The report comes from security researchers Hector Marco and Ismael Ripoll, at a Polytechnic University Cybersecurity Group in Valencia, Spain. Upon backspacing exactly 28 times, the pair discovered that all authentication systems can be easily overridden. The bug affects every distribution of Linux using Grub2, the bootloader found in “most Linux systems,” the researchers wrote in their published results.
Assuming the system is in fact susceptible to the bug, anyone with the right know-how could access the system’s “Grub rescue shell,” which, with just a few keystrokes, can give them unhindered access to any and all data found on the PC. Of course, with malicious intentions, a person could seamlessly install persistent malware, allowing them to sabotage what’s rightfully yours.
“The number of backspaces hit was the only input controllable by the user to cause different manifestations of the error,” the researchers declared.
Experts agree that this bug is an alarming security oversight for the bootloader developers.
“It is irresponsible for grub to lack decades-old exploit mitigations like stack cookies that could have addressed this issue,” Trail of Bits founder Dan Guido pointed out.
On the bright side, Marco and Ripoll have worked together to come up with a solution for the bug in question. It’s a simple patch compatible with Ubuntu, Red Hat, and Debian distributions. Your best bet would be to install it quickly before letting anyone untrustworthy get ahold of your machine.
