Grub2 Bootloader Security Bug Provides Password Bypass on GNU/Linux OS
Another major security vulnerability has hit the open source ecosystem following the announcement that an "incalculable number" of Linux-based systems can be hacked via a bootloader bug.
The bug, which security researchers disclosed on Dec. 10, affects systems that use Grub2, the current version of the GRUB bootloader. GRUB is the part of the system that runs soon after users turn on the computer. Its job is to load the Linux kernel or whichever other operating system (or a bootloader for it, as the case may be) users select.
On affected devices, pressing the backspace key twenty-eight times allows an attacker to bypass authentication mechanisms that have been set up to secure the system. This allows the attacker to gain access to a rescue shell without having to enter a password. From there, it’s possible to remove the authentication system entirely and then boot to the operating systems installed to disk, from which the attacker would have full access to all data on the system.
The bad news is that Grub2, as the default bootloader that ships with most mainstream GNU/Linux distributions, is widely used on devices that run open source platforms. That means lots and lots of devices — indeed, an “incalculable number,” according to the researchers who reported the bug — could be subject to this attack.
But there’s good news, too. The attack requires physical access to a device. It’s not something that can be executed remotely over the Internet.
Plus, most people don’t set up a password for the bootloader in the first place. It seems a safe bet that the vast majority of systems, despite running Grub2, would not actually be at risk from this bug because they would have nothing to exploit.
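Because only machines with a bootloader password have an authentication prompt to bypass, a quick triage step is to check which hosts actually enable Grub2 authentication. The following is an added example, not part of the original article or of GRUB itself: it parses the text of a generated `grub.cfg` (the file's location varies by distribution) for the `superusers` variable and the `password` / `password_pbkdf2` commands. The function name and the sample configs are constructed for illustration.

```python
import re
import shlex

# Constructed sample configs (not from a real host; the hash is a placeholder).
SAMPLE_PROTECTED = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1
}
"""
SAMPLE_OPEN = """\
set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1
}
"""

def grub_auth_status(cfg_text):
    """Report whether a grub.cfg enables GRUB2 authentication (superusers set)."""
    superusers, password_cmds = [], {}
    for raw in cfg_text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quotes: skip the line
            continue
        if not tokens:
            continue
        # Accept both `set superusers=...` and a bare `superusers=...`.
        assign = tokens[1] if tokens[0] == "set" and len(tokens) > 1 else tokens[0]
        if assign.startswith("superusers="):
            value = assign.split("=", 1)[1]
            # GRUB accepts space, comma, semicolon, pipe or ampersand separators.
            superusers = [u for u in re.split(r"[ ,;|&]+", value) if u]
        elif tokens[0] in ("password", "password_pbkdf2") and len(tokens) >= 3:
            password_cmds[tokens[1]] = tokens[0]
    return {
        "auth_enabled": bool(superusers),
        "superusers": superusers,
        "no_password_entry": [u for u in superusers if u not in password_cmds],
        "plaintext_password": sorted(u for u, c in password_cmds.items() if c == "password"),
    }

if __name__ == "__main__":
    for name, cfg in (("protected", SAMPLE_PROTECTED), ("open", SAMPLE_OPEN)):
        print(name, grub_auth_status(cfg))
```

A host where `auth_enabled` is true relies on the Grub2 password prompt and should be first in line for the fixed bootloader package; a host where it is false has no bootloader authentication for this bug to bypass.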
It’s worth keeping in mind, too, that any attacker with physical access to a computer, no matter which operating system or bootloader it has installed, can usually get at the data easily enough anyway. The attacker could, for example, just take the hard disk out and plug it into another machine. Full-disk encryption is a defense against this vulnerability, but few people encrypt their disks.
All the same, this is a significant security bug since it could theoretically impact hundreds of millions of devices. Its disclosure is the latest reminder to the open source community that — as Linus Torvalds himself put it recently, to the Washington Post’s consternation — perfect security is impossible.