ohmc.rgibson
Lurker
Joined: Oct 05, 2015 1:26 pm
Full Name: Rob Gibson

Weekly Newsletter is Misleading

Post by ohmc.rgibson »

I have been looking for contact information for Anton Gostev, but I have been unable to find any; I would have posted this privately.

I love the Veeam B&R product and am working on obtaining a requisition to nearly double our investment in the software, but I am a disappointed customer from a communications standpoint.

I received this week's newsletter regarding a 0-day exploit for Grub2 which can be exploited by simply pressing the backspace key 28 times. The link provided in the body of the message did offer an objective and accurate representation of the actual vulnerability.

What a rubbish piece of FUD reporting this summary in the newsletter was...

Let me review a few key points:

1. This bug is not in "Linux" but in the most commonly used bootloader in Linux distributions. They are separate components.
2. This CVE requires that the user use a password during the bootloader process. This is very unlikely. Servers are generally configured to reboot without a password, and laptops are generally protected by a passphrase for filesystem encryption, not at the bootloader stage.
3. This bug is a LOCAL exploit only. Most security researchers will tell you that if someone has access to the local console (either via physical console or virtual via VMware, Hyper-V, VirtualBox), you're too late anyway. If they reboot to break Grub, they can just boot to another bootloader (via USB, optical disc, etc.) or remove the HDD to another system altogether.

Does this bug need wide reporting? Yes.
Is this a silly bug for folks to laugh at? Sure.
Is this bug the worst vulnerability of all time? No.

Responsible sysadmins (generally your target audience via this newsletter) are going to have already patched the problem, as the fix has already been released in all of the major distributions. Home users are generally unlikely to even be affected based on item 2 of my bullet points.

Due to this misleading click-bait of a summary, I now have to spend another 30 minutes of my day explaining to my boss and our InfoSec team why this is not a problem.
Gostev
Chief Product Officer
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Weekly Newsletter is Misleading

Post by Gostev » 3 people like this post

Hi, Ron. You could have just replied to the digest email, or sent me a private message on these forums ;)

I am happy to hear this vulnerability is not a concern in your specific environment.

However, there are high security environments which lock down boot loader access to prevent unauthorized disk content access, installation of rootkits such as keyloggers, credit card number monitors etc. by data center staff, and they would be affected by this vulnerability. In fact, some of them are legally obliged to ensure such access is locked down, and are required to take immediate action to enforce this (for example, financial institutions).

Besides, since Grub2 is the bootloader used by most Linux systems including embedded systems (think public terminals), we are talking about a potentially huge number of affected devices. So, I feel this vulnerability is extremely important to be aware of at least for some of our customers.

Based on the summary towards the end of your post, we agree on most points anyway? Note that I never said this bug is the worst vulnerability of all time. I did say it is the most epic, because this issue clearly demonstrates that the whole pitch of Linux being more secure "because it is open source, and thousands of people can immediately see and fix the issue (unlike with Windows)" is one big nonsense. In reality, even such an obvious flaw as bypassing the requirement to enter the valid password in a base component of most Linux systems (sic!) was able to remain in the open-source code for 6 years without being noticed. THIS is the point I was trying to make by "epic".

I appreciate that my pitch may have made more people nervous than necessary, but hey - better be safe than sorry. Most people would probably not even read this paragraph carefully if I did not make some strong statements (so, you are definitely right about "click-bait", this was on purpose).

Thanks!
tslattery
Lurker
Joined: Nov 09, 2012 4:40 pm
Full Name: Thom Slattery

Re: Weekly Newsletter is Misleading

Post by tslattery »

"I did say it is the most epic, because this issue clearly demonstrates that the whole pitch of Linux being more secure "because it is open source, and thousands of people can immediately see and fix the issue (unlike with Windows)" is one big nonsense."

No it does not. Your commentary on the issue is extremely embarrassing from a technical perspective and very clearly FUD. Declaring "every Linux system was far more easily exploitable than Windows 95 with no patches installed" shows that you either don't understand the issue at all or simply have an axe to grind.
ohmc.rgibson
Lurker
Joined: Oct 05, 2015 1:26 pm
Full Name: Rob Gibson

Re: Weekly Newsletter is Misleading

Post by ohmc.rgibson » 2 people like this post

My apologies for not finding either of those methods of contacting you privately; I rarely see digest mailboxes being monitored anymore.

My only whole point is that this vulnerability in the bootloader is, in one important way, meaningless.

This exploit requires local console access, and if a determined attacker has access to the local console, a password on the bootloader is a moot point.

A high-security environment which doesn't protect physical access to the console of the device is doing it wrong. It would be better to protect the installed Linux system with an encrypted filesystem.

If you are able to gain access to the local console, then you can substitute the boot loader at your leisure. Again, USB flash drive or DVD loaded with Knoppix would bypass the local Grub. If you're really worried about that level of security, then turn on TPM and lock your servers in a cage to prevent that level of access. Disable boot from USB, optical drives, and network interfaces.

And a limited-impact, local exploit is hardly: "every Linux system was far more easily exploitable than Windows 95 with no patches installed." The network isn't even available at this time, making this a very apples to oranges comparison.

To your point about a bug existing for years without a fix in open-source, you're right. It shouldn't have been there. Neither should have the NTP or OpenSSL bugs from the last two years. Problem is, fixing security on infrastructure services isn't sexy compared to the latest Javascript framework or mobile platform. I am as guilty of not assisting those projects with fixing security bugs as anyone else, but I also recognize that the pool of eyes looking at vital projects like those is very shallow. We will have items like this from time to time, and the responsible thing to do is to talk about it objectively and with the proper level of candor.
Gostev
Chief Product Officer
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Weekly Newsletter is Misleading

Post by Gostev » 1 person likes this post

@Thom If understanding of my statement really matters to you, then I have already explained above what I was trying to say. If you think it shows something else, that's fine too - but I cannot comment on your understanding of my statement.
ohmc.rgibson wrote:My only whole point is that this vulnerability in the bootloader is, in one important way, meaningless.

This exploit requires local console access, and if a determined attacker has access to the local console, a password on the bootloader is a moot point.
I think we can agree to disagree on this one.

And I just did a quick Google search, so at least I know I am not alone here - some major IT publications appear to be making almost exactly the same points I have made in my earlier post regarding the impact on locked-down systems > Vulnerability in popular bootloader puts locked-down Linux computers at risk
PC World wrote:Pressing the backspace key 28 times can bypass the Grub2 bootloader’s password protection and allow a hacker to install malware on a locked-down Linux system.

GRUB, which stands for the Grand Unified Bootloader, is used by most Linux distributions to initialize the operating system when the computer starts. It has a password feature that can restrict access to boot entries, for example on computers with multiple operating systems installed.

This protection is particularly important within organizations, where it is also common to disable CD-ROM, USB and network boot options and to set a password for the BIOS/UEFI firmware in order to secure computers from attackers who might gain physical access to the machines.

Without these boot options secured, attackers or malicious employees could simply boot from an alternative OS—like a live Linux installation stored on a USB drive or CD/DVD—and access files on a computer’s hard drive.

Of course, it’s also possible for an attacker to remove the drive and place it in another machine that doesn’t have these restrictions, but there can be other physical access controls in place to prevent that.
And I totally agree with you on the below. Commercial software ensures said "pool of eyes" and close attention to each piece of the code due to the dedicated commands. While with open-source, you are always at risk. And I am not saying this risk is necessarily unjustified (there are many benefits too, like being able to respond to a critical vulnerability immediately yourself vs. waiting for the official patch). Nevertheless, it is a very real risk that needs to be accounted for - but because it is not talked about enough, this caused a wrong perception of Linux (and other open-source OSes) being a more secure choice than Windows.
ohmc.rgibson wrote:To your point about a bug existing for years without a fix in open-source, you're right. It shouldn't have been there. Neither should have the NTP or OpenSSL bugs from the last two years. Problem is, fixing security on infrastructure services isn't sexy compared to the latest Javascript framework or mobile platform. I am as guilty of not assisting those projects with fixing security bugs as anyone else, but I also recognize that the pool of eyes looking at vital projects like those is very shallow.
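As an added example (not code from this thread or from Veeam), the following script audits a grub.cfg for the password protection the PC World quote describes: a superuser plus a PBKDF2-hashed password, and which menu entries are marked --unrestricted. The sample configs and the hash value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a grub.cfg for the password
# protection discussed above. A superuser plus a PBKDF2-hashed password makes
# GRUB2 prompt before menu edits; --unrestricted entries still boot without it.
# audit_grub_cfg FILE: prints findings, returns 0 only if both are defined.
audit_grub_cfg() {
    cfg="$1"; rc=0
    if grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "ok: superusers defined"
    else
        echo "FAIL: no 'set superusers=' line, menu edits need no password"; rc=1
    fi
    if grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg"; then
        echo "ok: PBKDF2-hashed password present"
    elif grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "WARN: plaintext 'password' directive, use password_pbkdf2"; rc=1
    else
        echo "FAIL: no password directive at all"; rc=1
    fi
    echo "info: $(unrestricted_entries "$cfg") entries bootable without a password"
    return $rc
}
# unrestricted_entries FILE: count of menuentry lines marked --unrestricted.
unrestricted_entries() {
    grep -Ec '^[[:space:]]*menuentry .*--unrestricted' "$1" || true
}
# Constructed sample configs (the hash is a placeholder, not real
# grub-mkpasswd-pbkdf2 output): an unprotected one and a locked-down one.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1
}
EOF
LOCKED_CFG=$(mktemp)
cat >"$LOCKED_CFG" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1
}
menuentry 'Rescue shell' {
    linux /vmlinuz single
}
EOF
for f in "$WEAK_CFG" "$LOCKED_CFG"; do
    echo "== $f"; audit_grub_cfg "$f" || echo "=> this config would not prompt"
done
```

This only confirms the password policy is configured; it does not verify that the patched GRUB2 package is installed, nor the firmware password and USB/optical/network boot lockdown the thread also calls for.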