Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 15 Oct 2015 12:58:50 -0400 (EDT)
From: cve-assign@...re.org
To: wmealing@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request - Linux kernel - securelevel/secureboot bypass.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> When the kernel was booted with UEFI Secure Boot enabled, securelevel
> is set. If kexec (either through crash or admin action) is then used
> to load the same kernel, after reboot securelevel is disabled. In this
> state, the system is missing the protections provided by securelevel,
> for example kexec may be used to load an unsigned kernel via the
> legacy system call kexec_load.
> 
> In the securelevel patchset, the state of UEFI Secure Boot is queried
> in the EFI stub, and sets a boot_params flag to indicate the state of
> UEFI Secure Boot. This flag is then used in setup_arch() to determine
> the correct state of securelevel. If the kernel is not booted via the
> EFI stub, securelevel is not set even if UEFI Secure Boot is enabled.
> 
> TLDR: this allows a bypass the security mechanism of
> securelevel/secureboot combination.
> 
> This patchset affects Red Hat specific kernels as secureboot is not
> fully fully implemented upstream yet.

As far as we can tell, you are reporting an issue in functionality
that was developed for a Red Hat product. Because identical
functionality is not currently offered elsewhere, a CVE ID can be
assigned without considering the details of the securelevel behavior
that may later be implemented (or considered optimal) outside of Red
Hat. In other words, within (at least) the Red Hat product, "If the
kernel is not booted via the EFI stub, securelevel is not set even if
UEFI Secure Boot is enabled" is unquestionably incorrect behavior.

Use CVE-2015-7837.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWH9r7AAoJEL54rhJi8gl5TUkP/juU8uF2oSvn+q9wmrT0k7q1
zLxI2K9pxoryQq8EBSpQDelo97fe5QPAkQ/A1abN7kvNzSnfcLOvO9fW6KZyvOAY
Vc8qXf+3aQaGheqUWiuVnWTZtIbBvzLpVAiHIXhzYzz3bQ1SfXakdZVBum5d+X6U
cpZ2LYNUqV7RMJsM2cf/1XxeV7QHF0Q6QweyYWO4jZ9ijBVugEo+rK2uSFE5C3u5
8KSttFfEOJuAtfcPVZRUnrsc9cBON6VCJe0t+3dTrDJ3UQCPgOJda4AUKDzdQS3t
P9s24gZe5X+iquHonyLXNXiVbJS6CcSV9A0reYROwUMCI8/9tI5OezO65xraX1Q2
biO/KfO5iITCpFdf+EGH462P2LiNNpxx0ADJPxuxaABJhNS2NTCWer7y4OR6lbYN
16yWE3m4IfBhvoJjRPHoAHn/p+zzhPibnksyZbyPQJlj8Mw5ahYoAoaW5rBjmSTO
qu4RokLFIDbmdYyt9/6aXi6Y4rTobZ8MWdH+qjJu29e9SOT0aCU1qEzXA2TWqZtE
EwfwB2ZlP1XnmbBVBNMY9vuDdfEHFc3EABizcf/XwLr9t5sHJOg6GHbr3oln91T0
iAu3xAeWEEpyhqHANPx7x1pZTtgIfAdBofvsqHrKgP/Dj4MlXL29X2oO4nlnEsK4
xTCrWQkKNwm/ZzHYnYJW
=2iBw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.