The password protection feature on Grub2, a popular bootloader for Linux operating systems, can be bypassed simply by pressing the backspace key 28 times.
The vulnerability, discovered by two researchers at the Polytechnic University of Valencia’s (UPV) CyberSecurity Group in Spain, enabled any attacker with physical access to a Linux computer to obtain a Grub rescue shell.
An attacker only needs to boot the computer from a different operating system to gain the Grub rescue shell, the researchers noted in a blog post. The rescue shell grants elevated privileges to users and can then be used to load malware or to steal and delete data.
The researchers also provided instructions for creating an emergency patch to secure the bootloader.