Additional Information Regarding the "BootHole" (GRUB) Vulnerability

摘要: Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled.

本文章適用於 本文章不適用於 本文無關於任何特定產品。 本文未識別所有產品版本。
查看其他資源

症狀

Affected Platform: Dell Client Consumer and Commercial platforms


Problem:

Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled. This could allow the use of a malicious GRUB configuration file (grub.cfg) using a physical access to the platform, or OS administrator privileges. This could allow attackers to run malware and alter the boot process, among other malicious actions.


Reference:

Operating System provider’s advisories can be found on the following Dell Security Notice https://www.dell.com/support/article/SLN322283.


Frequently Asked Questions:


Q: Which models are affected?

A: Dell Client and Commercial platforms that have UEFI Secure Boot enabled are impacted. Dell Technologies recommends that customers review their Operating System provider’s advisories for more information, including appropriate identification and additional mitigation measures.

Customer should follow security best practices and prevent unauthorized physical access to devices. Customer can also take the following measures to further protect themselves from physical attacks.

  1. Set BIOS Admin Password to prevent alteration of the BIOS Setup configuration, such as the boot device, and Secure Boot mode.
  2. Configure boot settings to only allow booting to the internal boot device.


Q: I use a Windows Operating System. Am I impacted?

A: Yes. Windows Operating Systems are impacted. A malicious actor that has physical access to the platform, or OS administrator privileges, could load a vulnerable GRUB UEFI binary and boot time malware.


Q: What do I must do to address this vulnerability?

A: There are multiple components that may need to be updated:  

Applicable to Windows and Linux based Operating Systems:

UEFI Forbidden signatures databases (dbx) update

A signed revocation database update has been made available by Microsoft that prevents systems from booting vulnerable GRUB binaries.

Installing this update prevents existing vulnerable Linux OS installation and recovery media from booting when UEFI Secure Boot is enabled.

Applicable to Linux Operating Systems:

GRUB Patch

As part of Linux Operating System vendors' advisories, they are rolling out updated GRUB binaries.


Q: I applied the dbx updates, and I can no longer boot Linux OS installation media. What do I do?

A: Customers who experience issues after updating dbx can revert to the dbx update by doing the following:

  1. Enter BIOS Setup (F2).
  2. Navigate to the Expert Key Management screen.
  3. Enable Custom Mode.
  4. Apply Changes to Save Changes.
  5. Exit BIOS Setup to reboot the system.
  6. Re-enter BIOS Setup (F2).
  7. Navigate to the Expert Key Management screen.
  8. Disable Custom Mode.
  9. Apply Changes to Save Changes.
  10. Exit BIOS Setup to reboot the system


This reverts to your factory-default dbx database.

Warning: Your system is no longer patched, and is vulnerable to this disclosure. Please refer to Operating System provider’s advisories for updates.

原因

N/A

解析度

N/A

文章屬性
文章編號: 000131748
文章類型: Solution
上次修改時間: 21 8月 2025
版本:  5
向其他 Dell 使用者尋求您問題的答案
支援服務
檢查您的裝置是否在支援服務的涵蓋範圍內。