48

I just read a few articles about a new Grub vulnerability. The article said that you can bypass the password protection by pressing backspace twenty eight times.

I am a security guy and I am concerned about the vulnerability, so I would like to know what measures GNU and Linux are taking. Is there a security update/fix/patch, and can I do anything myself to keep my computer secure? I always keep my OS, web browser, and programs up to date, so will that help?

Here are the articles:

  • 4
    The link from your comment says 'Ubuntu, Red Hat, Debian and probably other distributions too, have released fixes for this flaw.' Doesn't that answer your question? Commented Dec 17, 2015 at 20:08
  • 2
    Also asked earlier at unix.stackexchange.com/questions/250028 .
    – JdeBP
    Commented Dec 17, 2015 at 22:36
  • 21
    It's an integer underflow bug where GRUB doesn't correctly check how many characters are left when you press backspace, and as a result it erases characters even though there's nothing more to erase, and by some low level black magic it manages to damage enough of its own memory to trigger an exception and bring up the rescue console while still leaving enough memory intact so that it can still work. I'll leave it to an experienced C developer to provide a detailed answer but here's a link with lots of details : hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html Commented Dec 18, 2015 at 0:55
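To make the underflow described in the comment above concrete, here is an added example (not GRUB's code and not from the linked write-up): a line reader written in the shape of GRUB's username/password prompt, with the unchecked backspace decrement beside the checked one the fix introduced. It feeds a constructed key stream of 28 backspaces plus Enter, shows `cur_len` wrapping to 0xFFFFFFE4, and computes how many bytes the trailing zero-fill would then cover. The function names `read_line`, `simulate`, `memset_length` and `feed_getkey` are assumptions for this demo; the buffer size of 1024 matches GRUB's prompt buffers. The demo deliberately skips the out-of-bounds `memset` itself so it runs without corrupting its own process.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* GRUB reads the username and password into buffers of this size. */
#define BUF_SIZE 1024u

/* Constructed key stream: 28 backspaces and then Enter, the sequence the
   articles describe. It is test input, not something captured from GRUB. */
static const char ATTACK_KEYS[] =
    "\b\b\b\b\b\b\b" "\b\b\b\b\b\b\b" "\b\b\b\b\b\b\b" "\b\b\b\b\b\b\b" "\n";

/* Stand-in for grub_getkey() (assumed name for the demo): returns the next
   key from a string, or Enter once the string is exhausted. */
struct keyfeed { const char *keys; };

static int feed_getkey(struct keyfeed *f)
{
    if (*f->keys == '\0')
        return '\n';
    return (unsigned char)*f->keys++;
}

/* Length GRUB would hand to grub_memset(buf + cur_len, 0, ...) after the
   line is read. The subtraction is unsigned, so a wrapped cur_len yields a
   length larger than the buffer itself. */
unsigned memset_length(unsigned cur_len, unsigned buf_size)
{
    return buf_size - cur_len;
}

/* Line reader in the shape of GRUB's prompt code. With fixed == 0 it
   reproduces the CVE-2015-8370 pattern: an unsigned cur_len decremented on
   backspace with no check that anything was typed. With fixed == 1 it
   applies the check the patch added. Returns the final cur_len so the
   caller can observe the wrap-around. */
unsigned read_line(const char *keys, int fixed, char *buf, unsigned buf_size)
{
    struct keyfeed f = { keys };
    unsigned cur_len = 0;

    for (;;) {
        int key = feed_getkey(&f);

        if (key == '\n' || key == '\r')
            break;
        if (key == 0x1b) {           /* Escape cancels the prompt */
            cur_len = 0;
            break;
        }
        if (key == '\b') {
            if (fixed) {
                if (cur_len)         /* patched: only erase what exists */
                    cur_len--;
            } else {
                cur_len--;           /* vulnerable: underflows at 0 */
            }
            continue;
        }
        if (!isprint(key))
            continue;
        if (cur_len + 2 < buf_size)
            buf[cur_len++] = (char)key;
    }

    /* GRUB unconditionally zero-fills the rest of the buffer here:
         grub_memset(buf + cur_len, 0, buf_size - cur_len);
       With a wrapped cur_len that writes outside buf, which is the memory
       damage the comment describes. This demo only performs the memset
       while it stays inside the buffer, so the process is never corrupted. */
    if (cur_len < buf_size)
        memset(buf + cur_len, 0, buf_size - cur_len);
    return cur_len;
}

/* Convenience wrapper using a local buffer; returns the final cur_len. */
unsigned simulate(const char *keys, int fixed)
{
    char buf[BUF_SIZE];
    return read_line(keys, fixed, buf, BUF_SIZE);
}

int main(void)
{
    unsigned v = simulate(ATTACK_KEYS, 0);
    unsigned p = simulate(ATTACK_KEYS, 1);

    printf("vulnerable: cur_len = 0x%08x, zero-fill length would be %u bytes\n",
           v, memset_length(v, BUF_SIZE));
    printf("patched:    cur_len = %u, zero-fill length is %u bytes\n",
           p, memset_length(p, BUF_SIZE));
    return 0;
}
```

With 28 backspaces the unpatched reader ends at cur_len = 0xFFFFFFE4 and would zero 1052 bytes starting far outside the buffer; the patched reader ends at 0 and zeroes exactly the 1024-byte buffer. Normal typing (for example "root" followed by one backspace) behaves identically in both versions, which is why the fix is safe to apply without side effects.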

2 Answers

100

The main thing that is happening is that the bug is being seriously overhyped.

  • Exploiting this vulnerability requires physical access to the computer during startup, and if you've got physical access, there are about a zillion ways you can bypass security.
  • The bug is about bypassing Grub2's internal password protection. Most users don't password-protect Grub2.
  • The bug is in the Grub2 bootloader. If you're using direct boot from UEFI, LILO, classic Grub, or any of the non-x86 bootloaders, you're not vulnerable to it.

If you're worried about this bug, install your distro's patch for it, but keep in mind that, except in unusual circumstances, the vulnerability doesn't actually reduce security.

  • 14
    Exploiting this vulnerability requires physical access to the computer during startup - Not necessarily. For a while I had Linux boxes attached to a serial console server that was accessible via dialup modem for OOB. If an attacker was able to bypass the console server authentication, and then wait for a reboot, or force one, they could exploit things remotely. There are also KVM over IP setups that, if improperly configured, might permit remote console access without any other physical access. Anyway, this type of setup is very uncommon these days.
    – Zoredache
    Commented Dec 18, 2015 at 18:29
36

Your question is the first I've heard of this. Based on the articles you presented though you're probably plenty safe for 2 reasons:

A) The first article you linked says that the major distros have already patched this. If you keep up to date like you said, it should be fine. If not, the same article says the researchers who found the bug have released a patch you can install yourself.

B) The attack isn't against the Linux kernel, it's against the bootloader. That means an attacker needs to have access to your machine itself, not just network access to it. So unless you have friends or family who are inclined to hack your computer while you sleep you should be safe.

Bonus) Once you have the physical access to a computer which you'd need for a hack like this (barring weird setups like network KVM switches) there are easier ways to gain control of the machine

  • 1
    Many of your popular network KVMs are built into LOMs and can also do things like attach virtual USB or CD-ROM media or adjust boot order, so if someone's got admin access to one, it's pretty much game over regardless. Commented Dec 18, 2015 at 1:26
  • 4
    Easier than pressing backspace?!?
    – wizzwizz4
    Commented Dec 18, 2015 at 15:10
  • 3
    @wizzwizz4, ...yes. If I'm given the choice between plugging in a piece of bootable media I prepared and has a known set of software vs depending on the target system to have a specific, vulnerable bootloader, I'm going to carry my own media in (or attach it over the LOM, or such). Just getting a bootloader may not buy you much -- in these modern times when you need an initramfs to load half your drivers, not every distro makes it as easy as init=/bin/sh or single. Commented Dec 18, 2015 at 16:25
  • 1
    ...now, "easy" is admittedly a thing -- not all that hardware is cheap. (Then again, if it's good enough to get a record of keystrokes pressed, cheap will do fine). Commented Dec 18, 2015 at 22:44
  • 1
    I'm actually about to be getting hardware with the latest major release of AMI's Aptio, and you just gave me some small glimmer of hope that maybe I can coax firmware-level networking into working this time. Thank you. :) Commented Dec 18, 2015 at 23:33
