linux Zero-Day GRUB2 Vulnerability Hits Linux Users, Patch Available for Ubuntu, RHEL

[vissha]

Zero-Day GRUB2 Vulnerability Hits Linux Users, Patch Available for Ubuntu, RHEL

 

 

GRUB password protection can be bypassed

 

Quote

Accoding to Canonical'a latest Ubuntu Security Notice, it would appear that there's a zero-day security vulnerability in the GRUB2 (GNU GRand Unified Bootloader) packages, affecting all GNU/Linux distributions running 2.02 Beta.

 

The security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages, which did not correctly handled the backspace key when the bootloader was configured to use password protected authentication, thus allowing a local attacker to bypass GRUB's password protection.

 

Canonical confirms that the security issue affects all supported Ubuntu Linux operating systems, including Ubuntu 15.10 (Wily Werewolf), Ubuntu 15.04 (Vivid Vervet), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin), as well as their derivatives, urging users to update their GRUB2 packages immediately.

 

"A vulnerability in GRUB2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer," said Hector Marco.

All GNU/Linux distribution are affected

 

All users of GNU/Linux distributions who have GRUB2 installed as the default bootloader and use password protection are urged to update to the latest GRUB2 version available at the moment of writing this article. At the moment, it looks like only a few OSes received the patched GRUB2 versions, but a new GRUB2 version is now in the testing repositories of Arch Linux.

 

This zero-day GRUB2 vulnerability has numerous implications, which you can read in detail on Hector Marco's comprehensive report, tagged as "Grub2 Authentication Bypass 0-Day" and documented as CVE-2015-8370. Debian GNU/Linux has patched only the Squeeze LTS branch. Red Hat also managed to patch the GRUB2 packages in the Red Hat Enterprise Linux 7 operating system.

 

Source

[Holmes]

I have noticed alot of linux vulnerability this linux vulnerability that sounds like linux is not much safer then windows is and truthfully it isnt operating systems are different the code that makes them is a high level language linuxx is written in C and windows is written in C C++ and intel MAC OS X is writting in objective C if I went to mac os x or linux and decided to unpack a packed excutable I grab a hex editor a program like ollydebugger take the executable and unpack it and there we go assembly language is the same as is hexadecimal:

 

http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

 

According to that the amount of vulnerabilities in linux is higher then the amount of vulnerabilities in windows (thats a two thousand forteen report only a year off) vulnerabilities are not bias they dont target one platform and not a different one vulnerabilities are a equal opportunity attack method.

[steven36]

yep already updated it  there was update for it in Linux mint and Xubuntu 

 

At lest i didn't have to wait up too 3mths  to patch it like I would if i was on windows and one of there 0days.

[Holmes]

Three months patch tuesday is every month not three and there are zero day vulnerabilities in linux same with windows and if that many vulnerabilities are in linux in two thousand forteen how many of that incldues zero days none Im predicting and linux is just as suscepible to zero days as windows.  I know I dont use linux yet and using that mentality I dont have a right to bitch to some users thats just like saying if a spanish person does something to piss me off and I decided to not attack or punch them I dont or speak spanish NO I would punch them in there freaking head not saying Im not going to attack you I dont know spanish.

[vissha]

5 minutes ago, Holmes said:

Three months patch tuesday is every month not three and there are zero day vulnerabilities in linux same with windows and if that many vulnerabilities are in linux in two thousand forteen how many of that incldues zero days none Im predicting and linux is just as suscepible to zero days as windows.

 

Stop!!! Don't continue with the argument.

 

The final statement is all OS have vulnerabilities and it is patched in different time-interval basis. Also, don't think Windows is better than Linux or Ubuntu[especially] or TailsOS in patching vulnerabilities. I think you are not aware that Ubuntu is the secure OS than Windows and Mac OS X.

[Holmes]

Three months patch tuesday is every month not three and there are zero day vulnerabilities in linux same with windows and if that many vulnerabilities are in linux in two thousand forteen how many of that incldues zero days none Im predicting and linux is just as suscepible to zero days as windows.  I know I dont use linux yet and using that mentality I dont have a right to bitch to some users thats just like saying if a spanish person does something to piss me off and I decided to not attack or punch them I dont or speak spanish NO I would punch them in there freaking head not saying Im not going to attack you I dont know spanish.  Sometimes zero days take sometime because times when malwarebytes said there was a zero day in winrar winrar said its wasnt a zero day or a vulnerability malwarebytes admitted they were wrong that happens microsoft wants to make sure that there taking time out of there busy schedule to fix and patch yes patching is fixing if they release a patch and fix a error and it doesnt come back I guess its not fixed right wrong fix and patch the zero day.

