
Linux Distros Used BootHole Vulnerability Patches.. To Destroy the Boot


BootHole is a newly disclosed vulnerability in the GRUB2 bootloader that affects Linux systems relying on UEFI Secure Boot. An attacker who already holds administrative (or physical) access to a machine can exploit it to run arbitrary code before the operating system loads, defeating Secure Boot and gaining persistent control of the host.

Patches for many Linux distributions shipped before the weekend to fix the issue. However, after applying the patches and rebooting, many users report that their systems no longer boot at all.

Distributions were affected differently because their bootloader packaging differs: some failed only on UEFI Secure Boot systems, whereas others failed only on legacy BIOS systems.

[Image: BootHole patch issue after reboot; image by Nathaniel Graham, who reported the bug on openSUSE Tumbleweed]

The issue is more serious still because it also affects virtual machines on cloud and DevOps platforms such as Hyper-V, Amazon EC2 and Microsoft Azure, and on most other hypervisors.

The current status is as follows:

  • Red Hat/CentOS/Fedora: All affected, on both UEFI Secure Boot and legacy BIOS systems. Red Hat has released an update that fixes the issue but still classifies it as “unverified”, so more testing is needed to confirm it works. It is worth noting that Red Hat was the first to catch the issue but the last to patch it.
  • Ubuntu/Debian: Many users report that the bug affects only legacy BIOS boot, not systems running UEFI Secure Boot. A fix was released anyway, and users can safely upgrade.
  • openSUSE/SUSE: The original patch caused no regression for most users. Some users reported that the update broke their systems, but that has yet to be confirmed. SUSE has not released an update to fix a regression (and has not even mentioned discovering one).
  • Gentoo/Arch: No regressions have been reported; users can safely upgrade.

Honestly speaking, this is a major failure for most Linux distributions: had this happened on Windows, Linux users would have memed Microsoft for years to come. A deep look is needed into why no QA team across the Linux distributions caught the issue before the update was released to the world, especially at enterprise distributions like Red Hat.

One can also be concerned about novice users, who do not know how to downgrade packages or otherwise repair their systems once this happens. Recovery generally means booting from rescue media, mounting and chrooting into the installed system, and then either downgrading the bootloader packages to the previous versions or reinstalling the bootloader to the boot device before rebooting.
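A practical first step for someone whose machine stopped booting after the update is to find out exactly which bootloader packages changed, so they can be pinned back. The script below is an added example, not code from the article or from any distribution: it reads a log in Debian/Ubuntu `/var/log/dpkg.log` format (the log lines, package names and version strings are constructed for illustration), lists the GRUB/shim/EFI packages upgraded on a given day, and prints the `apt-get` commands that would restore the previous versions. On RPM-based systems the same information comes from `rpm -qa --last` and the rollback from `dnf downgrade`.

```shell
#!/bin/sh
# Added example (not from the article or any distribution): triage a broken
# boot after a bootloader update by listing which boot-critical packages were
# upgraded on a given day and printing the apt commands that pin them back.
# Intended to be run from rescue media after chrooting into the installed system.

# Constructed sample in /var/log/dpkg.log format:
#   <date> <time> upgrade <pkg>:<arch> <old-version> <new-version>
SAMPLE_DPKG_LOG='2020-07-30 10:12:01 upgrade libc6:amd64 2.31-0ubuntu9 2.31-0ubuntu9.1
2020-07-30 10:12:05 upgrade grub-common:amd64 2.04-1ubuntu26 2.04-1ubuntu26.1
2020-07-30 10:12:06 upgrade grub-pc:amd64 2.04-1ubuntu26 2.04-1ubuntu26.1
2020-07-30 10:12:07 upgrade grub-pc-bin:amd64 2.04-1ubuntu26 2.04-1ubuntu26.1
2020-07-30 10:12:08 upgrade shim-signed:amd64 1.37~18.04.3 1.37~18.04.4
2020-07-30 10:12:09 upgrade vim:amd64 2:8.1.2269-1ubuntu5 2:8.1.2269-1ubuntu5.1
2020-07-29 09:00:00 upgrade grub-efi-amd64-bin:amd64 2.04-1ubuntu25 2.04-1ubuntu26'

# Report whether the running system booted via UEFI or legacy BIOS, and the
# Secure Boot state when mokutil is installed (both are standard checks).
boot_mode() {
    if [ -d /sys/firmware/efi ]; then
        printf 'uefi'
        command -v mokutil >/dev/null 2>&1 && printf ' (%s)' "$(mokutil --sb-state 2>/dev/null | head -n 1)"
        printf '\n'
    else
        printf 'bios\n'
    fi
}

# boot_pkgs_upgraded_on LOGTEXT DAY
# Prints "package old-version new-version" for every GRUB/shim/EFI package
# upgraded on DAY (YYYY-MM-DD); other packages and other days are ignored.
boot_pkgs_upgraded_on() {
    printf '%s\n' "$1" | awk -v day="$2" '
        $1 == day && $3 == "upgrade" && $4 ~ /^(grub|shim|efi)/ {
            sub(/:[^:]*$/, "", $4)     # drop the ":amd64" architecture suffix
            print $4, $5, $6
        }'
}

# downgrade_commands LOGTEXT DAY
# Turns that list into apt-get invocations pinning each package to the version
# it had before the update (apt refuses downgrades without --allow-downgrades).
downgrade_commands() {
    boot_pkgs_upgraded_on "$1" "$2" |
        awk '{ printf "apt-get install --allow-downgrades %s=%s\n", $1, $2 }'
}

echo "boot mode: $(boot_mode)"
echo "bootloader packages upgraded on 2020-07-30:"
boot_pkgs_upgraded_on "$SAMPLE_DPKG_LOG" 2020-07-30
echo "to roll back:"
downgrade_commands "$SAMPLE_DPKG_LOG" 2020-07-30
```

Against a real system, feed it the live log instead of the sample, for example `downgrade_commands "$(cat /var/log/dpkg.log)" "$(date +%F)"`, and review the printed commands before running them. After downgrading, reinstall the bootloader to the boot device (`grub-install` on legacy BIOS systems) before leaving the chroot, so that the GRUB files on disk and the installed boot image agree again.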

1 Comment
Bill Gates

The important thing is to never blame DevOps. Sure, a turd came out the end of the pipeline that real testing by users would have caught but you still can't blame the morons who make me do a terabyte of needless updates every week.
