Palo Alto Networks firewalls have UEFI flaws, Secure Boot bypasses
Palo Alto’s firewall device operating system, PAN-OS, is based on Red Hat Linux, which uses Grand Unified Bootloader version 2 (GRUB2). The company signs its GRUB2 bootloader and other components with its own certificates, which are stored in the UEFI certificate store to establish the chain of trust.
However, in 2020, researchers from Eclypsium found a critical buffer overflow vulnerability in the way GRUB2 parsed content from its configuration file, grub.cfg. Because it is meant to be edited by administrators to set boot options, grub.cfg is not digitally signed. An attacker who could modify grub.cfg could therefore craft it to trigger the buffer overflow and achieve arbitrary code execution inside the bootloader, defeating Secure Boot and running malicious code at boot time. This vulnerability, tracked as CVE-2020-10713, was dubbed BootHole.
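Because grub.cfg sits outside the signed chain of trust, its integrity has to be checked by other means. The following is an added illustration, not code from the article, Eclypsium or Palo Alto Networks: it compares a grub.cfg against a known-good hash and flags abnormally long tokens, the kind of malformed input a parser-level overflow would be exercised by. The sample configurations, the 1024-character threshold and the function names are all assumptions constructed for the example.

```python
import hashlib
import re

# Constructed sample grub.cfg (not taken from any real device).
KNOWN_GOOD_CFG = """set default=0
set timeout=5
menuentry 'PAN-OS' {
    linux /vmlinuz root=/dev/sda2 ro quiet
    initrd /initrd.img
}
"""

# The same file with one token far longer than any legitimate grub.cfg value.
# Constructed only to exercise the check; it does not reproduce the bug.
TAMPERED_CFG = KNOWN_GOOD_CFG.replace("quiet", "quiet " + "A" * 4096)

MAX_TOKEN_LEN = 1024  # hypothetical threshold; real configs use short tokens


def sha256_hex(data: str) -> str:
    """Hex SHA-256 of the configuration text, used as the baseline fingerprint."""
    return hashlib.sha256(data.encode()).hexdigest()


def oversized_tokens(cfg_text: str, limit: int = MAX_TOKEN_LEN) -> list:
    """Return (line_no, length) for whitespace-delimited tokens longer than limit.

    grub.cfg is unsigned, so Secure Boot never validates it; BootHole
    (CVE-2020-10713) was a buffer overflow reached while GRUB2 parsed this
    file. Unusually long tokens are a cheap integrity signal worth alerting on.
    """
    findings = []
    for line_no, line in enumerate(cfg_text.splitlines(), start=1):
        for tok in re.split(r"\s+", line.strip()):
            if len(tok) > limit:
                findings.append((line_no, len(tok)))
    return findings


def audit_grub_cfg(cfg_text: str, baseline_hash: str) -> dict:
    """Combine the baseline-hash comparison with the token-length heuristic."""
    return {
        "hash_matches_baseline": sha256_hex(cfg_text) == baseline_hash,
        "oversized_tokens": oversized_tokens(cfg_text),
    }


if __name__ == "__main__":
    baseline = sha256_hex(KNOWN_GOOD_CFG)
    print(audit_grub_cfg(KNOWN_GOOD_CFG, baseline))
    print(audit_grub_cfg(TAMPERED_CFG, baseline))
```

On a real appliance the baseline hash would be recorded at provisioning time and the check run from a trusted management host, since a root-level compromise of the device itself can also alter the checker.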
At the time, Palo Alto Networks published an advisory about BootHole’s impact on its devices, saying that “this vulnerability is exploitable only when an attacker already compromised the PAN-OS software and gained root Linux privileges on the system,” noting that “this is not possible under normal conditions.”