In association with heise online

10 November 2009, 13:51

Password hole in GRUB boot loader closed


The new version of the GNU GRUB boot loader, 1.97.1, closes a security hole in the previous version, 1.97, which allowed passwords to be easily circumvented. Password protection is available in GRUB to prevent unauthorised modification of the boot parameters. A programming error in the feature led to passwords being accepted as valid even if only the first character of the entered password was correct.

GRUB 1.97, also known as GRUB 2, has support for simple user authentication in its new config file format. The passwords must, however, be stored as readable clear text. Various Linux distributions are now being shipped with GRUB 2, including Debian "sid" and the recently released Ubuntu 9.10.
