A new rootkit vulnerability called "BootHole" has been discovered by security researchers in devices that use the GRUB boot loader (common in dual-boot setups with Linux or another OS). Rootkits that take over PCs during initial boot-up are less frequent than they were years ago, thanks to improvements by Microsoft and the newer UEFI standards; however, multi-boot setups can introduce issues like the new threat described below.


Microsoft on Wednesday issued Security Advisory ADV200011 concerning a security bypass vulnerability for the Secure Boot protection scheme in machines using the Grand Unified Boot Loader (GRUB).  GRUB, currently at version 2, is used in Linux operating system distributions. However, the vulnerability (CVE-2020-10713) is present in all Unified Extensible Firmware Interface (UEFI) client and server machines “where Secure Boot trusts the [Microsoft] third-party UEFI CA [certificate authority],” the advisory noted.
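The exposure condition the advisory states, Secure Boot enabled and the firmware trusting Microsoft's third-party UEFI CA, can be checked from a Linux shell. The script below is an added example, not code from the article, from Microsoft's advisory or from Eclypsium. It assumes `mokutil --sb-state` (shim tools) and `efi-readvar -v db` (efitools) are installed, and that the third-party CA in question is the certificate named "Microsoft Corporation UEFI CA 2011"; the sample tool outputs embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added BootHole exposure check (example code, not from the article or vendors).
# Assumptions: `mokutil --sb-state` prints "SecureBoot enabled|disabled" and
# `efi-readvar -v db` dumps the certificates in the UEFI signature database,
# including the subject of the "Microsoft Corporation UEFI CA 2011" when present.
# Caveat: this only tests the trust condition; it does not inspect the dbx
# revocation list, so it reports a precondition, not whether a fix is applied.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_SB_ON='SecureBoot enabled'
SAMPLE_SB_OFF='SecureBoot disabled'
SAMPLE_DB_THIRD_PARTY='Variable db, length 1600
db: List 0, type X509
    Signature 0, size 1500, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root'
SAMPLE_DB_OEM_ONLY='Variable db, length 900
db: List 0, type X509
    Signature 0, size 800, owner 00000000-0000-0000-0000-000000000000
        Subject:
            O=Example OEM, CN=Example OEM Secure Boot Signing CA (constructed)'

# Return 0 when the mokutil output says Secure Boot is enabled.
sb_enabled() {
  printf '%s\n' "$1" | grep -q 'SecureBoot enabled'
}

# Return 0 when the db dump lists Microsoft's third-party UEFI CA.
db_trusts_third_party_ca() {
  printf '%s\n' "$1" | grep -q 'CN=Microsoft Corporation UEFI CA 2011'
}

# Classify exposure from the two tool outputs; prints one token.
boothole_exposure() {
  sb_out="$1"
  db_out="$2"
  if ! sb_enabled "$sb_out"; then
    # Secure Boot is off: there is no Secure Boot protection to bypass,
    # which is its own (larger) problem but not the advisory's condition.
    echo "secure-boot-off"
  elif db_trusts_third_party_ca "$db_out"; then
    # Secure Boot on and the firmware trusts the CA behind third-party
    # boot loaders: exactly the population the advisory describes.
    echo "exposed"
  else
    echo "not-trusting-third-party-ca"
  fi
}

# Live run on this machine, skipped when the tools are not installed.
if command -v mokutil >/dev/null 2>&1 && command -v efi-readvar >/dev/null 2>&1; then
  boothole_exposure "$(mokutil --sb-state 2>/dev/null)" "$(efi-readvar -v db 2>/dev/null)"
fi
```

Run it as root on the machine to be checked; `efi-readvar` needs access to the efivars filesystem. A result of `exposed` means the machine is in the population the advisory covers and should receive the vendor's dbx and boot loader updates.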

A successful attack using the vulnerability permits attackers to “run arbitrary boot code on the target device,” which enables them to load “executables and drivers” on the device. It essentially would let attackers bypass Secure Boot, a protection scheme in UEFI-based machines, early on championed by Microsoft, that was designed to prevent malware from loading at the boot-process level. Such malware is typically called a “rootkit.”

The discoverers of the vulnerability, Portland, Ore.-based device security firm Eclypsium, aptly dubbed this vulnerability “BootHole.”  Eclypsium researchers are planning to talk about BootHole in a coming online presentation, starting on Aug. 5, with sign-up accessible at this page.  In a must-read description of both Secure Boot and the BootHole flaw, Eclypsium indicated in a blog post that most devices, Linux-based or otherwise, are subject to these exploits: