1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Hope this is old news GRUB2 28x Backspace bug

Discussion in 'General Linux Discussion' started by cloasters, Dec 23, 2015.

  1. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    7,835
    Likes Received:
    82
    Trophy Points:
    48
    Sorry if this is old news, if so I beg your pardon. On 16 Dec '15 "Motherboard.vice.com reported a GRUB2 bug that lets anyone with physical access to your machine simply hit "Backspace" 28 times, and presto they are in to your box. The bug has patches from Ubuntu, Red Hat and Debian. Apologies if this is ancient history or incorrect information.
  2. Gizmo

    Gizmo Chief Site Administrator Staff Member

    Joined:
    Dec 6, 2012
    Messages:
    2,146
    Likes Received:
    135
    Trophy Points:
    63
    Location:
    Webb City, Missouri
    Home page:
    A fundamental tenet of system security is that if the bad buys have physical access to your box, all bets are off. However, the problem with this particular bug is that it can also be exploited if you happen to have remote access via a serial console or lights out management (LOM) card which gives you access to the console at startup. It's quite common in enterprise environments for servers to have LOM cards, so the bug could be exploited via such a mechanism. However, LOM cards typically also provide the ability to mount remote media and manage the hardware of the system; in other words, it's almost as good as physical access to the box, and still way more than enough to compromise the system even if this bug didn't exist.

    In short, the bug is definitely something that needs to be fixed, but the only practical way to exploit it by the bad guys would mean that they already have more than enough other (and better) ways to compromise the system that it really wouldn't matter.
  3. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    7,835
    Likes Received:
    82
    Trophy Points:
    48
    Merry Christmas to everyone at Gamers on Linux!
    If I'm lucky I learn something every day. Thank you for your post, Gizmo. I'll try to never buy a LOM card!
  4. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    8,153
    Likes Received:
    595
    Trophy Points:
    113
    Location:
    Linux, Arizona
    Home page:
    I read about this as well. Hopefully it will be patched in a new kernel, but unfortunately Mint uses older kernels for compatibility.

    Merry Christmas to you all as well!
  5. Gizmo

    Gizmo Chief Site Administrator Staff Member

    Joined:
    Dec 6, 2012
    Messages:
    2,146
    Likes Received:
    135
    Trophy Points:
    63
    Location:
    Webb City, Missouri
    Home page:
    All of the servers I manage at work have LOM cards; either Dell DRAC/iDRAC cards or HP iLO cards or Intel RMM cards. However, they are all protected by a firewall that is only accessible via a VPN, and really heinous passwords.

    In short, like any other tool, one needs to understand how to use it.

    Oh, and Merry Christmas! :)
  6. cloasters

    cloasters Moderator

    Joined:
    Jul 3, 2013
    Messages:
    7,835
    Likes Received:
    82
    Trophy Points:
    48
    Really difficult passwords sure help. Candidly, I seriously doubt that I'll ever need a LOM card! Happy Holidays, Best of Kwanzaas and Merry Christmas to all!

Share This Page