It would appear that the GRUB2 bootloader contained several security vulnerabilities, including BootHole, which could allow a local attacker to bypass UEFI Secure Boot.
Developers from several popular GNU/Linux distributions coordinated the release of updates for the GRUB2 bootloader, which is used in almost all distros, allowing users to patch their systems against no less than eight security vulnerabilities. The most serious of them, dubbed BootHole (CVE-2020-10713), was discovered by Jesse Michael and Mickey Shkatov from Eclypsium.
Canonical reports today that they have been aware of the BootHole vulnerability since April 2020, and that they worked with developers from other well-known Linux distributions, such as Debian, as well as with developers from Microsoft, to mitigate the security issue and release updates for users.
But before releasing updates for the GRUB2 bootloader to address the BootHole vulnerability, Canonical’s security team decided to look for other possible vulnerabilities and discovered seven more, including CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, and CVE-2020-15707.
As you can imagine, most Linux-based operating systems that use GRUB2 as the default bootloader and support Secure Boot are affected. Therefore, many popular GNU/Linux distributions are currently in the process of releasing, or have already released, updates to mitigate these serious security vulnerabilities.
“There has also been a lot of work behind the scenes to coordinate with OEMs and other vendors who ship Ubuntu, as well as the cross-distribution coordination discussed above. All of these efforts have helped to ensure that Ubuntu and other major Linux distributions could ensure their users were also protected,” said Canonical.
To patch your Linux systems against the BootHole vulnerability and all the other recently discovered flaws, you must update the GRUB2 packages to the latest version, which should be available in the stable repositories of your favorite distro shortly.
Of course, most Linux vendors and OEMs will also have to update their systems as soon as possible, but if you’re installing a distribution on a computer using the currently available ISO releases, or have just bought a Linux computer, make sure to update it immediately after the installation.
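As an added illustration of the "update immediately" advice above (this script is not from the article or from Canonical), the following POSIX shell snippet reports whether the machine booted with UEFI Secure Boot enabled and whether the installed GRUB2 package is older than a known-fixed version. It assumes a Debian/Ubuntu system where the EFI bootloader package is named grub-efi-amd64; the fixed version string is a placeholder that you must take from your distribution's advisory, and the sample version numbers are constructed for the comparison check only.

```shell
#!/bin/sh
# Added example, not part of the article: check Secure Boot state and GRUB2
# package version on a Debian/Ubuntu-style system.

# Return 0 when version string $1 sorts strictly before $2 (GNU/busybox sort -V).
version_older() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Return 0 if Secure Boot is enabled, 1 if disabled, 2 if not a UEFI boot.
# The efivars SecureBoot file holds 4 attribute bytes followed by one data byte.
secure_boot_state() {
    var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)
    [ -n "$var" ] || return 2
    byte=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    [ "$byte" = "1" ]
}

# Installed version of the GRUB EFI package (empty if dpkg or the package is absent).
installed_grub_version() {
    dpkg-query -W -f='${Version}' grub-efi-amd64 2>/dev/null || true
}

# Placeholder: replace with the fixed version from your distro's advisory.
FIXED_GRUB_VERSION="${FIXED_GRUB_VERSION:-0.0-REPLACE-WITH-ADVISORY-VERSION}"

report() {
    if secure_boot_state; then
        echo "Secure Boot: enabled"
    elif [ $? -eq 2 ]; then
        echo "Secure Boot: not a UEFI boot (BIOS/Legacy mode)"
    else
        echo "Secure Boot: disabled"
    fi

    installed=$(installed_grub_version)
    if [ -z "$installed" ]; then
        echo "GRUB2: grub-efi-amd64 not found (non-Debian system or BIOS-only install)"
    elif version_older "$installed" "$FIXED_GRUB_VERSION"; then
        echo "GRUB2: $installed is older than $FIXED_GRUB_VERSION, update required"
    else
        echo "GRUB2: $installed is at or above $FIXED_GRUB_VERSION"
    fi
    return 0
}

report
```

Run it as root on the host to be checked; on a freshly installed or newly purchased machine, an "update required" line is the cue to run the package manager before relying on Secure Boot.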
Update 05/08/20: On some systems with pre-UEFI BIOS firmware, or with UEFI configured in Legacy mode, this GRUB2 update caused boot failures. Canonical released today updated GRUB2 packages to address the boot regressions caused by the previous versions.