Is Grub2 vulnerable? (Solved!)

prcoy
Level 1
Posts: 1
Joined: Thu Apr 11, 2013 10:47 pm

Is Grub2 vulnerable? (Solved!)

Post by prcoy »

I've been reading about a "backspace" vulnerability on grub2 ver 2.02~beta2 on Debian/Ubuntu/RedHat systems.

http://lifehacker.com/you-can-break-int ... 1748370796

My Mint 17.2 Grub reads: "GNU Grub version 2.02~beta2-9ubuntu1.5" I was just wondering what the official word was here.
Maybe I'll just hit backspace 28 times and see what happens. Apparently this bug only affects local keyboard input so shouldn’t affect us basement dwellers. :lol:
Last edited by prcoy on Fri Dec 18, 2015 9:40 am, edited 1 time in total.

xenopeek
Level 24
Posts: 24263
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Is Grub2 vulnerable?

Post by xenopeek »

And they link you to the USN (Ubuntu Security Notice): http://www.ubuntu.com/usn/usn-2836-1/. It's fixed as follows:
  • Linux Mint 13: grub2-common version 1.99-21ubuntu3.19
  • Linux Mint 17.x: grub2-common version 2.02~beta2-9ubuntu1.6
You can review the changelog for the latter by searching for that package on http://packages.ubuntu.com/. For example for Trusty (Ubuntu 14.04; the package base for Linux Mint 17.x): http://changelogs.ubuntu.com/changelogs ... /changelog

That said, don't depend on a bootloader password as physical protection of your computer. Those wishing to access your files could just boot from a DVD or USB thumb drive to do so, or if that is locked down (and BIOS reset is not an option) could just remove your hard disk and attach it to another computer to access your files that way. For physical protection you'd use full disk encryption. Being able to access the GRUB rescue shell doesn't weaken that.

cecilieaux
Level 5
Posts: 565
Joined: Mon Dec 09, 2013 9:43 am
Location: Washington, D.C.

Re: Is Grub2 vulnerable?

Post by cecilieaux »

xenopeek wrote: And they link you to the USN (Ubuntu Security Notice): http://www.ubuntu.com/usn/usn-2836-1/. It's fixed as follows:
  • Linux Mint 13: grub2-common version 1.99-21ubuntu3.19
  • Linux Mint 17.x: grub2-common version 2.02~beta2-9ubuntu1.6
You can review the changelog for the latter by searching for that package on http://packages.ubuntu.com/. For example for Trusty (Ubuntu 14.04; the package base for Linux Mint 17.x): http://changelogs.ubuntu.com/changelogs ... /changelog

That said, don't depend on a bootloader password as physical protection of your computer.
Just to be clear (I didn't even know GRUB had a password):

I have
grub-install.real (GRUB) 2.02~beta2-9ubuntu1.3
Update Manager is offering as a Level 5 update
grub2 (2.02~beta2-9ubuntu1.6) trusty-security; urgency=medium
However, I have read that Canonical found a zero-day vulnerability in GRUB2 (see http://linuxg.net/canonical-has-discove ... u-systems/). They suggest updating and upgrading in the Terminal via

$ sudo apt-get update
$ sudo apt-get upgrade
What's a plain user to do?
Every time I think I'm past newbiedom something like this happens.
Linux Mint 19.2 Tina 64-bit

xenopeek
Level 24
Posts: 24263
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Is Grub2 vulnerable?

Post by xenopeek »

This is a good example of security vs stability choice that you as a user have on Linux Mint that you don't have on Ubuntu. On Linux Mint you use Update Manager to update your system. You can select which updates to apply and don't have to blindly install all updates as the Ubuntu instructions would have you do. The riskier updates—those that can leave you with an unusable system and would require more experience with Linux command line and rescue mode to fix—are marked as level 4 and 5 in Update Manager. You should generally only apply those if you know you need them to fix a problem you have, or you know how to fix it when the update causes a problem for you :wink:

Another reason this one is a good example is because in the real world almost nobody would use the GRUB password option. It's not an effective way to protect your files from those with physical access to your computer. Anybody could access your files by just booting another operating system (from DVD or USB) or attaching your hard disk to another computer. The GRUB password only protects GRUB and nothing else. To protect your files you'd use full disk encryption or home directory encryption (the former is recommended), both of which are options in the Linux Mint installer. Setting a GRUB password isn't in the Linux Mint installer for good reason—it doesn't protect your files in any way.

In short this GRUB vulnerability doesn't affect Linux Mint users unless for some reason they themselves have set up GRUB with a password and that is the only security they depend on to protect their files from those with physical access (and then again, it doesn't actually protect those files—regardless of patching the issue in GRUB).

borgward
Level 5
Posts: 729
Joined: Mon Dec 17, 2012 10:18 pm

Backspace Hack

Post by borgward »

I read about the Hack Into a Linux Computer by Hitting the Backspace 28 Times yesterday. I tried it. It did not work. Looks like the security hole was already patched. Thank you Update Manager. I frequently read about Linux security holes. It has always been my experience that they have been patched before they have been reported in the news.

cecilieaux
Level 5
Posts: 565
Joined: Mon Dec 09, 2013 9:43 am
Location: Washington, D.C.

Re: Is Grub2 vulnerable?

Post by cecilieaux »

xenopeek wrote: This is a good example of security vs stability choice that you as a user have on Linux Mint that you don't have on Ubuntu.
So, the GRUB update is not strictly necessary?

Is it unsafe?

Sorry, I'm a real doorknob about these things. I love Linux (and Mint in particular), but I have a LOT to learn.
Every time I think I'm past newbiedom something like this happens.
Linux Mint 19.2 Tina 64-bit

xenopeek
Level 24
Posts: 24263
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Is Grub2 vulnerable? (Solved!)

Post by xenopeek »

Do you have to type a password during boot to access the GRUB menu? If no then this bug doesn't affect you.
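Added example (not part of any post in this thread): a shell check that combines the two questions answered above, namely whether the installed grub2-common is at or past the fixed version quoted from the USN, and whether GRUB has a password configured at all. The function names, the `--live` switch, the `superusers` test and the `/boot/grub/grub.cfg` path are assumptions for a default Ubuntu-based install.

```sh
#!/bin/sh
# Added example, not from the thread. Fixed versions are the ones quoted above.
FIXED_MINT13='1.99-21ubuntu3.19'
FIXED_MINT17='2.02~beta2-9ubuntu1.6'

# grub_is_patched INSTALLED FIXED: succeeds if INSTALLED >= FIXED.
# dpkg's own comparison implements Debian version ordering, including
# the "~" in "2.02~beta2".
grub_is_patched() {
    dpkg --compare-versions "$1" ge "$2"
}

# grub_password_enabled CFG: succeeds if CFG defines GRUB superusers.
# GRUB only asks for a password once "superusers" is set, so a config
# without it has no password prompt for this bug to get around.
grub_password_enabled() {
    grep -Eq '^[[:space:]]*(set[[:space:]]+)?superusers=' "$1" 2>/dev/null
}

# assess INSTALLED FIXED CFG: prints a one-line verdict.
assess() {
    if grub_is_patched "$1" "$2"; then
        echo "patched"
    elif grub_password_enabled "$3"; then
        echo "unpatched, GRUB password in use"
    else
        echo "unpatched, no GRUB password configured"
    fi
}

# Live use: sh check.sh --live [fixed-version]
# Run with sudo if grub.cfg is not world-readable (assumed default path).
if [ "${1:-}" = "--live" ]; then
    installed=$(dpkg-query -W -f='${Version}' grub2-common)
    echo "grub2-common $installed"
    assess "$installed" "${2:-$FIXED_MINT17}" /boot/grub/grub.cfg
fi
```

On Linux Mint 13, pass `$FIXED_MINT13`'s value as the second argument. Only the "unpatched, GRUB password in use" verdict matches the situation xenopeek describes as affected.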

BoDill
Level 4
Posts: 391
Joined: Thu Apr 10, 2014 4:31 pm
Location: Cortland, NY

Unsecure login

Post by BoDill »

Hello,

After searching the forum unsuccessfully for some reference to the "Log in" article below, I thought I should ask if we are safe. Actually, I don't understand exactly what it means, but the question is, "Should I worry about it?".

http://www.engadget.com/2015/12/18/log- ... -28-times/

Thanks in advance,
BoDill
Last edited by xenopeek on Sun Dec 20, 2015 3:09 am, edited 1 time in total.
Reason: same topic; merged here
Desktop: OptiPlex-790 Kernel: 4.15.0-46-generic x86_64 bits: 64, Desktop: MATE 1.20.1 Distro; Linux Mint 19.1 Tessa
Laptop: Dell Latitude E6420; Linux Mint 19.1 Tessa

Cosmo.
Level 23
Posts: 17827
Joined: Sat Dec 06, 2014 7:34 am

Re: Is Grub2 vulnerable? (Solved!)

Post by Cosmo. »

What in the article has not been covered in this thread?

Do you use grub-password? Read the post by xenopeek immediately above yours.
