Date: Thu, 22 Sep 2016 07:58:47 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: kernel: ACPI table override is allowed when securelevel is enabled

Hello,

A vulnerability was found in the RHEL7 kernel. When RHEL7 is booted with UEFI Secure Boot enabled,
securelevel is set. The kernel uses the state of securelevel to prevent userspace from inserting
untrusted privileged code at runtime.

The ACPI tables provided by firmware can be overwritten using the initrd. From the kernel documentation:

  If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to
  override nearly any ACPI table provided by the BIOS with an instrumented,
  modified one.

RHEL7 has CONFIG_ACPI_INITRD_TABLE_OVERRIDE kernel config option enabled, and will load ACPI tables
appended to the initrd, even if booted with UEFI Secure Boot enabled and securelevel set.

Upstream patch: https://github.com/mjg59/linux/commit/a4a5ed2835e8ea042868b7401dced3f517cafa76

The securelevel patchset was not accepted into the upstream kernel, see http://www.zdnet.com/article/matthew-garrett-is-not-forking-linux/
and https://linux.slashdot.org/story/15/10/06/1553233/matthew-garrett-forks-the-linux-kernel ; it is
now maintained by MJG: https://github.com/mjg59/linux .

CVE-2016-3699 was assigned to this security flaw internally by Red Hat.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
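
The override mechanism the advisory refers to can be audited offline. The following is an added example, not part of the original post and not Red Hat's or the kernel's code: it walks the uncompressed newc cpio archive at the head of an initrd the way the kernel's initrd table override does, reports every file under kernel/firmware/acpi/, and decodes each one's 36-byte ACPI table header, applying the same basic sanity checks (header length and zero-sum checksum) that the kernel applies before accepting a table. The kernel's other behaviour (the allowed-signature list, the exact log messages) is not reproduced. All sample data (the DSDT table, the OEM IDs, the archive layout) is constructed here for illustration.

```python
"""Audit an initrd for ACPI table overrides (kernel/firmware/acpi/*).

With CONFIG_ACPI_INITRD_TABLE_OVERRIDE the kernel scans the uncompressed newc
cpio archive at the start of the initrd and replaces firmware ACPI tables with
files found under kernel/firmware/acpi/. This script performs the same scan
offline so an initrd can be checked for overrides before it is trusted.
"""
import struct

CPIO_MAGIC = b"070701"                          # "newc" ASCII cpio, the format the kernel parses
ACPI_DIR = "kernel/firmware/acpi/"
# signature, length, revision, checksum, OEM ID, OEM table ID, OEM rev, creator ID, creator rev
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
HEADER_LEN = ACPI_HEADER.size                   # 36 bytes
CHECKSUM_OFFSET = 9                             # byte that makes the whole table sum to zero


def _align4(n):
    return (n + 3) & ~3


def iter_newc(archive):
    """Yield (name, payload) for each entry of a newc cpio archive up to TRAILER!!!."""
    off = 0
    while off + 110 <= len(archive):
        hdr = archive[off:off + 110]
        if hdr[:6] != CPIO_MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % off)
        # 13 eight-digit hex fields follow the magic; filesize is field 6, namesize field 11
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = archive[off + 110:off + 110 + namesize - 1].decode("ascii")   # strip the NUL
        data_off = _align4(off + 110 + namesize)
        if name == "TRAILER!!!":
            return
        yield name, archive[data_off:data_off + filesize]
        off = _align4(data_off + filesize)


def describe_table(blob):
    """Decode an ACPI table header and apply the kernel's basic sanity checks."""
    info = {"valid": False, "reason": None}
    if len(blob) < HEADER_LEN:
        info["reason"] = "shorter than an ACPI table header"
        return info
    sig, length, rev, _csum, oem_id, oem_table_id, _oem_rev, _creator, _crev = ACPI_HEADER.unpack_from(blob)
    info.update(signature=sig.decode("ascii", "replace"), length=length, revision=rev,
                oem_id=oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
                oem_table_id=oem_table_id.rstrip(b"\0 ").decode("ascii", "replace"))
    if length < HEADER_LEN or length > len(blob):
        info["reason"] = "length field %d inconsistent with %d-byte file" % (length, len(blob))
        return info
    if sum(blob[:length]) % 256 != 0:
        info["reason"] = "bad checksum"         # the kernel rejects such a table
        return info
    info["valid"] = True
    return info


def find_acpi_overrides(initrd):
    """Describe every kernel/firmware/acpi/ file in the initrd's leading cpio archive."""
    found = []
    for name, payload in iter_newc(initrd):
        if name.startswith(ACPI_DIR) and len(name) > len(ACPI_DIR):
            entry = {"file": name}
            entry.update(describe_table(payload))
            found.append(entry)
    return found


def build_acpi_table(sig, oem_id, oem_table_id, body):
    """Constructed sample: an ACPI table whose header checksum is fixed up."""
    length = HEADER_LEN + len(body)
    hdr = ACPI_HEADER.pack(sig, length, 2, 0, oem_id.ljust(6, b" "), oem_table_id.ljust(8, b" "), 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) % 256
    return bytes(table)


def build_newc(entries):
    """Constructed sample: pack {name: payload} into a newc cpio archive with a trailer."""
    out = bytearray()
    for ino, (name, payload) in enumerate(list(entries.items()) + [("TRAILER!!!", b"")], start=1):
        nm = name.encode("ascii") + b"\0"
        fields = [ino, 0o100644, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(nm), 0]
        out += CPIO_MAGIC + b"".join(b"%08X" % f for f in fields) + nm
        out += b"\0" * (_align4(len(out)) - len(out))
        out += payload
        out += b"\0" * (_align4(len(out)) - len(out))
    return bytes(out)


def sample_initrd():
    """Constructed sample initrd: one DSDT override beside an unrelated file."""
    dsdt = build_acpi_table(b"DSDT", b"ACME", b"OVERRIDE", b"\x10\x2e\x5f\x53\x42\x5f")
    return build_newc({"kernel/firmware/acpi/dsdt.aml": dsdt, "etc/motd": b"not a table\n"})


if __name__ == "__main__":
    for entry in find_acpi_overrides(sample_initrd()):
        print(entry)
```

On a real system the archive to pass to find_acpi_overrides is the leading uncompressed part of the initrd (the compressed initramfs that follows it is not consulted for overrides); any hit on a Secure Boot machine is worth explaining, since the table contents end up executing with kernel privileges regardless of who signed the kernel.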
