
Dell EMC PowerEdge Servers: Additional Information Regarding the GRUB2 Vulnerability – “BootHole”

Summary: A group of disclosed vulnerabilities in GRUB (Grand Unified Bootloader), known as "BootHole", can allow for Secure Boot bypass.


Security Article Type

Security KB

CVE Identifier

N/A

Issue Summary

Affected Platforms: 
Dell EMC PowerEdge Servers that have UEFI Secure Boot Enabled

Details

As referenced in the Dell Security Notice "Dell response to Grub2 vulnerabilities which may allow secure boot bypass", a group of disclosed vulnerabilities in GRUB (Grand Unified Bootloader), known as "BootHole", can allow for Secure Boot bypass.

The Secure Boot feature is supported on 13G and newer PowerEdge Servers when using an operating system (OS) which also supports this feature. You can view the list of PowerEdge OS Support Matrices here.


Windows:

Windows Operating Systems are impacted as an attacker with physical access to the platform, or OS administrator privileges, could load a vulnerable GRUB UEFI binary.

Customers running Windows on their PowerEdge Servers should refer to Microsoft’s guidance at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011


Linux:

To verify the Secure Boot status of your system, use the following OS command:


UEFI Boot is disabled; Secure Boot is disabled:

# mokutil --sb-state
EFI variables are not supported on this system

UEFI Boot is enabled; Secure Boot is disabled:

# mokutil --sb-state
SecureBoot disabled

Secure Boot is enabled:

# mokutil --sb-state
SecureBoot enabled
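
For auditing many hosts, the three outputs above can be mapped to machine-readable states. This is an added example, not part of the Dell article: the function names and state labels are hypothetical, and the fallback that reads the SecureBoot EFI variable from efivarfs goes beyond the mokutil check described here.

```shell
#!/bin/sh
# Added example: classify a host's Secure Boot state for a fleet audit.
# State labels (no-uefi, sb-disabled, sb-enabled, unknown) are made up for this sketch.

# Map the text printed by `mokutil --sb-state` to a state label.
classify_sb_output() {
    case "$1" in
        *"SecureBoot enabled"*)              echo "sb-enabled" ;;
        *"SecureBoot disabled"*)             echo "sb-disabled" ;;
        *"EFI variables are not supported"*) echo "no-uefi" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Fallback when mokutil is missing: read the SecureBoot EFI variable directly.
# An efivarfs file is 4 attribute bytes followed by the data; data byte 1 = enabled.
sb_state_from_efivar() {
    [ -r "$1" ] || { echo "unknown"; return 0; }
    val=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$val" in
        1) echo "sb-enabled" ;;
        0) echo "sb-disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Decide the state of the running host. $1 overrides the EFI sysfs root (for testing).
secure_boot_state() {
    efi_root=${1:-/sys/firmware/efi}
    # The kernel only creates this directory when the system was booted through UEFI.
    [ -d "$efi_root" ] || { echo "no-uefi"; return 0; }
    if command -v mokutil >/dev/null 2>&1; then
        state=$(classify_sb_output "$(mokutil --sb-state 2>&1)")
        if [ "$state" != "unknown" ]; then echo "$state"; return 0; fi
    fi
    sb_state_from_efivar "$efi_root/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
}

host_state=$(secure_boot_state)
echo "$(uname -n): $host_state"
# Per the article, only hosts with UEFI Secure Boot enabled are affected platforms.
if [ "$host_state" = "sb-enabled" ]; then
    echo "in scope: follow the distribution vendor's update guidance"
fi
```

Reading the efivarfs file may require root on some systems; an "unknown" result should be treated as a host to check by hand, not as unaffected.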


Recommendations

Linux distributions supported by Dell EMC PowerEdge Servers (Red Hat Enterprise Linux, SuSE Enterprise Linux and Ubuntu) have released updated packages containing remediation for the CVEs cited above.

We encourage you to follow the published recommendations of the Linux distribution vendors to update the affected packages, in the proper order, to the latest versions supplied by the Linux distribution vendor.

If Secure Boot fails after applying the Linux distribution vendor’s updates, use one of the following options to recover:

  • Boot to a rescue DVD and attempt to reinstall the previous versions of shim, grub2 and kernel.
  • Reset the BIOS dbx database to the factory default value and remove any applied dbx updates (whether from the OS vendor or by other means) using the following procedure:
    1. Enter BIOS Setup (F2) 
    2. Select "System Security" 
    3. Set "Secure Boot Policy" to "Custom" 
    4. Select "Secure Boot Custom Policy Settings" 
    5. Select "Forbidden Signature Database (dbx)" 
    6. Select "Restore Default Forbidden Signature Database" -> "Yes" -> "OK" 
    7. Set "Secure Boot Policy" to "Standard" 
    8. Save and exit 


Warning: Once your dbx database has been reset to the factory default, your system is no longer patched and is vulnerable to these and any other vulnerabilities remediated in later updates.

 

Related Linux distribution vendor advisories

Affected Products

Datacenter Scalable Solutions, PowerEdge, Microsoft Windows 2008 Server R2, SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12, Red Hat Enterprise Linux Version 6, Red Hat Enterprise Linux Version 7, Red Hat Enterprise Linux Version 8, SUSE Linux Enterprise Server 15 ...
Article Properties
Article Number: 000177294
Article Type: Security KB
Last Modified: 21 Feb 2021
Version:  7