Slashdot Mirror

← Back to Stories (view on slashdot.org)

0-Day GRUB2 Authentication Bypass Hits Linux (hmarco.org)

Posted by Soulskill on from the caught-and-fixed dept.

prisoninmate writes: A zero-day security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages. GRUB2 did not correctly handle the backspace key when the bootloader was configured to use password protected authentication, thus allowing a local attacker to bypass GRUB's password protection. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. At the moment, it looks like only a few distributions received the patched GRUB2 versions, including Ubuntu, Debian (Squeeze LTS only) and Red Hat Enterprise Linux 7.

23 of 144 comments (clear)

  1. News for nerds? by Anonymous Coward · · Score: 4, Insightful

    Is this even an issue?

    It's a password on the boot loader. It's not encrypting anything. If anyone is in the position to interact with a machine before the OS has loaded, they've probably got enough access to it that they can do whatever the hell they want, including booting the system off alternative media and replacing or reconfiguring said boot loader.

    1. Re:News for nerds? by JackieBrown · · Score: 3, Insightful

      Then why offer a password on a bootloader?

    2. Re:News for nerds? by i.r.id10t · · Score: 4, Insightful

      I can see where a boot password would be handy for a kiosk or similar setup where the machine is out in public space, and I'd definitely want it locked down to some degree. BIOS boot options as well.

      For a server room, this is no big deal.

      --
      Don't blame me, I voted for Kodos
    3. Re:News for nerds? by segedunum · · Score: 4, Insightful

      Its news, but it's not as big as many people think. When someone can physically get to your machine you're going to need an awful lot more than a bootloader password to secure things.

    4. Re:News for nerds? by arth1 · · Score: 2

      Its news, but it's not as big as many people think.

      It's also not a zero-day. When a disclosure happens before the exploit, it's not zero-day. And when a patch is already out, like for Red Hat, it's definitely not zero-day.

      Is it a bug that needs fixing? Absolutely. But this isn't anything to worry overly much about. There are a lot of other things to worry about with grub2, which isn't exactly the pinnacle of elegant design.

    5. Re:News for nerds? by Bengie · · Score: 2

      The boot information should be encrypted with the password. That way if the password is wrong and there's a bug in the validation, the attacker will won't be able to read the current information.

  2. This is not security by Froze · · Score: 4, Insightful

    In the majority of cases if you are interacting with the boot process then you have physical access to the machine. So unless GRUB is managing disk encryption you have access regardless of the password in GRUB. This is security theater, not real security and breaking it is not accomplishing anything significant.

    Next Story.

    --
    -- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
    1. Re:This is not security by bill_mcgonigle · · Score: 2

      Now with GRUB not really being password protected, an attacker can easily get to a privileged shell without a password

      true, but your root partition is encrypted with a good LUKS passphrase so all they can do is see your disks, similar to a USB boot. If you already password-protected your BIOS, have a physical lock on the battery, and epoxied all your ports shut, then, yes, this is a higher level of concern. Probably most people don't fall into that scenario, though (and if they do, trusted boot is a better solution).

      Clearly the bug is a problem, but the impact will be minimal.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. The troll awakens by Anonymous Coward · · Score: 2, Funny

    This was a deliberate move by the FSF, because computers that need passwords aren't really free, are they?

    1. Re:The troll awakens by Crowd+Computing · · Score: 2

      This was a deliberate move by the FSF, because computers that need passwords aren't really free, are they?

      Title is obviously wrong. As you should well know, Grub is Not Linux!

      Seriously, the title is wrong, since Grub is a pre-OS environment used to load the actual operating systems, including not just Linux, but Windows and the BSDs. Saying this is a Linux bug is like blaming Microsoft for a BIOS bug.

  4. What about systemd-grub? by Anonymous Coward · · Score: 5, Funny

    The new systemd-grub leverages a pre-boot, machine-level dbus interface to policy-kit and systemd-logind, which will handle this for you. Why are people still in the dark ages with bootloader passwords?

  5. Yawn.... by Lumpy · · Score: 3, Insightful

    If someone has local access, they OWN the machine already. This is a minor inconvenience as zero security is given with a grub password anyways.

