Additional Information Regarding the "BootHole" (GRUB) Vulnerability

Summary: Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled.

Symptoms

Affected Platform: Dell Client Consumer and Commercial platforms


Problem:

Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled. This could allow someone with physical access to the platform, or with OS administrator privileges, to use a malicious GRUB configuration file (grub.cfg). Attackers could then run malware and alter the boot process, among other malicious actions.


Reference:

Operating System providers' advisories can be found in the following Dell Security Notice: https://www.dell.com/support/article/SLN322283.


Frequently Asked Questions:


Q: Which models are affected?

A: Dell Client and Commercial platforms that have UEFI Secure Boot enabled are impacted. Dell Technologies recommends that customers review their Operating System provider’s advisories for more information, including appropriate identification and additional mitigation measures.

Customers should follow security best practices and prevent unauthorized physical access to devices. Customers can also take the following measures to further protect themselves from physical attacks.

  1. Set BIOS Admin Password to prevent alteration of the BIOS Setup configuration, such as the boot device, and Secure Boot mode.
  2. Configure boot settings to only allow booting to the internal boot device.


Q: I use a Windows Operating System. Am I impacted?

A: Yes. Windows Operating Systems are impacted. A malicious actor that has physical access to the platform, or OS administrator privileges, could load a vulnerable GRUB UEFI binary and boot-time malware.


Q: What must I do to address this vulnerability?

A: There are multiple components that may need to be updated:

Applicable to Windows and Linux based Operating Systems:

UEFI Forbidden Signature Database (dbx) update

A signed revocation database update has been made available by Microsoft that prevents systems from booting vulnerable GRUB binaries.

Installing this update prevents existing vulnerable Linux OS installation and recovery media from booting when UEFI Secure Boot is enabled.

Applicable to Linux Operating Systems:

GRUB Patch

Linux Operating System vendors are rolling out updated GRUB binaries as part of their advisories.


Q: I applied the dbx updates, and I can no longer boot Linux OS installation media. What do I do?

A: Customers who experience issues after updating dbx can revert the dbx update by doing the following:

  1. Enter BIOS Setup (F2).
  2. Navigate to the Expert Key Management screen.
  3. Enable Custom Mode.
  4. Apply Changes to Save Changes.
  5. Exit BIOS Setup to reboot the system.
  6. Re-enter BIOS Setup (F2).
  7. Navigate to the Expert Key Management screen.
  8. Disable Custom Mode.
  9. Apply Changes to Save Changes.
  10. Exit BIOS Setup to reboot the system.


This reverts to your factory-default dbx database.

Warning: Your system is no longer patched and is vulnerable to this disclosure. Please refer to your Operating System provider’s advisories for updates.
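
One way to check what the dbx holds after applying or reverting the update, as an added example that is not part of the Dell article: the Python below parses a dbx payload in the UEFI EFI_SIGNATURE_LIST layout and reports the revoked SHA-256 image hashes and the number of revoked X.509 certificates. The Linux efivarfs path and the function names are assumptions of this example, and the sample data is constructed.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumption: Linux efivarfs is mounted; the file starts with 4 attribute bytes.
DBX_EFIVARFS = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(blob):
    """Yield (signature_type, owner, data) for each entry in a dbx payload."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < 28 + header_size or offset + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % offset)
        body = blob[offset + 28 + header_size:offset + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            yield sig_type, uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size]
        offset += list_size

def summarize_dbx(blob):
    """Return the revoked SHA-256 image hashes (hex) and the revoked X.509 count."""
    hashes, certs = set(), 0
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32:
            hashes.add(data.hex())
        elif sig_type == EFI_CERT_X509_GUID:
            certs += 1
    return hashes, certs

def build_sample_dbx(digests, owner):
    """Constructed sample: one SHA-256 signature list, for offline testing."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

if __name__ == "__main__":
    try:
        with open(DBX_EFIVARFS, "rb") as f:
            blob = f.read()[4:]  # skip the attribute bytes
    except OSError:  # not a UEFI Linux host: fall back to the constructed sample
        blob = build_sample_dbx([bytes(32)], uuid.UUID(int=0))
    hashes, certs = summarize_dbx(blob)
    print("revoked image hashes: %d, revoked certificates: %d" % (len(hashes), certs))
```

Comparing the counts before and after the BIOS steps above shows whether the dbx changed. The SHA-256 entries are Authenticode digests of EFI images, so they will not match a plain file hash of a bootloader binary.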

Cause

N/A

Resolution

N/A

Article Properties
Article Number: 000131748
Article Type: Solution
Last Modified: 21 Aug 2025
Version: 5