A pair of Spanish cybersecurity researchers have discovered a Linux vulnerability that could allow anyone with physical access to a system to log in without a password and launch a variety of attacks. The vulnerability, found in versions of the commonly used Grub2 (GNU Grand Unified Bootloader) bootloader released since 2009, can be exploited by hitting the backspace key 28 times. Named CVE-2015-8370, the vulnerability has a medium severity rating, according to the National Institute of Standards and Technology’s National Cyber Awareness System notice. The bug can be easily fixed, according to the researchers who discovered it, and a number of patches are now available.
Introduced into the Grub code in December 2009, the vulnerability has raised some suspicions that it might be the work of the National Security Agency or a similar organization. A commenter on reddit’s Linux thread, for instance, noted, “This is exactly the kind of highly-useful bug with plausible deniability that I’d expect to be introduced ‘accidentally by governmental agencies’s agents.”
‘Incalculable Number of Affected Devices’
Hector Marco-Gisbert and Ismael Ripoll, members of the cybersecurity group at Spain’s Polytechnic University of València, published their description of the Grub2 authentication bypass zero-day vulnerability on December 14, several days after disclosing it to CCN-CERT, the Spanish National Cryptologic Center.
“Grub2 is the bootloader used by most Linux systems including some embedded systems,” Marco-Gisbert and Ripoll said in their description of the vulnerability. “This results in an incalculable number of affected devices.”
The researchers said they were able to exploit the vulnerability using QEMU (short for Quick Emulator) running Debian 7.5. The bug allowed them to obtain a Grub rescue shell, from which they could gain entry to the system without a username or password, and potentially introduce malware, destroy data or launch a denial-of-service attack.
Easy Check for Bug
Users can quickly and easily check for the vulnerability in their systems by pressing the backspace key 28 times when Grub asks for a username, according to Marco-Gisbert and Ripoll. “If your machine reboots or you get a rescue shell then your Grub is affected,” they said.
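The article does not describe the underlying defect. The researchers' own write-up attributed it to an integer underflow in Grub2's username and password line reader: a backspace pressed on an empty line decremented the unsigned length counter below zero, so the later null-terminator write landed far outside the buffer. The C program below is added here as an illustration and is not taken from GRUB's source or from the article; it reconstructs that pattern in a toy line editor (the buffer size, the `line_result` struct and the function names are made up) and places the unchecked reader beside the one-line check that the fix amounts to. The unchecked variant flags, rather than performs, the out-of-bounds terminator write, so the program runs safely.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32   /* constructed buffer size for the toy editor */

/* Result of reading one line: the buffer, the final cursor index, and a
 * flag recording whether the terminator write fell outside the buffer. */
typedef struct {
    char buf[BUF_SIZE];
    size_t cur_len;
    int oob_write;
} line_result;

/* Shared key-handling loop. 'checked' selects whether backspace on an
 * empty line is ignored (1) or blindly decrements the counter (0).
 * Printable keys append, '\b' erases the previous key, '\n' ends input. */
static line_result read_line(const char *keys, int checked)
{
    line_result r;
    memset(&r, 0, sizeof r);

    for (; *keys; keys++) {
        char key = *keys;
        if (key == '\n')
            break;
        if (key == '\b') {
            if (checked) {
                if (r.cur_len > 0)   /* the fix: never go below zero */
                    r.cur_len--;
            } else {
                r.cur_len--;         /* wraps to SIZE_MAX when already 0 */
            }
            continue;
        }
        if (r.cur_len < BUF_SIZE - 1)
            r.buf[r.cur_len++] = key;
    }

    /* The original code wrote buf[cur_len] = 0 here unconditionally.
     * We only perform the write when it is in bounds and otherwise
     * record that it would have been out of bounds. */
    if (r.cur_len < BUF_SIZE)
        r.buf[r.cur_len] = '\0';
    else
        r.oob_write = 1;
    return r;
}

/* Vulnerable variant: backspace decrements without a zero check. */
line_result read_line_unchecked(const char *keys) { return read_line(keys, 0); }

/* Hardened variant: backspace on an empty line is a no-op. */
line_result read_line_checked(const char *keys) { return read_line(keys, 1); }

/* Build a constructed keystroke sequence of n backspaces followed by Enter. */
void backspaces_then_enter(char *out, size_t n)
{
    memset(out, '\b', n);
    out[n] = '\n';
    out[n + 1] = '\0';
}

int main(void)
{
    char keys[64];
    backspaces_then_enter(keys, 28);   /* the 28 presses from the advisory */

    line_result bad = read_line_unchecked(keys);
    line_result good = read_line_checked(keys);
    printf("unchecked: cur_len=%zu oob_write=%d\n", bad.cur_len, bad.oob_write);
    printf("checked:   cur_len=%zu oob_write=%d\n", good.cur_len, good.oob_write);

    line_result edit = read_line_checked("root\b\bot\n");
    printf("checked edit of \"root\\b\\bot\": \"%s\"\n", edit.buf);
    return 0;
}
```

The counter is `size_t` here, as GRUB's was unsigned: decrementing zero is well-defined wraparound, not a crash, which is why the bug went unnoticed until the terminator write was examined. Any input loop that pairs an append path with an erase path should test the erase path on an empty buffer.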
In addition to fixes being made available by GNU/Linux vendors, an emergency patch was also posted by the researchers on the main Grub2 Git repository. Any GNU/Linux user with Grub2 using password protection should update to a patched version, even though the attack described by the researchers is not easily launched without physical access to a system and could require significantly different approaches on different systems.
“As can be seen, the successful exploitation depends on many things: the BIOS version, the GRUB version, the amount of RAM, and whatever that modifies the memory layout,” Marco-Gisbert and Ripoll noted. “And each system requires a deep analysis to build the specific exploit.”