    --
    Do not look at laser with remaining good eye.
    1. Re:Yawn.... by 0ld_d0g · · Score: 2

      If someone has local access, they OWN the machine already.

      Using that logic, nobody should be required to enter a password at a local console.

      This is a minor inconvenience as zero security is given with a grub password anyways.

      "Hey guys we have this new password feature, but its completely useless so don't use it or ever rely on it."

  6. Of course this is security by paskie · · Score: 2

    That's so silly - physical access to the machine doesn't mean anything per se!

    What if you can't take the machine apart inconspicuously because the case is sealed. What if you have only 3 minutes before someone else comes by? Security is not black and zero at all.

    One can easily even use an AVR that'll replay the keypress sequence over USB (posing as a keyboard) on a button press. This is something completely different than taking the machine apart to clear CMOS or whatever.

    BTW, can you have UEFI trusted boot with GRUB, or do you need coreboot? (Yes, there are people other than Microsoft using it, e.g. when selling appliances - think vote machines or gambling terminals.)

    --
    It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
    1. Re:Of course this is security by Anonymous Coward · · Score: 3, Interesting

      What if you can't take the machine apart inconspicuously because the case is sealed. What if you have only 3 minutes before someone else comes by? Security is not black and zero at all.

      That is like the most contrived example ever. Perhaps you shouldn't take use cases from Hollywood flicks?
      We are talking about the boot process, the computer wouldn't be shut down if the user was away for three minutes.
      More realistic scenario would be laptop left in hotel room and an option would be to just steal the laptop and have all the time in the world.

  7. Re:.04 versions? by spirtbrat · · Score: 3, Informative

    It's a boot loader. And as boot loaders go, GRUB2 is already packed with features. What more do you expect it to be developed?

  8. Re:"Many eyes make all bugs shallow..." by segedunum · · Score: 2

    There's not exactly many eyes on this code.

  9. Re:Slackware for the win by Viol8 · · Score: 3, Informative

    Sadly slackware also appears to be slowly winding down. Sure its still being updated on an ad hoc package by package basis, by there hasn't been a full distro release for 2.5 years now. Thats not a good sign.

  10. tl;dr by SharpFang · · Score: 3, Informative

    press backspace 28 times [enter]
    write_word 0x7eb514e 0x90909090[enter]
    normal[enter]
    Enter 'edit mode'
    append init=/bin/bash to the linux entry
    F10

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:tl;dr by blazerw · · Score: 2
      Or better yet:
      1. Turn on computer.
      2. Choose OS.
      3. Boot.

      Because NOBODY uses the grub password feature.

  11. Re:Slackware for the win by DarkOx · · Score: 3, Informative

    Slackware is not winding down. There has not been a release because there has been little reason for one. With so much in flux Systemd, X/Wayland, GCC 5 stabilizing, and XFCE Slackware's 2nd of 2 DE's having only recently itself having a major release 14.1 has aged well. I think figuring out where udev/eudev were going also has held things up a bit.

    The changelog has been very active the past couple months. Patrick is making noise about 'betas' etc and the other developers like Robby and Eric are also hinting. A new release is coming.

    What you have to realize about Slackware is, releases are not done for their own sake. They done for the sake of major changes and improvements. Slackware only implements major changes / forklifts when its clear they won't be walking back those changes or replacing them again with something else in the near future. Slackware really takes stability and consistency very very seriously.

    The 'faster' thing move in the Linux ecosystem the longer the Slackware team has to wait for the dust to settle.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  12. Re:Slackware for the win by goarilla · · Score: 2

    Slackware is close to a new release ftp://ftp.osuosl.org/pub/slack....
    It just has taken longer than usual because upstream is in great turmoil and some hard decisions needed to be made regarding:
    ConsoleKit/systemd (consolekit2), udev/systemd (eudev) and KDE (probably still KDE4).

  13. Re:.04 versions? by omnichad · · Score: 2

    Because GRUB developers had 0 days to develop a patch because it was already known from the outside. They can exist far longer and still be zero-day.