
Physically present hackers can effectively bypass secure boot protections on modern Linux systems and inject persistent malware. The quick fix is to change the kernel command-line parameters so the system halts instead of dropping into a debug shell when boot fails.
Fully encrypted disks, secure boot, and password-protected bootloaders won’t protect Linux from hackers with physical access to the system.
Alexander Moch, a security researcher at ERNW, has unveiled a serious vulnerability affecting modern Linux distributions, such as Ubuntu and Fedora.
The boot security measures overlook “a subtle but serious attack vector”: attackers can drop malicious commands into a debug shell that pops up after multiple boot failures. They can abuse the shell via the Initial RAM Filesystem (initramfs), which the kernel uses temporarily during boot to access the drivers and other files needed to load the OS.
Attackers would only need brief physical access to bypass boot protections and inject persistent malware into systems.
“For many popular Linux distributions, the debug shell can be reliably triggered if an incorrect password for the encrypted root partition is entered multiple times,” Moch explains.
“From there, an attacker can modify the initramfs and inject malicious hooks that are executed the next time the victim boots and unlocks the system.”
Secure boot verifies only that the kernel image and the modules on the system are signed; the initramfs is not covered by that check, so it can still be modified. Attackers can therefore simply unpack the initramfs, add malicious scripts, and repack it without altering any checked signatures.
The attacker would need to prepare a USB drive with the necessary tools. The researcher demonstrated the attack working on Ubuntu 25.04 and Fedora 42 with encrypted root partitions and default settings. Debug shells are present on other Linux distributions, too.
For example, on Ubuntu, the attacker would hit ESC when prompted for the password and press the CTRL+C combination three times in a row. After a 30-second timeout, a repeated password prompt would have to be rejected, followed by pressing CTRL+C six times to get to a debug shell.
The shell would enable the attacker to create a directory, mount an external root partition from the USB drive, and run the prepared scripts.
How to close the open loophole?
According to the ERNW researcher, the attacks can be easily mitigated by implementing a few changes.
“The simplest mitigation is to modify the kernel command-line parameters: add panic=0 for Ubuntu-based systems, and rd.shell=0 rd.emergency=halt for Red Hat-based systems. This causes the system to halt instead of dropping to a debug shell,” the researcher recommends.
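As an added example (not code from the article or from ERNW), the POSIX shell function below audits a kernel command line for the parameters quoted above, so an administrator can verify the mitigation is actually in effect. The function names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Audit a kernel command line for the parameters that stop the boot process
# from dropping into an initramfs debug shell (Ubuntu: panic=0;
# Red Hat family: rd.shell=0 rd.emergency=halt).
# Usage: initramfs_shell_check <ubuntu|redhat> ["<cmdline>"]
# Returns 0 when the mitigation is present, 1 when it is missing.
# Without a second argument, the running kernel's /proc/cmdline is read.

has_param() {
    # $1 = whole command line, $2 = exact key=value token to look for
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

initramfs_shell_check() {
    family=$1
    cmdline=${2:-$(cat /proc/cmdline)}
    case $family in
        ubuntu)
            # initramfs-tools: panic=0 keeps the system from opening a shell
            has_param "$cmdline" panic=0 && return 0
            ;;
        redhat)
            # dracut: both parameters are needed, shell off AND halt on emergency
            has_param "$cmdline" rd.shell=0 &&
                has_param "$cmdline" rd.emergency=halt && return 0
            ;;
        *)
            echo "unknown distribution family: $family" >&2
            return 2
            ;;
    esac
    return 1
}

# Human-readable wrapper; same exit status as initramfs_shell_check.
report_initramfs_shell() {
    if initramfs_shell_check "$1" "$2"; then
        echo "OK: $1 debug-shell mitigation present"
        return 0
    fi
    echo "MISSING: $1 debug-shell mitigation not found on command line"
    return 1
}
```

To audit the persistent configuration rather than the running kernel, pass the value of GRUB_CMDLINE_LINUX from /etc/default/grub as the second argument.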
Similarly, the bootloader can be configured to require a password for booting the system, rather than requiring a password only when modifying bootloader entries.
“Even better, the SSD’s native encryption could be enabled. One could also consider encrypting the boot partition with LUKS,” the advisory reads.
The researcher hopes that the effort to combine the kernel and initramfs into one monolithic signed binary, cumbersome as it is, will help prevent similar attacks in the future.
“Mitigations are simple and effective, such as adjusting kernel parameters, restricting boot access, or using full boot partition encryption. Yet these are often missing from standard hardening guides, benchmarks, and tooling.”