Major high-tech firms, like Microsoft, HP, and VMware, are warning about a high-severity bug called BootHole. The flaw affects the GRUB2 bootloader used by most Linux systems and Windows devices using the UEFI Secure Boot. An attacker could exploit the bug to launch an arbitrary code execution attack and take control of the operating system's booting process. Eclypsium researchers who discovered the flaw also warned that it could impact more than a billion devices.
- HP said that many of its PCs and other devices are vulnerable to the bug and that it is providing a SoftPaq to update the UEFI FW dbx.
- Microsoft said the BootHole bug affects Windows 10, 8.1, Server 2012, Server 2016, Server 2019, and Server versions 1903, 1909, and 2004. The company recommends users change their UEFI settings until a security update is available.
- Red Hat said that the bug affects Red Hat Enterprise Linux 7 and 8, Atomic Host, and the OpenShift Container Platform 4 (RHEL CoreOS). The company advises users to update kernel, fwupdate, fwupd, shim, and dbxtool packages containing newly validated keys and certificates.
- VMware said that BootHole bug impacts Photo OS when configured with Secure Boot and that it would be issuing a security update soon.