Palo Alto’s firewall device operating system, PAN-OS, is based on Red Hat Linux, which uses version 2 of the Grand Unified Bootloader (GRUB2). The company signs its GRUB2 bootloader and other components with its certificates, which are stored in the UEFI certificate store to establish a chain of trust.
However, in 2020, researchers from Eclypsium discovered a critical buffer overflow vulnerability in the way GRUB2 parsed the contents of its configuration file, grub.cfg. Designed to be edited by administrators with various boot configuration options, grub.cfg is not digitally signed. Because an attacker who can edit grub.cfg can trigger the buffer overflow and achieve arbitrary code execution inside the bootloader, the unsigned file becomes a way to defeat Secure Boot and run malicious code at boot time. This vulnerability, tracked as CVE-2020-10713, was called BootHole.
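As an added illustration, not GRUB2's own code, the C sketch below shows the parsing pattern at the heart of this bug class: a signed loader reading tokens from an unsigned configuration file into a fixed-size buffer, first without a bound check and then with one that fails closed. `TOKEN_MAX`, `read_token_unchecked`, `read_token_bounded` and `parse_config` are hypothetical names, and the config text is constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define TOKEN_MAX 16  /* hypothetical fixed-size token buffer, as a lexer might use */

/* Defective pattern: copies a token up to the next separator with no length
   check, so a token longer than the destination buffer overruns it. Shown
   only to make the defect visible; never feed it untrusted input. */
static size_t read_token_unchecked(const char *in, char *out) {
    size_t n = 0;
    while (in[n] != '\0' && in[n] != ' ' && in[n] != '\n') {
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened form: the caller passes the buffer size and an over-long token is
   rejected with -1 instead of being copied. Parsing stops rather than
   continuing with partially written state. */
static int read_token_bounded(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    while (in[n] != '\0' && in[n] != ' ' && in[n] != '\n') {
        if (n + 1 >= outsz) {   /* leave room for the terminator */
            out[0] = '\0';
            return -1;
        }
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Parse a constructed grub.cfg-style text: space-separated tokens, one
   directive per line. Returns the number of tokens accepted, or -1 as soon
   as any token exceeds TOKEN_MAX, so a hostile config is refused whole. */
static int parse_config(const char *cfg) {
    char tok[TOKEN_MAX];
    int count = 0;
    const char *p = cfg;
    while (*p) {
        while (*p == ' ' || *p == '\n') p++;   /* skip separators */
        if (!*p) break;
        int n = read_token_bounded(p, tok, sizeof tok);
        if (n < 0) return -1;
        p += n;
        count++;
    }
    return count;
}
```

The unchecked variant is the shape of the flaw; the bounded variant is the shape of the fix, and the rejection is what a loader must do before acting on any value from an unsigned file.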
At the time, Palo Alto Networks published an advisory about the impact of BootHole on its devices, stating that “this vulnerability is only exploitable when an attacker has already compromised the PAN-OS software and gained Linux root privileges on the system,” noting that “this is not possible under normal circumstances.”