HPSBHF03678 rev. 2 - GRUB2 Bootloader Arbitrary Code Execution

Document ID: HP:C06707446
Published: Jul 25, 2020
HP Product Security Response Team (support.hp.com)


Potential Security Impact

Arbitrary Code Execution

Source: HP, HP Product Security Response Team (PSRT)

Reported By: Eclypsium, Inc.

VULNERABILITY SUMMARY

HP has been informed of a potential security vulnerability in GRUB2 bootloaders commonly used by Linux. This vulnerability, known as “There’s a Hole in the Boot” (also nicknamed “BootHole”), could allow bypass of UEFI Secure Boot and allow arbitrary code execution.

Additional GRUB2 vulnerabilities found in response to the initial report were included in the coordinated public disclosure.

More information on the vulnerabilities can be found in the Eclypsium blog: <https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/> (external site, in English).

> Note:
>
> Computers running Windows are vulnerable as long as they allow booting vulnerable versions of GRUB2.

On March 2, 2021, additional GRUB2 vulnerabilities were disclosed. Information on these vulnerabilities is available in the advisories from the OS vendors listed below.

RESOLUTION

HP PCs will require an update to the Secure Boot Forbidden Signature Database (dbx) with the latest UEFI Revocation List File to prevent loading affected bootloaders and shims identified in the revocation list. HP has identified the affected platforms in the list below.

For Windows users, HP will use the industry-wide solution that will be released from Microsoft as detailed in Microsoft Guidance for Addressing Security Feature Bypass in GRUB (see above for the link to Security Advisory ADV200011).

For Linux users, distribution vendors will provide mitigated shims and GRUB2 bootloaders, as well as tools to update the dbx. Customers who install Linux on their platforms should check with their OS vendor on updates (see the links above).
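The dbx update described above works by appending entries to the Secure Boot Forbidden Signature Database; the firmware refuses to load any PE image whose SHA-256 hash (or signing certificate) appears there. The following parser is an added example, not HP's, Microsoft's or any distribution's tooling: it walks the EFI_SIGNATURE_LIST structures that make up a dbx variable and answers the defender's question "is this bootloader hash already revoked on this machine?". The signature-type GUIDs and the structure layout are from the UEFI specification; the owner GUID and the three image hashes are constructed placeholders so the block runs offline.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
# EFI_CERT_SHA256_GUID: each entry is the SHA-256 hash of a PE image
# (this is how dbx revokes individual GRUB2/shim binaries).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_CERT_X509_GUID: each entry is a DER certificate (revocation by signer).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Size of the fixed EFI_SIGNATURE_LIST header: GUID + three UINT32 fields.
LIST_HEADER_SIZE = 16 + 4 + 4 + 4


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every entry in a dbx blob.

    Layout of one EFI_SIGNATURE_LIST:
      SignatureType       GUID   (16 bytes, stored little-endian/mixed)
      SignatureListSize   UINT32 (whole list, header included)
      SignatureHeaderSize UINT32
      SignatureSize       UINT32 (size of one EFI_SIGNATURE_DATA entry)
      SignatureHeader     [SignatureHeaderSize bytes]
      Signatures[]        each = SignatureOwner GUID (16) + SignatureData
    Several lists are simply concatenated in the variable.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject lists that claim more bytes than exist or entries too small
        # to hold the owner GUID; a malformed list must not be silently skipped.
        if (list_size < LIST_HEADER_SIZE + hdr_size or sig_size < 16
                or off + list_size > len(blob)):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST at offset %d" % off)
        entries_start = off + LIST_HEADER_SIZE + hdr_size
        entries_end = off + list_size
        if (entries_end - entries_start) % sig_size != 0:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for e in range(entries_start, entries_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[e:e + 16])
            yield sig_type, owner, blob[e + 16:e + sig_size]
        off = entries_end


def revoked_sha256_hashes(blob: bytes):
    """Set of lowercase hex SHA-256 image hashes revoked by the blob."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_image_revoked(blob: bytes, image_sha256_hex: str) -> bool:
    """True if a PE image with this SHA-256 (hex) is forbidden by the blob."""
    return image_sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(hashes, owner: uuid.UUID) -> bytes:
    """Assemble one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct sample input)."""
    sig_size = 16 + 32                       # owner GUID + SHA-256 digest
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HEADER_SIZE + len(body), 0, sig_size)
    return header + body


# Constructed sample data (placeholder owner GUID, placeholder image hashes).
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_HASHES = [hashlib.sha256(b"constructed sample image %d" % i).hexdigest()
                 for i in range(3)]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES, SAMPLE_OWNER)

if __name__ == "__main__":
    print("revoked entries:", len(revoked_sha256_hashes(SAMPLE_DBX)))
    print("sample image 0 revoked:", is_image_revoked(SAMPLE_DBX, SAMPLE_HASHES[0]))
```

To run this against a live system, pass the real variable contents: on Linux, read `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and skip the leading 4-byte attribute word before parsing, or compare against the output of `mokutil --dbx`; on Windows, `Get-SecureBootUEFI -Name dbx` returns the same bytes. Hash the bootloader with SHA-256 over its PE Authenticode range (not the raw file) before looking it up, which is what the firmware does; the parser deliberately raises on a truncated or inconsistent list rather than returning "not revoked" for a blob it could not fully read.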

Additional mitigation strategy:

For certain HP business platforms, customers can disable the MS UEFI CA Key in HP Computer Setup. Disabling the MS UEFI CA key will prevent loading of third-party devices signed by that key. Before applying any changes to this setting, be sure to have your BitLocker Recovery Key available and suspend BitLocker.