Red Hat Enterprise Linux runs into Boothole patch trouble

Emotional, Burning, Unlimited Tuned Laboratory

Red Hat’s fix for the Boothole security hole has stopped some users’ systems from booting.

Sometimes the cure really is worse than the disease. The recently revealed Boothole security problem with GRUB2 and Secure Boot can, theoretically, be used to attack Linux systems. In practice, the only vulnerable Linux systems are ones that have already been successfully breached by an attacker. Still, the potential for damage was there, so almost all enterprise Linux distributors have released patches. Unfortunately, for at least one — Red Hat — the fix has gone wrong.

Many users are reporting that, after patching Red Hat Enterprise Linux (RHEL) 8.2, it has rendered their systems unbootable. The problem also appears to affect RHEL 7.x and 8.x computers as well. It seems, however, to be limited only to servers running on bare iron. RHEL virtual machines (VM)s, which don’t deal with Secure Boot firmware, are working fine.

RHEL isn’t the only Linux with this problem: CentOS 7.x and 8.x users are also reporting trouble. There have been sporadic reports of Boothole boot problems with other Linux distros, too.

A repair is on its way.  Peter Allor, director of Red Hat’s Product Security Incident Response Team, told me:

“Red Hat has been made aware of a potential issue with the fix for CVE-2020-10713, also known as Bootjole, whereby some Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8 systems may not successfully reboot after the remediation is applied, requiring manual intervention to fix. We are currently investigating this issue and will provide more information as it becomes available.”

Other Red Hat employees say the fix to the fix will be on its way shortly. So, if you haven’t patched yet, hold off. If you have, and you’re having trouble, help is on its way.