Recent BootHole vulnerabilities reconfirm that security functions require additional scrutiny to protect users and systems from dangerous exploits.
The recent BootHole and related vulnerabilities raise the question of whether software used for critical security functions should have special scrutiny. When a security operation fails the ramifications are considerable, especially when the security process is widely distributed. Heartbleed, a critical vulnerability found in the OpenSSL library, is an example and BootHole is the most recent.
The BootHole vulnerability was discovered by Eclypsium in April 2020 but was not disclosed until July 28. It took nearly four months to remediate because many stakeholders were involved. The Eclypsium researchers found a buffer overflow in GRUB2 (GRand Unified Bootloader version 2), which is the default bootloader in most Linux OS distributions. Gaining control of a bootloader is an ultimate prize for attackers (and their malware) because it provides persistent access to a device.