[steven36]

When ever there's a 0day with any software has a 3mth grace period before they make the exploit public . Google got in hot water for posting exploits  before they patched them in windows last summer  . By the time its patched  it could be out 3 mths. By the time  the press gets info a patch is already out and its yesterdays news .

[Holmes]

Exactly all software is vulnerable and the three month grace period corresponds to when they can make it public I dont agree with the whole public crap who cares about the time interval make it public after microsoft fixes it dont put pressure on them WTF.  That annoys me microsoft needs a dedicated team for zero days like google has project zero that way three months bullsh*t is not forced onto them i doubt when microsoft gets a zero day team they would stop accepting zero day fixxes from google and different companies and that why they need to fix the three month crap.

[steven36]

See what happened back in the summer Google researchers  were posting exploits because M$ didn't patch them  right away instead doing on patch tues they held it off tell next patch tue . The argument  was if they post them before than hackers can exploit them.  Most exploits  that researchers  come up with  probably would never get exploited no way. Hackers come up with there own 0days  witch are being exploited in the wild and these need too patched right away not latter on.

[Holmes]

I dont fear the zero days security researchers come up with as they arent gooing to use them for nefarious purposes.  If microsoft decides to hold off on fixing a patch its not patch tuesday yet thats wrong they need to fix NOW.  I have noticed alot of zero days being discovered by security researchers over the years and the grace period crap dont get me wrong I like that the security researchers spotted the zero day in the code they reverse engineered or hacked into I just dont like the fact that they want to put users everyday users computer at risk because of this grace period crap.  They wouldnt get exploited unless a malicious attacker hack the code themselves and ended up finding the same exact one thats not going to happen if they dont make the news they ended up finding a zero day and describing it.  Finding a zero day is like finding a needle in a haystack in a way why Windoows xp had about ten million lines of code windows seven has just under forty million lines of code and windows eight my prediction is ten to twenty million additional lines of code then windows seven.

[steven36]

15 minutes ago, Holmes said:

I dont fear the zero days security researchers come up with as they arent gooing to use them for nefarious purposes.

Most likely they wouldn't  but Google would pay rewards  to anyone that comes up with and exploit . You don't know who they are not everyone in the world is out  to protect you .  If they can create exploits they could be harmful  if they wanted to be . So there's no way to know this at all.  But even if the researcher was not going to use it posting the code online  for other hackers to see can be most dangerous before its patched . Always since there was and internet long before Google  its been exploits but tell there in the wild they cant harm you .

 

That's the problem with the world  they think people , places and things are out to protect them . When most are just out to get you're money

[Holmes]

Of course google would reward them I would to.  Not everyone in the world is out out to protect you true same goes for out to get you to.  ALl exxploits are dangerous if put into the wrong hands I would prefer exploits be discovered by security researchers white hats then black hats white hats are the good guys have the possibility to be harmful as the possibility is always there the ones you have to worry about are the black hats.  The amount of time hackers in the world would have to see its posted online grab it and go use it is a very small window of opportunity.  Most hackers are out for curiosity to see if they can pull it off or money I think that unless the curiosity strikes them and they know they can pull it off and no money is involved users are fine.

[steven36]

 

2 minutes ago, Holmes said:

Of course google would reward them I would to.  Not everyone in the world is out out to protect you true same goes for out to get you to.  ALl exxploits are dangerous if put into the wrong hands I would prefer exploits be discovered by security researchers white hats then black hats white hats are the good guys have the possibility to be harmful as the possibility is always there the ones you have to worry about are the black hats.  The amount of time hackers in the world would have to see its posted online grab it and go use it is a very small window of opportunity.  Most hackers are out for curiosity to see if they can pull it off or money I think that unless the curiosity strikes them and they know they can pull it off and no money is involved users are fine.

But this topic is not about windows  but you try to make it out  to be . You try make Linux systems  seem bad  when its not .  It only took 6 days  for them  to put patch on my updater and its not generic . When it  has took M$ up too 90 days to fix there's?

 

Quote

The bug can be easily fixed just by preventing that cur_len overflows. The main vendors are already aware of this vulnerability. By the way, we have created the following "emergency patch" from the main GRUB2 git repository:

http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

 

There was a patch out 2 days ago they day it came out on the net if you  wanted to apply it. 

