GNU/Linux has a massive flaw in Grub, its ubiquitous bootloader. Just by hitting a few keys, you can completely pwn a Linux box—including many embedded devices.
The “Grand Unified Bootloader” had a weird vulnerability added in 2009. Was CVE-2015-8370 introduced into GRUB2 by a government agency, such as the NSA?
If you think this has a happy ending, you haven’t been paying attention. In IT Blogwatch, bloggers pay attention.
Your humble blogwatcher curated these bloggy bits for your entertainment.
Win or die: Is there no middle ground? Rob Williams plays the game—Hitting Backspace 28 Times Grants Access To Data On Most Linux Systems:
Hector Marco & Ismael Ripoll...at the Polytechnic University of València, recently discovered a flaw...that gets triggered when the Backspace key is hit a very specific number of times.
It's very likely that your distro of choice has also rolled out an update, so [make] sure your PC is as secure as possible.
Linux is dark and full of terrors, eh? Marius Nestor looks as if he’s seen a ghost—Zero-Day GRUB2 Vulnerability Hits Linux Users, Patch Available for Ubuntu, RHEL:
All users of GNU/Linux distributions who have GRUB2 installed as the default bootloader and use password protection are urged to update.
A new GRUB2 version is now in the testing repositories of Arch Linux. ... Debian GNU/Linux has patched only the Squeeze LTS branch. Red Hat has also managed to patch...the Red Hat Enterprise Linux 7 operating system.
So who are these Spanish researchers? Hector Marco and Ismael Ripoll—Back to 28: Grub2 Authentication 0-Day:
A vulnerability in Grub2 ...versions from 1.98 (December, 2009) to 2.02...allowing local attackers to bypass any kind of authentication.
An attacker who successfully exploits this vulnerability will obtain a Grub rescue shell...a very powerful shell allowing elevation of privilege...information disclosure [or] denial of service.
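A small triage helper, added here and not taken from the researchers' advisory or any distro, that applies the two facts quoted above: the affected versions run from 1.98 through 2.02, and the bypass only matters where GRUB password protection is configured. The version-string parsing and the grub.cfg keywords it looks for are assumptions about typical `grub-install --version` output and config layout, not something the page states; the sample inputs are constructed.

```python
import re

# Affected range as stated in the advisory: GRUB2 1.98 (Dec 2009) through 2.02.
AFFECTED_MIN = (1, 98)
AFFECTED_MAX = (2, 2)

# Constructed sample inputs, not captured from a real system.
SAMPLE_VERSION = "grub-install (GRUB) 2.02~beta2-36ubuntu3"
SAMPLE_CFG = """
# constructed fragment of a grub.cfg that enables password protection
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER
"""


def parse_grub_version(text):
    """Pull (major, minor) out of text such as 'grub-install (GRUB) 2.02~beta2-36ubuntu3'.
    Pre-release suffixes (~beta2, -rc1) are ignored: a 2.02 beta counts as 2.02 here
    (assumption: the first dotted number in the string is the GRUB version)."""
    m = re.search(r"\b(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no GRUB version found in: %r" % text)
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def grub_password_enabled(grub_cfg):
    """True if grub.cfg declares superusers or a password entry, i.e. the
    password-protection precondition under which the bypass matters."""
    for line in grub_cfg.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        if re.match(r"(set\s+superusers=|password(_pbkdf2)?\s)", s):
            return True
    return False


def assess(version_text, grub_cfg):
    version = parse_grub_version(version_text)
    if not grub_password_enabled(grub_cfg):
        return "no GRUB password configured: the bypass changes nothing here"
    if version_in_affected_range(version):
        # Distros backport fixes without bumping the version, so the number alone
        # cannot prove patch status: check the package changelog for CVE-2015-8370.
        return "version %d.%02d is in the affected range: confirm the distro fix is installed" % version
    return "version %d.%02d is outside the affected range" % version


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CFG))
```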
Hmm, suspicious, right? DaGranitePooPooYouDo thinks so, too:
This is exactly the kind of highly-useful bug with plausible deniability that I'd expect to be introduced "accidentally" by governmental agencies' agents.
[I] still cannot see the commit but I've found a fragment, "b391bdb2f2c5ccf29da66cecdbfb7566656a704d, 06-Dec-2009, Vladimir 'phcoder' Serbinenko, Use dedicated simple password retriever for size of future crypto..."
He appears to have an interest in Grub and PGP. Started coding for GRUB in spring of 2009-ish.
How big an issue is this really? Not so much, thinks Froze:
If you are interacting with the boot process then you have physical access...regardless of the password in GRUB. This is security theater...breaking it is not accomplishing anything significant.
Well, yes, but no. Ever heard of multi-layered security? You can’t teach 0ld_d0g n3w_tr1ck5: [You’re fired -Ed.]
Using that logic, nobody should be required to enter a password at a local console.
"Hey guys we have this new password feature, but it's completely useless so don't use it or ever rely on it."
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or email@example.com.
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.