How to patch CentOS against BootHole

If you have CentOS servers in your data center, you’ll want to make sure to patch them against BootHole. Jack Wallen shows you how.

Binary code, password vulnerability taking out with tweezers, selective focus

Image: MyImages_Micha, Getty Images/iStockphoto

By now you’ve probably read about BootHole. If not, it’s a fairly insipid vulnerability that can render those Linux servers unbootable. So anyone with a data center filled with Linux machines should probably be concerned about this particular flaw. 

BootHole leverages a vulnerability in both GRUB2 and Secure Boot. To make BootHole a bit more daunting, it’s actually a really easy hack to pull off. The only thing blocking ne’er do wells from making it happen is having remote access to the server. Once inside, however, all an attacker would have to do is edit the grub.cfg file in such a way as to pass a token too large for the flex parse buffer. And because grub.cfg isn’t signed, changes to the file aren’t checked.

When this happens, your Linux server won’t boot. 

Of course, because this is open source, the patches came within a few days of the BootHole discovery. Those patches come in the form of shim files that can be applied. Thing is, you can run a system update and the shims might not get picked up. I ran two different updates on two different CentOS machines (7 and 8) and neither updated the necessary packages.

You can, however, take care of this manually. Let me show you how.

SEE: 10 things companies are keeping in their own data centers (TechRepublic download)

What you’ll need

The only things you’ll need to make this happen are a running instance of CentOS and a user with sudo privileges. Any machine running a version of GRUB2 older than version 2.06 is affected. To find out what version of GRUB2 you are running, open a terminal window and issue the command:

sudo yum info grub2-common

If you see Version 2.02 or earlier, your machine is vulnerable.

Let’s patch it.

How to patch CentOS against BootHole

I’ll show you the commands for patching against BootHole for both CentOS 7 and 8. Believe it or not, all you have to do is install a single package on your machine. Of course, since we are logged in, you might as well do an upgrade first.

To upgrade CentOS, open a terminal window and issue the command:

sudo dnf update

Check to see if the kernel is going to be upgraded. If so, know that you’ll need to reboot for the changes to take effect. Because of that, you might want to hold off on the update until a time when a reboot is possible. 

Even if you skip the update, you can still run the patch commands.

To patch CentOS 7, you would issue the command:

sudo dnf install shim-x64-15-8.el7_8 -y

To patch CentOS 8, the command would be:

sudo dnf install shim-x64-15-15.el8_2 -y

That’s it. With two commands your CentOS data center server is patched against the BootHole vulnerability. Do make sure, however, to regularly update your Linux machines. You might think they are impenetrable, but they aren’t. 

A good way of looking at this is, if a machine is connected to the network, it’s vulnerable–regardless of the operating system. Keep your systems always up-to-date and you’re one step ahead (or at least on pace) of attackers.

Also see