culture20]

This was a deliberate move by the FSF, because computers that need passwords aren't really free, are they?

You joke, but RMS hates passwords on computers: http://www.oreilly.com/openboo... He might as well say "A train that is stuck to the tracks isn't really free to move. Remove the tracks!"

Re:The troll awakens

[Crowd+Computing]

This was a deliberate move by the FSF, because computers that need passwords aren't really free, are they?

Title is obviously wrong. As you should well know, Grub is Not Linux!

Seriously, the title is wrong, since Grub is a pre-OS environment used to load the actual operating systems, including not just Linux, but Windows and the BSDs. Saying this is a Linux bug is like blaming Microsoft for a BIOS bug.

Re:The troll awakens

[Bengie]

A bootable OS is an entire package. Whomever made the OS inherently trusts and takes responsibility. If the Linux community at large uses GRUB2, then the Linux community is responsible. I hate the whole "shift the blame game". If my code uses a 3rd-party library, if my code breaks because of the 3rd-party lib, who is to blame? ME! I chose to use the lib, so I am responsible to make sure the lib works, because my code depends on it working.

What about systemd-grub?

The new systemd-grub leverages a pre-boot, machine-level dbus interface to policy-kit and systemd-logind, which will handle this for you. Why are people still in the dark ages with bootloader passwords?

Re:What about systemd-grub?

[armanox]

I'm sorry, but I think the module you wanted for systemd was bootloaderd.

Re:What about systemd-grub?

[segedunum]

Because complicating the shit out of a bootloader before an OS is even running seems like a great idea.

Re:What about systemd-grub?

[Crowd+Computing]

You're late to the party, bootloaderd was already integrated into biosd.

Re:What about systemd-grub?

GRUB already is the systemd of bootloaders.

They already did that; lilo was much easier, and simpler than grub; but they went with grub anyway.

I don't want a GRand Unified Bootloader for my Linux distro; I just want something where it's easy to tweak to boot parameters and doesn't involve the voodoo like parameters of GRUB, something like lilo.

Re:What about systemd-grub?

[Anrego]

Give extlinux a try. It's still around and is very lilo like, simple config file vice a huge maze of support scripts generating the actual complex configuration files that grub2 uses.

Re:What about systemd-grub?

LI

Re:What about systemd-grub?

[Culture20]

When lilo failed, you were stuck with a box you had to boot from CD. With grub, you can at least boot another disk or even the correct disk.

Yawn....

[Lumpy]

If someone has local access, they OWN the machine already. This is a minor inconvenience as zero security is given with a grub password anyways.

Re:Yawn....

[0ld_d0g]

If someone has local access, they OWN the machine already.

Using that logic, nobody should be required to enter a password at a local console.

This is a minor inconvenience as zero security is given with a grub password anyways.

"Hey guys we have this new password feature, but its completely useless so don't use it or ever rely on it."

Of course this is security

[paskie]

That's so silly - physical access to the machine doesn't mean anything per se!

What if you can't take the machine apart inconspicuously because the case is sealed. What if you have only 3 minutes before someone else comes by? Security is not black and zero at all.

One can easily even use an AVR that'll replay the keypress sequence over USB (posing as a keyboard) on a button press. This is something completely different than taking the machine apart to clear CMOS or whatever.

BTW, can you have UEFI trusted boot with GRUB, or do you need coreboot? (Yes, there are people other than Microsoft using it, e.g. when selling appliances - think vote machines or gambling terminals.)

Re:Of course this is security

What if you can't take the machine apart inconspicuously because the case is sealed. What if you have only 3 minutes before someone else comes by? Security is not black and zero at all.

That is like the most contrived example ever. Perhaps you shouldn't take use cases from Hollywood flicks?
We are talking about the boot process, the computer wouldn't be shut down if the user was away for three minutes.
More realistic scenario would be laptop left in hotel room and an option would be to just steal the laptop and have all the time in the world.

Re:Of course this is security

[Culture20]

That is like the most contrived example ever.

It's a very common example for many locations, assuming "sealed" means a lock and cable on a public-use computer.

We are talking about the boot process, the computer wouldn't be shut down if the user was away for three minutes.

Physical access does include the power button. And it's not just "the user" you have to worry about, but *anyone* just passing by. Of course if the machine was screen-locked with a user logged in, it might arouse suspicion if it's later found turned off or at the login screen.