 

[Holmes]

I know this topic is not about windows soorry I got caught up in the thought that popped into my head.  Im not saying linux systems are bad linux is not bad Im simply saying its not as secure as some users make it out to be.  I havent really started learning linux full time yet If im going to use it I want to try to make all my applications work all my games work and watching movies and listen to music  Not all applications and games are compatible with linux some dont have linux versions.  Thats why Im kinda of hesitant to use linux for compatibility reasons.

[steven36]

13 minutes ago, Holmes said:

MoviesI know this topic is not about windows soorry I got caught up in the thought that popped into my head.  Im not saying linux systems are bad Im simply saying there not as secure as some users make them out to be.  I havent really started learning linux full time yet If im going to use it I want to try to make all my applications woork all my games work and watching movies and listen to music  Not all applications and games are compatible with linux some dont have linux versions.  Thats why Im kinda of hesitant to use linux.

Movies and music work fine on Linux . Just most of  the apps are open source ,  Only reason anyone  needs windows at home would  be to play some windows pc  games .  If you would had told me in 2014 that I was going to be Linux user I would told you was crazy.. I  was like you once . But  I don't have the money to waste on  everything I want   for windows  now all of my software is free I know longer have to buy software  or fool with cracks unless I get on my windows machine .  When I do get on windows and update my stuff I'm dieing to get back on Linux were  I fell free .

[Holmes]

The problem  is some of those open source applications are not for everyone meaning you might like them someone else might not like me Im very picky about what programs I use.  I doo have a feeling using cracks and such for software on linuxx is going to be aloot harder to find.  I buy some software not all If there is a demo of windows sooftware I try it before I buy it if there is no demo I find a hack or a crack and try it that way and I dont always buy windows software some of it is to expensive I agree the developers need to get paid for there work I dont agree about the price tag on alot of it.  Same prices go for linux well I dont know for a fact wouldnt surprise me.

[steven36]

20 minutes ago, Holmes said:

The problem  is some of those open source applications are not for everyone meaning you might like them someone else might not like me Im very picky about what programs I use.  I doo have a feeling using cracks and such for software on linuxx is going to be aloot harder to find.  I buy some software not all If there is a demo of windows sooftware I try it before I buy it if there is no demo I find a hack or a crack and try it that way and I dont always buy windows software some of it is to expensive I agree the developers need to get paid for there work I dont agree about the price tag on alot of it.  Same prices go for linux well I dont know for a fact wouldnt surprise me.

Really people don't like change is all.. the thing about opensource  vs property software if you don't like it  a program that's opensource invent  you're own . You can even build you're own O/S .

 

But people rather be slaves to the system  than accept  change  . NASA had no trouble accepting change all of there computers are Linux. Linux powers the space program meaning some of  the smartest researchers in the world uses  it . When they killed XP  instead of paying M$ NASA changed and installed Linux. So that tells me  its  people don't want to learn nothing new is all.

[Holmes]

I dont mind learning something new and I know open source programs are the sh*t thats why so many users love linux.  In my opinion they didnt kill xp thats like saying valve killed COunter-Strike one point six they have Coounter-Strike Global Offensive now all users say one point six is dead I play it there are alot of servers that use it.  I have friends and customers that use windows xp Its a solid operating system and if used properly without updates cut off users are fine Ill be getting my windows xp hard drive back from my mom next year Im going to continue using it.  Alot of users dont want to accept change I agree some choose to move to something different like linux and some choose to say f*ck it and adapt anyway.
  As for Grubtwo I have heard about grub for a long time and I see this vulnerability affects grubtwo when I bought a laptop off my friend stephanie for fifty dollars it had a partition for linux I believe it was grub I didnt know much about linux and decided to kill the partition and according to that all gnu linux distributions are affected.  I know it doesnt matter now that its patched well it says a few operating systems were patched the rest are in a new version of grubtwo repositories.

[steven36]

This was not a critical  bug no ways it was rated moderate  .  someone had to have physical access to your machine  and hit backspace key 28 times at boot  up , some people don't even use a password at boot up and anyone could log on there machine.

 

 

Quote

But realistically, if someone has physical access to your machine and has access to the boot process I doubt they’d use the grub rescue shell. If it were me I would first try booting from a USB drive and check if local disks are encrypted. If local disks are encrypted then this bug doesn’t give attackers access anyway.

 

They just like to patch anything they find i get security updates all  the time . The press always tries to make a big deal out of nothing really. I use to could get in windows xp through safe mode and delete  you're account  if you forgot you're password to fix it