Users of the popular bootloader may want to update their systems in order to mitigate the danger of this new exploit.
It’s been revealed that a series of bugs in GRUB2 compromises the chain of trust in a Secure Boot-enabled system. You can read about the full scope of the exploit here but the short of it is that arbitrary code can be executed by an attacker on virtually any system running GRUB2 and using Secure Boot. The attack allows modification of GRUB2’s configuration file and allows for privilege escalation which could potentially mean that intrusions can go undetected by booted operating systems.
Now, most of the risk comes from an attacker already having some level of privileges but this is still something that should give system administrators some pause. And while Windows systems are theoretically vulnerable as well, it’s far likelier that systems affected in the wild will be running Linux.
Researchers from Eclypsium were responsible for identifying this vulnerability and have responsibly disclosed the bug to maintainers and the wider ecosystem. Expect package updates in your distro sometime soon. Even then, updates aren’t a complete solution as the keys that Secure Boot rely upon also have to be updated and older ones blacklisted. The Debian project have a good overview of what should be done and I expect that other distributions will follow suit with their own advice on how to deal with this exploit.
GRUB2’s code has been audited since the initial disclosure and a series of other bugs have also been found in the last few weeks. While many users will ultimately be unaffected by this exploit it’s still a good reminder to keep your system up-to-date and keep an eye out for security advisories.