[conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...

Michael Paoli Michael.Paoli at cal.berkeley.edu
Thu Jul 30 01:12:15 PDT 2020


> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: [conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...
> Date: Wed, 29 Jul 2020 19:11:00 -0700

> ----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
>
> Date: Wed, 29 Jul 2020 18:46:43 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: felton-lug at googlegroups.com
> Subject: Re: [Felton LUG] Oh boy, this doesn't look good...
> Organization: If you lived here, you'd be $HOME already.
>
> Quoting Wayne (Wayne at TradeTimer.com):
>
>> https://www.bleepingcomputer.com/news/security/boothole-grub-bootloader-bug-lets-hackers-hide-malware-in-linux-windows/
>
> Whenever I see there's a news or analysis item about Linux security at
> any popular-news IT site, including at a popular-news infosec site like
> BleepingComputer.com, I expect the news item to be misleading (if not
> mistaken in places).
>
> This particular news item seems to be basically correct, but arguably
> maybe a little misleading, depending on how one parses it.  Summary:

"severe vulnerability exists in almost all signed versions of GRUB2 bootloader"
<cough, cough>
Bug, sure.  Even a security bug.  But severe?  Come now.
So, how many hundreds of thousands, or millions or more,
computers have been taken over by bad actors by this
"severe" vulnerability.  Oh, a few research computers in a security
research lab ...
where the researchers were given unrestricted root access on these
hosts?  Uh huh.  Tell me again about how "severe" this
vulnerability is.

These may (mostly) give a better approximation of reality:
https://lists.debian.org/debian-security-announce/2020/msg00141.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10713
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/#breaking

And GRUB2 ... a great big giant bloatware featureful piece of
software.  No security bug would ever sneak into that.  I mean GNU
has never done bloatware <cough, cough> or had security bugs
<cough, cough> or other stupid bugs <cough, cough> from such
bloated software before, so why should we expect such bugs
in GRUB2?  Oh, that latest 'lil Debian update?  It only fixes
a mere 7 security bugs/issues in GRUB2 ... oh, and that's for
production ("stable") ... let alone anything that might've been
too buggy/unstable for Debian to release it to production
("stable").  And that's just the latest such GRUB2 update
from Debian.

You want severe?  How 'bout something like this:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902
https://www.kb.cert.org/vuls/id/290915
... somebody did something dumb in their software and ...
that combined with their default configuration (at least the
relevant part of which often doesn't get changed/"fixed"),
super easy remote root compromise from network ... and where these
are typically deployed, ... access from The Internet, as they're
generally used for load balancers and such on The Internet for
inbound traffic (e.g. web).  So, if y'all got an f5, and haven't
already fixed that by now, your f5 device is probably already
compromised.

So ... tell me again how any unauthenticated user on The Internet
can exploit this "severe" GRUB2 vulnerability?
This GRUB2 one severe?  Severe my <expletive deleted>.
