According to Canonical’s latest Ubuntu Security Notice, there appears to be a zero-day security vulnerability in the GRUB2 (GNU GRand Unified Bootloader) packages, affecting all GNU/Linux distributions running 2.02 Beta.
The security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages, which did not correctly handle the backspace key when the bootloader was configured to use password-protected authentication, thus allowing a local attacker to bypass GRUB’s password protection.
Canonical confirms that the security issue affects all supported Ubuntu Linux operating systems, including Ubuntu 15.10 (Wily Werewolf), Ubuntu 15.04 (Vivid Vervet), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin), as well as their derivatives, urging users to update their GRUB2 packages immediately.
“A vulnerability in GRUB2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer,” said Hector Marco.
All GNU/Linux distributions are affected
All users of GNU/Linux distributions who have GRUB2 installed as the default bootloader and use password protection are urged to update to the latest GRUB2 version available at the moment of writing this article. It currently looks like only a few OSes have received the patched GRUB2 versions, but a new GRUB2 version is now in the testing repositories of Arch Linux.
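To check whether a host falls into that group, the following added example (not part of the original article or of GRUB) reads a grub.cfg on standard input and reports the configured superusers and the number of plain-text and hashed password entries, since both kinds are affected. The function name `grub_auth_audit` and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a GRUB2 configuration uses password protection.
# Reads grub.cfg text on stdin and prints a one-line summary.
# Exit status: 0 = superusers and at least one password entry are configured
#                  (the setup the advisory applies to),
#              1 = no password protection found.
# Typical use on Debian/Ubuntu, as root: grub_auth_audit < /boot/grub/grub.cfg
grub_auth_audit() {
    awk -v q="'" '
        # Skip comments and blank lines.
        /^[ \t]*(#|$)/ { next }

        # "set superusers=..." names the accounts that must authenticate.
        /^[ \t]*(set[ \t]+)?superusers=/ {
            v = $0
            sub(/^[^=]*=/, "", v)   # keep only the value
            gsub(/"/, "", v)        # strip double quotes
            gsub(q, "", v)          # strip single quotes
            if (v != "") supers = v
            next
        }

        # Plain-text entry:  password USER PASSWORD
        $1 == "password"        { plain++ }
        # Hashed entry:      password_pbkdf2 USER HASH
        $1 == "password_pbkdf2" { hashed++ }

        END {
            printf "superusers=%s plain=%d hashed=%d\n", \
                   (supers == "" ? "-" : supers), plain, hashed
            exit ((supers != "" && plain + hashed > 0) ? 0 : 1)
        }
    '
}

# Constructed sample configuration (not taken from a real system).
grub_auth_audit <<'EOF' || true
# /etc/grub.d/40_custom excerpt
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTED
menuentry "Ubuntu" { linux /vmlinuz }
EOF
```

An exit status of 0 means the bootloader relies on the password check, so the GRUB2 package update should be prioritised on that host.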
This zero-day GRUB2 vulnerability has numerous implications, about which you can read in detail in Hector Marco’s comprehensive report, tagged as “Grub2 Authentication Bypass 0-Day” and documented as CVE-2015-8370. Debian GNU/Linux has patched only the Squeeze LTS branch. Red Hat has also managed to patch the GRUB2 packages in the Red Hat Enterprise Linux 7 operating system.