1515198 – (CVE-2017-16837) CVE-2017-16837 tboot: Incorrect validation of certain function pointers

Bug 1515198 (CVE-2017-16837) - CVE-2017-16837 tboot: Incorrect validation of certain function pointers

Summary: CVE-2017-16837 tboot: Incorrect validation of certain function pointers

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-16837
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1515199
Blocks:	1515202
TreeView+	depends on / blocked

Reported:	2017-11-20 11:37 UTC by Andrej Nemec
Modified:	2019-09-29 14:25 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-12-21 07:06:29 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2017-11-20 11:37:28 UTC

Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these function pointers.

References:

https://sourceforge.net/p/tboot/code/ci/521c58e51eb5be105a29983742850e72c44ed80e/

Comment 1 Andrej Nemec 2017-11-20 11:37:59 UTC

Created tboot tracking bugs for this issue:

Affects: fedora-all [bug 1515199]

Comment 2 Doran Moppert 2017-12-21 07:06:29 UTC

The main issue here is an "evil maid"-style attack, where the attacker has physical access to the target machine and uses this to modify /boot/tboot.gz to run arbitrary code at boot time.  This could be a concern if disk encryption keys are stored sealed in the TPM .. but in this scenario there are lots of other attack vectors (physical/hardware as well), so I see no urgency to fix this.

Note You need to log in before you can comment on or make changes to this bug.