Major Linux Distros Address “BootHole” Bug: Upgrade Your System Now


Recently, security research firm Eclypsium made public a new “BootHole” vulnerability, which affects most Linux distributions and Windows devices using GRUB2 bootloader with Secure Boot.

Since GRUB2 is the most popular and used bootloader in Linux distros, systems are now vulnerable to attacks. Even when Secure Boot is enabled, attackers can gain near-total control of the victim’s device.

However, the attack can be initiated in very limited situations where attackers must have root access to edit the GRUB2 config file. Now to mitigate BootHole flaw, operating systems using GRUB2 with Secure Boot need new signed installers and bootloaders.

Linux Distros Respond To BootHole

Fortunately, Eclypsium has already responsibly coordinated with major Linux vendors and OEMs. Hence, in response to BootHole, security teams at Red Hat have released security fixes for its several affected products and are still in process for others as well.

Debian developers are also aware of BootHole and are doing an in-depth audit of GRUB2’s source code. Since Debian 10 “buster” was the first Debian release to include support for UEFI Secure Boot, the security team has targeted including all fixes in the upcoming 10.5 point release on August 1, 2020.

Marcus Meissner, the lead of the SUSE Security Team, informed that SUSE has also released new grub2 packages that fix BootHole vulnerability for all SUSE Linux products. Alongside this, it has also released corresponding Linux kernel packages, cloud images, and installation media updates.

Speaking of the most popular Linux distros, Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, and 20.04 LTS have also received updates for GRUB2 bootloader in 2.06 from the Canonical security team.

Going further, the team has also discovered seven more vulnerabilities, including CVE-2020-14308CVE-2020-14309CVE-2020-14310CVE-2020-14311, CVE-2020-15705CVE-2020-15706, and CVE-2020-15707.

So, if you’re using any of these Linux distros with GRUB2 bootloader, you should update your system, specifically GRUB2 packages, as provided by the distro maintainers. For other Linux distros, new patches will soon arrive.

Sarvottam Kumar

Sarvottam Kumar

Sarvottam Kumar is a software engineer by profession with interest and experience in Blockchain, Angular, React and Flutter. He loves to explore the nuts and bolts of Linux and share his experience and insights of Linux and open source on the web/various prestigious portals.
More From Fossbytes

Latest On Fossbytes

Find your dream job