Multiple security vulnerabilities in GRUB affect Secure Boot

The GRUB Bootloader was affected by the “BootHole” vulnerability last year, and security issues impacted its UEFI Secure Boot support. Today, multi vulnerabilities in GRUB have been made public.

GNU GRUB is a bootloader from the GNU project. GRUB is an implementation of the multi-boot specification, which allows users to have multiple operating systems in the computer at the same time, and select the operating system they want to run when the computer starts. GRUB can be used to select different kernels on the operating system partition, and it can also be used to pass startup parameters to these kernels.

The predecessor of GNU GRUB was Grand Unified Bootloader. It is mainly used in Unix-like systems; like most Linux distributions, the GNU system also uses GNU GRUB as its launcher.

Ubuntu 19.10 ZFS

This time, it was discovered that GNU GRUB has multiple vulnerabilities, and these vulnerabilities may lead to bypassing UEFI Secure Boot restrictions. Local attackers with administrative rights can use these vulnerabilities to circumvent the signature check of the GRUB2 module, thereby being able to load any GRUB2 module that has not been signed by a trusted authority, and thus bypass UEFI Secure Boot.

The following are the CVEs assigned to these different vulnerabilities:
  • CVE-2020-14372
  • CVE-2021-20233
  • CVE-2020-25632
  • CVE-2020-27779
  • CVE-2021-20225
  • CVE-2020-27749
  • CVE-2021-3418
  • CVE-2020-25647

This set of vulnerabilities is another security crisis for Secure Boot, and it is also a blow to GRUB’s reputation. Major Linux distributions are working to release updated GRUB2 signed versions.