Failed to open \EFI\centos\grubx64.efi - Not Found

Support for security such as Firewalls and securing linux
enseva
Posts: 25
Joined: 2018/09/29 18:30:50

Failed to open \EFI\centos\grubx64.efi - Not Found

Post by enseva » 2018/09/29 18:38:08

As of this morning, after creating a number of VMs using CentOS 7, then running yum update, I found that my VM would no longer load due to a corrupt or missing EFI file or folder.

After Googling this a number of different ways, the results I was getting were filled with links to sites that are obviously malicious or compromised (linking to suspicious PHP files, etc.).

As an example, attempt to Google "yum update breaks efi" and restrict the search to the last 24hrs.

You will find links for the following - INTENTIONALLY DISABLED LINKS DUE TO BEING MALICIOUS - this is highly suspect.

Links removed by a moderator.


TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: I believe CentOS repos have been compromised

Post by TrevorH » 2018/09/29 19:26:42

Just because google returns a bunch of malicious links to a search done by you does not mean that our repos have been compromised. The same search done here doesn't return those links. I am going to remove those links from your post as there's no point in having pointers to known malicious content even when it's obscured.

There was a recent update to the "shim" packages that are used for secure boot. It's much more likely that your machine has applied that and something about your configuration has broken as a result. All CentOS packages are GPG signed and unless you've done something stupid like disable GPG checking for the base and updates repos then any compromised package would need to have been signed by the official CentOS 7 signing key.

What sort of VM is this? When was it created and what leads you to believe that there is a corrupt or missing EFI file? What file is missing?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

enseva
Posts: 25
Joined: 2018/09/29 18:30:50

Re: I believe CentOS repos have been compromised

Post by enseva » 2018/09/29 19:31:50

TrevorH wrote:
2018/09/29 19:26:42
Just because google returns a bunch of malicious links to a search done by you does not mean that our repos have been compromised. The same search done here doesn't return those links. I am going to remove those links from your post as there's no point in having pointers to known malicious content even when it's obscured.

There was a recent update to the "shim" packages that are used for secure boot. It's much more likely that your machine has applied that and something about your configuration has broken as a result. All CentOS packages are GPG signed and unless you've done something stupid like disable GPG checking for the base and updates repos then any compromised package would need to have been signed by the official CentOS 7 signing key.

What sort of VM is this? When was it created and what leads you to believe that there is a corrupt or missing EFI file? What file is missing?

It's a VM in a Hyper-V environment, and what leads me to believe it's missing is the error on the console (since I can't connect anymore) saying it's missing.

We don't use secure boot on these VMs, though. Is that somehow a new requirement with the "shim" packages you're referring to?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: I believe CentOS repos have been compromised

Post by TrevorH » 2018/09/29 19:32:48

Please look at /var/log/yum.log on your machine and see which packages have been recently updated. Post that list here so we can see them.

enseva
Posts: 25
Joined: 2018/09/29 18:30:50

Re: I believe CentOS repos have been compromised

Post by enseva » 2018/09/29 19:34:17

TrevorH wrote:
2018/09/29 19:32:48
Please look at /var/log/yum.log on your machine and see which packages have been recently updated. Post that list here so we can see them.

How exactly would I do that on a machine I can't connect to? The grub EFI error is on the Hyper-V console. You can't even get to a prompt because the machine isn't booting.

If there's a way for me to avoid these shims you're referring to, I can try creating a new machine with that; I've never had this occur on a previous VM.

enseva
Posts: 25
Joined: 2018/09/29 18:30:50

Re: I believe CentOS repos have been compromised

Post by enseva » 2018/09/29 19:36:08

TrevorH wrote:
2018/09/29 19:32:48
Please look at /var/log/yum.log on your machine and see which packages have been recently updated. Post that list here so we can see them.

Also, the most likely culprit in what was recently updated was a kernel update. As this was a new machine from a template (using a base 1804 ISO) it needed about 300 updates.

Luckily I didn't close the terminal window so I have this from history:

NetworkManager.x86_64 1:1.10.2-16.el7_5 NetworkManager-libnm.x86_64 1:1.10.2-16.el7_5
NetworkManager-team.x86_64 1:1.10.2-16.el7_5 NetworkManager-tui.x86_64 1:1.10.2-16.el7_5
NetworkManager-wifi.x86_64 1:1.10.2-16.el7_5 acl.x86_64 0:2.2.51-14.el7
alsa-lib.x86_64 0:1.1.4.1-2.el7 audit.x86_64 0:2.8.1-3.el7_5.1
audit-libs.x86_64 0:2.8.1-3.el7_5.1 bash.x86_64 0:4.2.46-30.el7
bind-libs-lite.x86_64 32:9.9.4-61.el7_5.1 bind-license.noarch 32:9.9.4-61.el7_5.1
binutils.x86_64 0:2.27-28.base.el7_5.1 biosdevname.x86_64 0:0.7.3-1.el7
ca-certificates.noarch 0:2018.2.22-70.0.el7_5 centos-release.x86_64 0:7-5.1804.4.el7.centos
coreutils.x86_64 0:8.22-21.el7 cpio.x86_64 0:2.11-27.el7
cronie.x86_64 0:1.4.11-19.el7 cronie-anacron.x86_64 0:1.4.11-19.el7
cryptsetup-libs.x86_64 0:1.7.4-4.el7 curl.x86_64 0:7.29.0-46.el7
cyrus-sasl-lib.x86_64 0:2.1.26-23.el7 dbus.x86_64 1:1.10.24-7.el7
dbus-libs.x86_64 1:1.10.24-7.el7 device-mapper.x86_64 7:1.02.146-4.el7
device-mapper-event.x86_64 7:1.02.146-4.el7 device-mapper-event-libs.x86_64 7:1.02.146-4.el7
device-mapper-libs.x86_64 7:1.02.146-4.el7 device-mapper-persistent-data.x86_64 0:0.7.3-3.el7
dhclient.x86_64 12:4.2.5-68.el7.centos.1 dhcp-common.x86_64 12:4.2.5-68.el7.centos.1
dhcp-libs.x86_64 12:4.2.5-68.el7.centos.1 dracut.x86_64 0:033-535.el7_5.1
dracut-config-rescue.x86_64 0:033-535.el7_5.1 dracut-network.x86_64 0:033-535.el7_5.1
e2fsprogs.x86_64 0:1.42.9-12.el7_5 e2fsprogs-libs.x86_64 0:1.42.9-12.el7_5
ebtables.x86_64 0:2.0.10-16.el7 elfutils-default-yama-scope.noarch 0:0.170-4.el7
elfutils-libelf.x86_64 0:0.170-4.el7 elfutils-libs.x86_64 0:0.170-4.el7
ethtool.x86_64 2:4.8-7.el7 filesystem.x86_64 0:3.2-25.el7
firewalld.noarch 0:0.4.4.4-15.el7_5 firewalld-filesystem.noarch 0:0.4.4.4-15.el7_5
glib2.x86_64 0:2.54.2-2.el7 glibc.x86_64 0:2.17-222.el7
glibc-common.x86_64 0:2.17-222.el7 gnupg2.x86_64 0:2.0.22-5.el7_5
gzip.x86_64 0:1.5-10.el7 hwdata.x86_64 0:0.252-8.8.el7
info.x86_64 0:5.1-5.el7 initscripts.x86_64 0:9.49.41-1.el7_5.2
iproute.x86_64 0:4.11.0-14.el7 iprutils.x86_64 0:2.4.15.1-1.el7
iptables.x86_64 0:1.4.21-24.1.el7_5 irqbalance.x86_64 3:1.0.7-11.el7
iwl100-firmware.noarch 0:39.31.5.1-62.2.el7_5 iwl1000-firmware.noarch 1:39.31.5.1-62.2.el7_5
iwl105-firmware.noarch 0:18.168.6.1-62.2.el7_5 iwl135-firmware.noarch 0:18.168.6.1-62.2.el7_5
iwl2000-firmware.noarch 0:18.168.6.1-62.2.el7_5 iwl2030-firmware.noarch 0:18.168.6.1-62.2.el7_5
iwl3160-firmware.noarch 0:22.0.7.0-62.2.el7_5 iwl3945-firmware.noarch 0:15.32.2.9-62.2.el7_5
iwl4965-firmware.noarch 0:228.61.2.24-62.2.el7_5 iwl5000-firmware.noarch 0:8.83.5.1_1-62.2.el7_5
iwl5150-firmware.noarch 0:8.24.2.2-62.2.el7_5 iwl6000-firmware.noarch 0:9.221.4.1-62.2.el7_5
iwl6000g2a-firmware.noarch 0:17.168.5.3-62.2.el7_5 iwl6000g2b-firmware.noarch 0:17.168.5.2-62.2.el7_5
iwl6050-firmware.noarch 0:41.28.5.1-62.2.el7_5 iwl7260-firmware.noarch 0:22.0.7.0-62.2.el7_5
iwl7265-firmware.noarch 0:22.0.7.0-62.2.el7_5 kernel-tools.x86_64 0:3.10.0-862.14.4.el7
kernel-tools-libs.x86_64 0:3.10.0-862.14.4.el7 kexec-tools.x86_64 0:2.0.15-13.el7_5.2
kmod.x86_64 0:20-21.el7 kmod-libs.x86_64 0:20-21.el7
kpartx.x86_64 0:0.4.9-119.el7_5.1 krb5-libs.x86_64 0:1.15.1-19.el7
libacl.x86_64 0:2.2.51-14.el7 libattr.x86_64 0:2.4.46-13.el7
libblkid.x86_64 0:2.23.2-52.el7_5.1 libcom_err.x86_64 0:1.42.9-12.el7_5
libcurl.x86_64 0:7.29.0-46.el7 libdb.x86_64 0:5.3.21-24.el7
libdb-utils.x86_64 0:5.3.21-24.el7 libdrm.x86_64 0:2.4.83-2.el7
libgcc.x86_64 0:4.8.5-28.el7_5.1 libgomp.x86_64 0:4.8.5-28.el7_5.1
libmount.x86_64 0:2.23.2-52.el7_5.1 libpciaccess.x86_64 0:0.14-1.el7
libpwquality.x86_64 0:1.2.3-5.el7 libselinux.x86_64 0:2.5-12.el7
libselinux-python.x86_64 0:2.5-12.el7 libselinux-utils.x86_64 0:2.5-12.el7
libsemanage.x86_64 0:2.5-11.el7 libsepol.x86_64 0:2.5-8.1.el7
libss.x86_64 0:1.42.9-12.el7_5 libstdc++.x86_64 0:4.8.5-28.el7_5.1
libteam.x86_64 0:1.27-4.el7 libuser.x86_64 0:0.60-9.el7
libuuid.x86_64 0:2.23.2-52.el7_5.1 linux-firmware.noarch 0:20180220-62.2.git6d51311.el7_5
logrotate.x86_64 0:3.8.6-15.el7 lvm2.x86_64 7:2.02.177-4.el7
lvm2-libs.x86_64 7:2.02.177-4.el7 mariadb-libs.x86_64 1:5.5.60-1.el7_5
microcode_ctl.x86_64 2:2.1-29.16.el7_5 mokutil.x86_64 0:12-2.el7
mozjs17.x86_64 0:17.0.0-20.el7 nspr.x86_64 0:4.19.0-1.el7_5
nss.x86_64 0:3.36.0-7.el7_5 nss-softokn.x86_64 0:3.36.0-5.el7_5
nss-softokn-freebl.x86_64 0:3.36.0-5.el7_5 nss-sysinit.x86_64 0:3.36.0-7.el7_5
nss-tools.x86_64 0:3.36.0-7.el7_5 nss-util.x86_64 0:3.36.0-1.el7_5
numactl-libs.x86_64 0:2.0.9-7.el7 openldap.x86_64 0:2.4.44-15.el7_5
openssh.x86_64 0:7.4p1-16.el7 openssh-clients.x86_64 0:7.4p1-16.el7
openssh-server.x86_64 0:7.4p1-16.el7 openssl.x86_64 1:1.0.2k-12.el7
openssl-libs.x86_64 1:1.0.2k-12.el7 pam.x86_64 0:1.1.8-22.el7
parted.x86_64 0:3.1-29.el7 pciutils-libs.x86_64 0:3.5.1-3.el7
plymouth.x86_64 0:0.8.9-0.31.20140113.el7.centos plymouth-core-libs.x86_64 0:0.8.9-0.31.20140113.el7.centos
plymouth-scripts.x86_64 0:0.8.9-0.31.20140113.el7.centos policycoreutils.x86_64 0:2.5-22.el7
polkit.x86_64 0:0.112-14.el7 procps-ng.x86_64 0:3.3.10-17.el7_5.2
python.x86_64 0:2.7.5-69.el7_5 python-firewall.noarch 0:0.4.4.4-15.el7_5
python-libs.x86_64 0:2.7.5-69.el7_5 python-perf.x86_64 0:3.10.0-862.14.4.el7
python-slip.noarch 0:0.4.0-4.el7 python-slip-dbus.noarch 0:0.4.0-4.el7
rpm.x86_64 0:4.11.3-32.el7 rpm-build-libs.x86_64 0:4.11.3-32.el7
rpm-libs.x86_64 0:4.11.3-32.el7 rpm-python.x86_64 0:4.11.3-32.el7
rsyslog.x86_64 0:8.24.0-16.el7_5.4 selinux-policy.noarch 0:3.13.1-192.el7_5.6
selinux-policy-targeted.noarch 0:3.13.1-192.el7_5.6 setup.noarch 0:2.8.71-9.el7
shared-mime-info.x86_64 0:1.8-4.el7 shim-x64.x86_64 0:12-2.el7
sudo.x86_64 0:1.8.19p2-14.el7_5 systemd.x86_64 0:219-57.el7_5.3
systemd-libs.x86_64 0:219-57.el7_5.3 systemd-sysv.x86_64 0:219-57.el7_5.3
tar.x86_64 2:1.26-34.el7 teamd.x86_64 0:1.27-4.el7
tuned.noarch 0:2.9.0-1.el7_5.2 tzdata.noarch 0:2018e-3.el7
util-linux.x86_64 0:2.23.2-52.el7_5.1 vim-minimal.x86_64 2:7.4.160-4.el7
virt-what.x86_64 0:1.18-4.el7 wpa_supplicant.x86_64 1:2.6-9.el7
xfsprogs.x86_64 0:4.5.0-15.el7 yum.noarch 0:3.4.3-158.el7.centos
yum-plugin-fastestmirror.noarch 0:1.1.31-46.el7_5

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: I believe CentOS repos have been compromised

Post by TrevorH » 2018/09/29 19:39:35

You boot the VM from the installation media in rescue mode. Also, what is the exact error that you are seeing?
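The two things TrevorH asks for above, the list of recently updated packages from /var/log/yum.log and the exact error, can both be gathered from the rescue shell he suggests. The message in the thread title is the one shim prints when it cannot open the second-stage loader next to it, so the second check below looks at the EFI system partition directly. This is an added example, not code from the thread or from CentOS: it assumes the rescue environment mounts the installed system under /mnt/sysimage, that a default CentOS 7 UEFI install keeps shimx64.efi, grubx64.efi and grub.cfg in /boot/efi/EFI/centos, and it uses constructed yum.log lines and a constructed ESP directory when no real system is mounted.

```shell
#!/bin/sh
# Added example, not from the thread. Triage for a CentOS 7 VM that fails with
# "Failed to open \EFI\centos\grubx64.efi - Not Found", run from a rescue shell
# booted off the install media. The rescue environment mounts the installed
# system under /mnt/sysimage (override with SYSROOT; falls back to sample data).
SYSROOT="${SYSROOT:-/mnt/sysimage}"

# 1. Which logged yum transactions touched the boot path?
# /var/log/yum.log lines look like:
#   Sep 29 13:02:14 Updated: shim-x64-12-2.el7.x86_64
#   Sep 29 13:02:30 Updated: 1:openssl-1.0.2k-12.el7.x86_64   (epoch prefix)
boot_related_updates() {
    grep -E ': ([0-9]+:)?(shim|grub2|kernel|mokutil|efibootmgr)[^ ]*-[0-9]' "$1"
}

# 2. Which files shim and grub need are missing from the ESP directory?
# Expected set is an assumption for a default CentOS 7 UEFI install:
# shimx64.efi chain-loads grubx64.efi, which reads grub.cfg beside it.
missing_esp_files() {
    for name in shimx64.efi grubx64.efi grub.cfg; do
        [ -f "$1/$name" ] || echo "$name"
    done
}

# Constructed sample data so this runs offline. On the real system call:
#   boot_related_updates "$SYSROOT/var/log/yum.log"
#   missing_esp_files   "$SYSROOT/boot/efi/EFI/centos"
sample_yumlog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sep 29 13:02:11 Updated: bash-4.2.46-30.el7.x86_64
Sep 29 13:02:13 Updated: mokutil-12-2.el7.x86_64
Sep 29 13:02:14 Updated: shim-x64-12-2.el7.x86_64
Sep 29 13:02:20 Installed: kernel-3.10.0-862.14.4.el7.x86_64
Sep 29 13:02:25 Updated: kernel-tools-3.10.0-862.14.4.el7.x86_64
Sep 29 13:02:30 Updated: 1:openssl-1.0.2k-12.el7.x86_64
EOF
    echo "$f"
}

sample_esp() {
    d=$(mktemp -d)
    : > "$d/shimx64.efi"
    : > "$d/grub.cfg"        # grubx64.efi deliberately absent
    echo "$d"
}

if [ -d "$SYSROOT" ]; then
    LOG="$SYSROOT/var/log/yum.log"; ESP="$SYSROOT/boot/efi/EFI/centos"
else
    LOG=$(sample_yumlog); ESP=$(sample_esp)
fi
echo "== boot-related transactions in $LOG"
boot_related_updates "$LOG" || echo "(none logged)"
echo "== missing from $ESP"
missing_esp_files "$ESP"
[ -d "$SYSROOT" ] || rm -rf "$LOG" "$ESP"
```

On the sample data the transaction filter returns the mokutil, shim-x64, kernel and kernel-tools lines, and the ESP check reports grubx64.efi as the one missing file, which is what the shim error says. On a real rescue shell the same two commands tell you whether the shim update landed in the last transaction and whether the loader it points at is actually absent or merely misnamed.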

enseva
Posts: 25
Joined: 2018/09/29 18:30:50

Re: I believe CentOS repos have been compromised

Post by enseva » 2018/09/29 19:40:00

TrevorH wrote:
2018/09/29 19:26:42
Just because google returns a bunch of malicious links to a search done by you does not mean that our repos have been compromised. The same search done here doesn't return those links. I am going to remove those links from your post as there's no point in having pointers to known malicious content even when it's obscured.

There was a recent update to the "shim" packages that are used for secure boot. It's much more likely that your machine has applied that and something about your configuration has broken as a result. All CentOS packages are GPG signed and unless you've done something stupid like disable GPG checking for the base and updates repos then any compromised package would need to have been signed by the official CentOS 7 signing key.

What sort of VM is this? When was it created and what leads you to believe that there is a corrupt or missing EFI file? What file is missing?

I think you might be taking this personally without thinking rationally.

It's entirely possible a single mirror to which I connected was compromised. It's highly suspicious that an update rolls in in the last 24 hours and suddenly every new machine I update gets borked.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: I believe CentOS repos have been compromised

Post by TrevorH » 2018/09/29 19:44:20

No, it's not possible. Even if the mirror had been compromised, the packages on there are all signed using GPG. Out of the box, without modification, yum is configured to check all packages for the correct and known GPG signatures and will refuse to put those on if they are unsigned. So the only way that a compromised package could be there would be if the entire CentOS infrastructure had been compromised and the GPG private key and passphrase had been stolen and used to sign those compromised packages. So now we go from "a mirror is compromised" to "the CentOS signing key has been stolen" and that's a) much more serious and b) much more unlikely since only 3 people to my knowledge have access to it and also know the passphrase.

Your analysis is flawed. So far there is no sign that your machine has been compromised. All we know so far is that it does not boot after an update and that Google's tailored results send you a bunch of malicious links.
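TrevorH's point rests on two conditions that are easy to verify rather than argue about: gpgcheck=1 must still be set for the repos that were used, and every package on the box must carry a signature from the CentOS 7 key. The script below checks both. It is an added example, not code from the thread or from CentOS; it assumes the CentOS 7 signing key ID 24c6a8a7f4a80eb5 (the last 16 hex digits of the RPM-GPG-KEY-CentOS-7 fingerprint), uses a constructed .repo file and constructed `rpm -qa` output so it runs offline, and the two non-CentOS package names in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks behind the argument that a
# compromised mirror cannot push unsigned packages through yum:
#   1. gpgcheck=1 is set for every repo section, and
#   2. every installed package is signed by the CentOS 7 key.
# Key ID of RPM-GPG-KEY-CentOS-7 (last 16 hex digits of its fingerprint).
CENTOS7_KEYID="24c6a8a7f4a80eb5"

# Print repo sections of a .repo file that do not set gpgcheck=1.
# yum's [main] default is deliberately not consulted, so a section with
# no gpgcheck line at all is reported as well.
repos_without_gpgcheck() {
    awk '
        /^\[/               { if (sec != "" && !ok) print sec; sec = $0; ok = 0; next }
        /^ *gpgcheck *= *1/ { ok = 1 }
        END                 { if (sec != "" && !ok) print sec }
    ' "$1"
}

# Read "NEVRA <pgpsig>" lines on stdin and print packages whose signing key
# is not the CentOS 7 key, or that are unsigned (pgpsig prints "(none)").
# Produce the input on a live system, or from a rescue shell, with:
#   rpm [--root /mnt/sysimage] -qa \
#       --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'
unsigned_or_foreign_packages() {
    awk -v key="$CENTOS7_KEYID" '{ if (tolower($NF) != key) print $1 }'
}

# Constructed sample input so the script runs offline.
sample_repo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
enabled=1
EOF
    echo "$f"
}

# Constructed rpm output: dates and the two non-CentOS packages are made up.
SAMPLE_RPMS='shim-x64-12-2.el7.x86_64 RSA/SHA256, Tue 28 Aug 2018 02:47:52 PM UTC, Key ID 24c6a8a7f4a80eb5
kernel-3.10.0-862.14.4.el7.x86_64 RSA/SHA256, Wed 26 Sep 2018 03:11:09 PM UTC, Key ID 24c6a8a7f4a80eb5
mystery-agent-1.0-1.x86_64 (none)
vendor-tool-2.3-4.el7.x86_64 RSA/SHA256, Mon 03 Sep 2018 09:00:00 AM UTC, Key ID 0123456789abcdef'

REPO=$(sample_repo_file)
echo "== repo sections without gpgcheck=1 in $REPO"
repos_without_gpgcheck "$REPO"
echo "== packages not signed by $CENTOS7_KEYID"
printf '%s\n' "$SAMPLE_RPMS" | unsigned_or_foreign_packages
rm -f "$REPO"
```

On the sample data the first check reports [updates] (gpgcheck=0) and [extras] (no gpgcheck line), and the second reports the unsigned package and the one signed by a foreign key. Run the rpm query with `--root /mnt/sysimage` from the rescue media rather than on the suspect host itself, so the rpm binary and keyring doing the checking are not the ones you are doubting; an empty result from both checks is what supports "the update broke the boot configuration" over "the repos were compromised".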
