New BootHole Vulnerability Revealed: Impacts 'Billions' of Devices


Level 36
Nov 10, 2017
Turns out Secure Boot is not secure

Eclypsium, a company that specializes in enterprise security solutions, revealed a new vulnerability that allows attackers to gain near-total control of Windows or Linux systems. The company says that billions of devices are vulnerable, like systems ranging from laptops, desktop PCs, servers and workstations to other types of devices, like special-purpose equipment used in industrial, healthcare, financial, and other industries.

The attack exposes a vulnerability in the UEFI Secure Boot framework that normally prevents unauthorized access to the system during boot time. By compromising Secure Boot, attackers can then use malicious UEFI bootloaders to gain unfettered access and control of the system. Luckily, this attack requires elevated privileges to exploit, which means it would be hard for outside entities to attack a system without some level of insider knowledge or having already gained access to credentials through other means.


Level 14
Jan 21, 2018
I'll add a few more articles on this story.

I'm glad to see that this topic got posted yesterday. It wasn't showing on the site when I started a similar thread with these links on this story after I did a number of searches for this topic. I guess that this thread was still waiting for approval at that time too.


Staff member
Malware Hunter
Jul 27, 2015
Due to a weakness in the way GRUB2 parses its configuration file, an attacker can execute arbitrary code that bypasses signature verification. The BootHole vulnerability discovered by Eclypsium can be used to install persistent and stealthy bootkits or malicious bootloaders that operate even when Secure Boot is enabled and functioning correctly. This can ensure attacker code runs before the operating system and can allow the attacker to control how the operating system is loaded, directly patch the operating system, or even direct the bootloader to alternate OS images. It gives the attacker virtually unlimited control over the victim device. Malicious bootloaders have recently been observed in the wild, and this vulnerability would make devices susceptible to these types of threats.

All signed versions of GRUB2 that read commands from an external grub.cfg file are vulnerable, affecting every Linux distribution. To date, more than 80 shims are known to be affected. In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable to this issue. As a result, we believe that the majority of modern systems in use today, including servers and workstations, laptops and desktops, and a large number of Linux-based OT and IoT systems, are potentially affected by these vulnerabilities. Additionally, any hardware root of trust mechanisms that rely on UEFI Secure Boot could be bypassed as well.
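Added illustration, not part of the thread and not GRUB2's own code: a hypothetical C tokenizer of the kind a bootloader uses on grub.cfg. The point the post above makes is that grub.cfg is unsigned text read by a signed loader, so a memory-safety bug in the parser is reachable by whoever can write that file; the unbounded copy is shown beside a bounded version that rejects over-long tokens instead of overrunning the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical config tokenizer, constructed for illustration only. */
#define TOKEN_MAX 32

/* Vulnerable form: copies a quoted token into a fixed buffer without
 * checking its length, so a long quoted string in the config overruns
 * 'out' (TOKEN_MAX bytes). Kept here only as the "before" of the fix. */
int read_token_unsafe(const char *line, char *out)
{
    const char *start = strchr(line, '"');
    if (!start) return -1;
    start++;
    const char *end = strchr(start, '"');
    if (!end) return -1;
    size_t len = (size_t)(end - start);
    memcpy(out, start, len);          /* no bound against TOKEN_MAX */
    out[len] = '\0';
    return 0;
}

/* Hardened form: identical parsing, but the copy is bounded by the
 * caller-supplied size and an over-long token is rejected (-2) rather
 * than silently truncated or written past the buffer. */
int read_token_safe(const char *line, char *out, size_t out_size)
{
    const char *start = strchr(line, '"');
    if (!start) return -1;            /* no opening quote */
    start++;
    const char *end = strchr(start, '"');
    if (!end) return -1;              /* no closing quote */
    size_t len = (size_t)(end - start);
    if (len >= out_size) return -2;   /* would not fit with the NUL */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Convenience wrapper: parse one line into a TOKEN_MAX buffer and
 * return the hardened parser's result code. */
int classify_line(const char *line)
{
    char buf[TOKEN_MAX];
    return read_token_safe(line, buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample config lines. */
    printf("%d\n", classify_line("set root=\"hd0,gpt2\""));                 /* 0  */
    printf("%d\n", classify_line("set root=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"")); /* -2 */
    return 0;
}
```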


Level 74
Content Creator
Malware Hunter
Aug 17, 2014