A newly discovered vulnerability makes it incredibly easy to break into a large pool of Linux-based computers. A security hole found in Grub2, a widely-used bootloader in many Linux distributions including Ubuntu and Red Hat, allows a user to login to a computer by pressing the backspace key 28 times. Various Linux distributions have released a patch for the vulnerability.
Hector Marco and Ismael Ripoll, two security researchers from the Cyber-security Group at the Polytechnic University of Valencia (UPV), have found that it is possible to bypass any kind of authentication on a Linux system by hitting the backspace key 28 times. Once users log in, they can take complete control of the computer. The researchers said Grub2 is the "bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices," the researchers wrote in a blog post.
As per the researchers, the vulnerability can be exploited to obtain something called a "Grub rescue shell" which can, in turn, allow a user to load a customised kernel, and run arbitrary programs. The attacker could also destroy any data including the Grub itself.
The security hole stems from a simple integer underflow fault that was introduced to Grub2 in late 2009. Linux users can assess whether their computer is vulnerable by entering the backspace 28 times. Ubuntu, Red Hat, and Debian all have released patches to fix the vulnerability, though if your choice of Linux is still not covered, Marco and Ripoll have made available an emergency patch.