Bug 1272472 (CVE-2015-7837) - CVE-2015-7837 kernel: securelevel disabled after kexec
Summary: CVE-2015-7837 kernel: securelevel disabled after kexec
Status: CLOSED ERRATA
Alias: CVE-2015-7837
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20151014,reported=2...
Keywords: Security
Depends On: 1273220 1243998 1273216 1273217 1273218 1273219 1273221
Blocks: 1247887
Reported: 2015-10-16 13:25 UTC by Adam Mariš
Modified: 2019-06-11 11:13 UTC (History)
A flaw was found in the way the Linux kernel handled the securelevel functionality after performing a kexec operation. A local attacker could use this flaw to bypass the security mechanism of the securelevel/secureboot combination.
Last Closed: 2019-06-08 02:44:12 UTC


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:2152 | normal | SHIPPED_LIVE | Important: kernel security, bug fix, and enhancement update | 2015-11-20 00:56:02 UTC
Red Hat Product Errata | RHSA-2015:2411 | normal | SHIPPED_LIVE | Important: kernel-rt security, bug fix, and enhancement update | 2015-11-19 11:24:06 UTC

Description Adam Mariš 2015-10-16 13:25:20 UTC
A vulnerability was found in kexec, allowing the attacker to bypass the security mechanism of the securelevel/secureboot combination.

When the kernel is booted with UEFI Secure Boot enabled, securelevel is set. If kexec (either through a crash or admin action) is then used to load the same kernel, securelevel is disabled after the reboot. In this state, the system is missing the protections provided by securelevel; for example, kexec may be used to load an unsigned kernel via the legacy system call kexec_load. In the securelevel patchset, the state of UEFI Secure Boot is queried in the EFI stub, which sets a boot_params flag to indicate the state of UEFI Secure Boot. This flag is then used in setup_arch() to determine the correct state of securelevel. If the kernel is not booted via the EFI stub, securelevel is not set even if UEFI Secure Boot is enabled.

Patch can be found in product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1243998#c3

Upstream patch:

https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798

CVE assignment:

http://seclists.org/oss-sec/2015/q4/85
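
Added example (not part of the original report and not Red Hat or upstream code): a shell audit for the condition the description above depends on, Secure Boot enabled while a kexec image is staged or can still be loaded. The verdict words, the root-prefix argument and the sample tree are assumptions made for illustration; the `SecureBoot` EFI variable, `kexec_loaded`, `kexec_crash_loaded` and `kexec_load_disabled` are standard kernel interfaces that the report itself does not mention.

```shell
#!/bin/sh
# Added example: report kexec exposure; $1 is an optional root prefix for tests.
SB_VAR="sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print 1 if the SecureBoot EFI variable reports enabled, else 0.
secure_boot_enabled() {
    f="$1/$SB_VAR"
    [ -r "$f" ] || { echo 0; return 0; }
    # efivarfs stores a 4-byte attribute word first; byte 5 is the value.
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    if [ "$v" = 1 ]; then echo 1; else echo 0; fi
}

# Print a one-value kernel flag file, or the fallback $2 if it is absent.
read_flag() {
    if [ -r "$1" ]; then tr -d ' \n' < "$1"; else echo "$2"; fi
}

# Print one verdict word for the tree rooted at $1 (empty = live system).
audit_kexec_exposure() {
    root="${1:-}"
    sb=$(secure_boot_enabled "$root")
    disabled=$(read_flag "$root/proc/sys/kernel/kexec_load_disabled" 0)
    loaded=$(read_flag "$root/sys/kernel/kexec_loaded" 0)
    crash=$(read_flag "$root/sys/kernel/kexec_crash_loaded" 0)
    if [ "$sb" != 1 ]; then
        echo "not-applicable"       # Secure Boot off, securelevel not expected
    elif [ "$loaded" = 1 ] || [ "$crash" = 1 ]; then
        echo "kexec-image-staged"   # a kexec or crash boot is already armed
    elif [ "$disabled" = 1 ]; then
        echo "kexec-locked"         # no further image can be loaded
    else
        echo "kexec-permitted"      # an image could still be loaded
    fi
}

# Build a constructed (not captured) tree: dir, SecureBoot, disabled, loaded, crash.
make_sample_tree() {
    mkdir -p "$1/sys/firmware/efi/efivars" "$1/sys/kernel" "$1/proc/sys/kernel"
    printf "\\006\\000\\000\\000\\00$2" > "$1/$SB_VAR"
    echo "$3" > "$1/proc/sys/kernel/kexec_load_disabled"
    echo "$4" > "$1/sys/kernel/kexec_loaded"
    echo "$5" > "$1/sys/kernel/kexec_crash_loaded"
}

demo=$(mktemp -d)
make_sample_tree "$demo" 1 0 0 1
echo "constructed host: $(audit_kexec_exposure "$demo")"
rm -rf "$demo"
```

Calling `audit_kexec_exposure` with no argument audits the live system; on a kernel without the fix, any verdict other than `not-applicable` or `kexec-locked` marks a host where the post-kexec state described above can be reached.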

Comment 1 Adam Mariš 2015-10-16 16:23:23 UTC
Acknowledgments:

Red Hat would like to thank Linn Crosetto of HP for reporting this issue.

Comment 3 Wade Mealing 2015-10-20 03:38:50 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7, kernel-rt and MRG-2.

Comment 6 errata-xmlrpc 2015-11-19 13:22:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2411 https://rhn.redhat.com/errata/RHSA-2015-2411.html

Comment 7 errata-xmlrpc 2015-11-19 23:22:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2152 https://rhn.redhat.com/errata/RHSA-2015-2152.html

Comment 8 errata-xmlrpc 2015-11-19 23:27:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2152 https://rhn.redhat.com/errata/RHSA-2015-2152.html

