An inside look at CVE-2020-10713, a.k.a. the GRUB2 “BootHole”

Scrutiny of the GRUB2 source code led to the discovery of the BootHole vulnerability, which can be used to boot untrusted operating systems.

In early April 2020, we, the GRUB2 maintainers, were approached by security researchers from Eclypsium. The researchers had discovered an issue with a CVSS Base Score of 8.2 (“High”) in the GRUB2 script parser. This vulnerability could be used to bypass UEFI Secure Boot and to load an unsigned operating system. Our analysis of this vulnerability revealed that fixes were required in multiple layers of the boot-time chain of trust. In addition to the GRUB2 fixes, we would also require fixes to the shim layer, the Linux kernel, fwupd and the entire UEFI Secure Boot signing process. OS and hardware vendors would need to revoke the security certificates of older, unpatched programs.