A new zero-day vulnerability was discovered for the Grub bootloader that allows attackers to bypass Grub password authentication. A security notice released by researchers Hector Marco & Ismael Ripoll states that Grub versions 1.98 (December, 2009) through 2.02 (December, 2015) are affected by this bug. All Linux users should immediately check if a new version of Grub is available that resolves this vulnerability.

Press Backspace key 28 times when asked for a username
GRUB Rescue Shell

To check if your system is vulnerable, simply press the Backspace key 28 times when GRUB asks you for your username. If your machine reboots or you get a GRUB Rescue Shell, then your GRUB is affected. It should be noted that this vulnerability can only be exploited if a hacker has local access to the system. The bug (fault) in the code of GRUB is that there are two functions grub_username_get() & grub_password_get() which suffer from integer underflow fault. This means that these two functions do not check whether the value of the integer is in a certain range and this leads to the fault.

An attacker which successfully exploits this vulnerability will obtain a Grub rescue shell. Grub rescue is a very powerful shell allowing to:

  • Elevation of privilege: The attacker is authenticated without knowing a valid username nor the password. The attacker has full access to the grub's console (grub rescue).
  • Information disclosure: The attacker can load a customized kernel and initramfs (for example from a USB) and then from a more comfortable environment, copy the full disk or install a rootkit.
  • Denial of service: The attacker is able to destroy any data including the grub itself. Even in the case that the disk is ciphered the attacker can overwrite it, causing a DoS.

The main vendors of Linux distributions are already aware of the problem and a patch should soon be made available to everyone. The security researchers have also created an “Emergency Patch” in case someone wants to fix this vulnerability on a Linux distribution which hasn’t received an update till now. To patch the vulnerability manually, make sure that Git is installed on the system before entering the below commands:

$ git clone git://git.savannah.gnu.org/grub.git grub.git
$ cd grub.git
$ wget http://hmarco.org/bugs/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
$ git apply 0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch

 

Related Articles:

Signal says there is no evidence rumored zero-day bug is real

Widely used modems in industrial IoT devices open to SMS attack

Black Basta ransomware gang linked to Windows zero-day attacks

Check Point releases emergency fix for VPN zero-day exploited in attacks

QNAP QTS zero-day in Share feature gets public RCE exploit