Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
Sign In Create an Account Premier Sign In Partner Program Sign In

Additional Information Regarding the “BootHole” (GRUB) Vulnerability

Summary: Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled.

This article applies to   This article does not apply to 
Check out resources for

Symptoms

Affected Platform: Dell Client Consumer and Commercial platforms


Problem:

Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled. This could allow the use of a malicious GRUB configuration file (grub.cfg) via physical access to the platform, or OS administrator privileges. This could allow attackers to run malware and alter the boot process, among other malicious actions.


Reference:

Operating System provider’s advisories can be found on the following Dell Security Notice https://www.dell.com/support/article/SLN322283.


Frequently Asked Questions:


Q: Which models are affected?

A: Dell Client and Commercial platforms that have UEFI Secure Boot enabled are impacted. Dell recommends that customers review their Operating System provider’s advisories for further information, including appropriate identification and additional mitigation measures.

Customer should follow security best practices and prevent unauthorized physical access to devices. Customer can also take the following measures to further protect themselves from physical attacks.

  1. Set BIOS Admin Password to prevent alteration of the BIOS Setup configuration, such as the boot device, and Secure Boot mode.
  2. Configure boot settings to only allow booting to the internal boot device.


Q: I use a Windows Operating System. Am I impacted?

A: Yes. Windows Operating Systems are impacted. A malicious actor that has physical access to the platform, or OS administrator privileges, could load a vulnerable GRUB UEFI binary and boot time malware.


Q: What do I need to do to address this vulnerability?

A: There are multiple components that may need to be updated:  

Applicable to Windows and Linux based Operating Systems:.

UEFI Forbidden signatures database (dbx) update

A signed revocation database update has been made available by Microsoft that will prevent systems from booting vulnerable GRUB binaries.

Installing this update will prevent existing vulnerable Linux OS installation and recovery media from booting when UEFI Secure Boot is enabled.

Applicable to Linux Operating Systems:.

GRUB Patch

As part of Linux Operating System vendors’ advisories, they will be rolling out updated GRUB binaries.


Q: I applied the dbx updates and I can no longer boot Linux OS installation media. What do I do?

A: Customers who experience issues after updating dbx can revert the dbx update by doing the following:

  1. Enter BIOS Setup (F2).
  2. Navigate to the Expert Key Management screen.
  3. Enable Custom Mode.
  4. Apply Changes to Save Changes.
  5. Exit BIOS Setup to reboot the system.
  6. Re-enter BIOS Setup (F2).
  7. Navigate to the Expert Key Management screen.
  8. Disable Custom Mode.
  9. Apply Changes to Save Changes.
  10. Exit BIOS Setup to reboot the system


This will revert your factory-default dbx database.

Warning: At this point, your system is no longer patched, and is vulnerable to this disclosure. Please refer to Operating System provider’s advisories for updates.