More realistic scenario would be laptop left in hotel room and an option would be to just steal the laptop and have all the time in the world.

More common for home users perhaps, but this doesn't mean it's the only scenario that grub should be designed for.

Re:"Many eyes make all bugs shallow..."

[segedunum]

There's not exactly many eyes on this code.

Re:Backspace

[serviscope_minor]

Are you kidding me? Cue a queue of linux fanbois explaining how this isn't a big issue,

shrug. It's deeply wretched, but it's a non issue for a lot of people. If you have no machines with GRUB and password protection then it doesn't affect you. I don't know anyone it affects, personally.

Still, though how the fuck do you mess that up in 2015???

tl;dr

[SharpFang]

press backspace 28 times [enter]
write_word 0x7eb514e 0x90909090[enter]
normal[enter]
Enter 'edit mode'
append init=/bin/bash to the linux entry
F10

Re:tl;dr

[blazerw]

Or better yet:
1. Turn on computer.
2. Choose OS.
3. Boot.

Because NOBODY uses the grub password feature.

Re:tl;dr

[barbariccow]

You forgot "Get prompted for login credentials AGAIN when the OS boots."

Re:tl;dr

[SharpFang]

that's what init=/bin/bash is for. You boot directly to bash shell with root privileges bypassing all authentication. Then you can either create a passwordless alias for the root account, or install any rootkit you like.

Re:tl;dr

[SharpFang]

the kernel loads normally. It's the init system (which is already userspace) that gets hijacked. The whole authentication system runs on userspace side - and in this case isn't run, replaced by plain bash. You still need to issue 'mount -a' to mount all the filesystems but they work okay.

Geebus

[kjhambrick]

There are enough REAL security issues floating around without getting our panties all in a wad over an issue that requires PHYSICAL access to the Console and Keyboard on a machine that has already been rebooted ...

Along the same lines, even after this 'Zero-Day' is repaired, if I can access the Console and Keyboard, I can access the Boot Menu, and boot from a Thumb-Drive and then do everything I could do via the Grub2 Bug.

Sheesh !

-- kjh

Re:Geebus

[0ld_d0g]

Both?

Re:"Many eyes make all bugs shallow..."

[GameboyRMH]

Also it's a very obscure and generally unimportant feature. The only way a bootloader password could provide meaningful security is on a computer in a secure kiosk, where random users can get to the keyboard and but not the insides.

No surprise here

No surprise here. GRUB2 has always been a POS. I knew this would happen when all major Linux distros started forcing their users to use GRUB2 (not unlike the systemd fiasco). Yet, my Linux machines all use GRUB Legacy and are immune.

Re:No surprise here

[gweihir]

GRUB 2, same as systemd, suffers from gross KISS violation. GRUB 2 also suffers from the "Second System Effect", where they put in everything and the kitchen sink. Systemd has the same problem, but _they_ managed to make this basic mistake on the first try.

Good thing I use LILO!

[TeknoHog]

Seriously though, some of my old motherboards don't work with Grub, and I have no need for features beyond LILO.

Re:Think about ILOs

[guruevi]

But if you can get to interface with GRUB, that means it went through an interface (BIOS/EFI) which most likely you are likewise able to access. Any sort of pre-boot access gives you full control over the machine (make it netboot or mount a disk image to the virtual floppy).

Not so critical

[gweihir]

An attacker with physical access and some minimal skill has won anyways.

Re:Not so critical

[gweihir]

Forget it. Lockpicking is not hard.

Slackware

[angel'o'sphere]

Seems slackware.org is /.......

Re:Next story

GRUB has 4 characters. So does dick. GRUB2 has 5 characters. So does penis. Men have penises, and all men oppress all women 24/7 $100% of the time. Because men have a dick/penis and GRUB/GRUB2 have the sane number of characters, GRUB/GRUB2 is actively oppressing women. It doesn't even need a 0-day to do it.

Re:Think about ILOs

[gweihir]

ILOs must be secure by themselves, or an attacker can use them to reboot your system with a CD image or the like.

Re:Backspace

[BronsCon]

bear metal

That's some grizzly steel right there.

Re:I'm stunned

[Cramer]

Because it's not a "heavily used" part of the system, and it's code no one wants to have to look at. (boot loaders are very ugly shit.)

Ubuntu Fixed it!

[DadLeopard]

The fix for Ubuntu was out earlier today, I already applied the latest patch to Grub to fix that bug! Kinda weird having grub patches two days in a row