Date: Mon, 7 Nov 2016 06:35:31 -0500
From: Andreas Stieger <astieger@...e.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-8637: dracut creates world readable initramfs when early cpio is used

Hello,

An openSUSE community user reported a permissions oddity with his
initramfs. Upon further analysis this issue turns out to be a local
information disclosure issue in dracut.

SUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1008340

Dracut generates initramfs images with world-readable permissions when
using "early cpio", such as when including microcode updates. Local
users may use this to obtain information from these files, typically
encryption keys and network storage credentials.

E.g. in dracut 037 https://github.com/dracutdevs/dracut/blob/037/dracut.sh

if [[ $create_early_cpio = yes ]]; then
    echo 1 > "$early_cpio_dir/d/early_cpio"
    # The microcode blob is _before_ the initramfs blob, not after
    (cd "$early_cpio_dir/d";     find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet > $outfile)
fi
if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \
    $compress >> "$outfile"; ); then
    dfatal "dracut: creation of $outfile failed"
    exit 1
fi

The permissions of the output file depend on the umask at creation time, and
appending to an existing file does not change them. create_early_cpio is
set to yes when microcode updates are being included.
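As an added illustration (this is not dracut's code and not part of the report), the script below reproduces the umask ordering with plain files in place of cpio archives, and includes a small check usable on existing images for the manual workaround; the names vulnerable_build, fixed_build and is_owner_only are mine.

```shell
#!/bin/sh
# Added example: the "early cpio" step is the first write to the image and
# therefore decides its mode; the later append under umask 077 cannot
# tighten it. Plain printf stands in for the cpio archives.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Vulnerable ordering (dracut 037 / pre-fix master): the early cpio is
# written under the caller's umask, umask 077 only covers the append.
vulnerable_build() {
    out="$work/vuln.img"
    rm -f "$out"
    (umask 022; printf 'early-cpio' > "$out")        # created 0644
    (umask 077; printf 'main-initramfs' >> "$out")   # mode stays 0644
    stat -c '%a' "$out"                               # prints 644
}

# Fixed ordering (the upstream fix): restrictive umask before the file
# is first created, so every later append inherits 0600.
fixed_build() {
    out="$work/fixed.img"
    rm -f "$out"
    (umask 077; printf 'early-cpio' > "$out")        # created 0600
    (umask 077; printf 'main-initramfs' >> "$out")
    stat -c '%a' "$out"                               # prints 600
}

# Check for the manual workaround: succeeds only when group and other
# have no permission bits at all (mode ends in "00", e.g. 600 or 700).
is_owner_only() {
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}
```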

The very similar vulnerability CVE-2012-4453 was reported and fixed in 024:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=e1b48995c26c4f06d1a718539cb1bd5b0179af91

However the addition of microcode update support in 030 re-introduced
the issue:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=5f2c30d9bcd614d546d5c55c6897e33f88b9ab90

The vulnerability remains in current git master, which does something
along the lines of:

if [early_cpio]
   cpio [...] > ${DRACUT_TMPDIR}/initramfs.img
umask 0077
cpio [...] >> ${DRACUT_TMPDIR}/initramfs.img
cp --reflink=auto "${DRACUT_TMPDIR}/initramfs.img" "$outfile"

Our fix in upstream master:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=0db98910a11c12a454eac4c8e86dc7a7bbc764a4

CVE-2016-8637 was assigned to this issue.

The local workaround is to adjust the permissions of the initramfs files
manually, and all back-ported patches will set umask to a suitable value
such as 077 prior to first writing the file.

For the SUSE Security Team,
Andreas Stieger

-- 
Andreas Stieger <astieger@...e.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)