Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 7 Nov 2016 06:35:31 -0500
From: Andreas Stieger <astieger@...e.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-8637: dracut creates world readble initramfs when early cpio
 is used

Hello,

An openSUSE community user reported a permissions oddity with his
initramfs. Upon further analysis this issued turns out to be a local
information disclosure issue in dracut.

SUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1008340

Dracut generates initramfs images with world-readable permissions when
using "early cpio", such as when including microcode updates. Local
users may use this to obtain information from these files, typically
encryption keys and network storage credentials.

E.g. in dracut 037 https://github.com/dracutdevs/dracut/blob/037/dracut.sh

if [[ $create_early_cpio = yes ]]; then
    echo 1 > "$early_cpio_dir/d/early_cpio"
    # The microcode blob is _before_ the initramfs blob, not after
    (cd "$early_cpio_dir/d";     find . -print0 | cpio --null
$cpio_owner_root -H newc -o --quiet > $outfile)
fi
if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null
$cpio_owner_root -H newc -o --quiet | \
    $compress >> "$outfile"; ); then
    dfatal "dracut: creation of $outfile failed"
    exit 1
fi

The permissions of the output file depend on umask at creation time, and
appending to an existing file does not change them. create_early_cpio is
set to on when microcode updates are being used.

The very similar vulnerability CVE-2012-4453 was reported and fixed in 024:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=e1b48995c26c4f06d1a718539cb1bd5b0179af91

However the addition of microcode update support in 030 re-introduced
the issue:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=5f2c30d9bcd614d546d5c55c6897e33f88b9ab90

The vulnerability remains in current git master, which does something
along the lines of:

if [early_cpio]
   cpio [...] > ${DRACUT_TMPDIR}/initramfs.img
umask 0077
cpio [...] >> ${DRACUT_TMPDIR}/initramfs.img
cp --reflink=auto "${DRACUT_TMPDIR}/initramfs.img" "$outfile"

Our fix in upstream master:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=0db98910a11c12a454eac4c8e86dc7a7bbc764a4

CVE-2016-8637 was assigned to this issue.

The local workaround is to adjust the permissions of the initramfs files
manually, and all back-ported patches will set umask to a suitable value
such as 077 prior to first writing the file.

For the SUSE Security Team,
Andreas Stieger

-- 
Andreas Stieger <astieger@...e.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton,
HRB 21284 (AG N├╝rnberg)





[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