Bug 2011862 (CVE-2021-20319) - CVE-2021-20319 coreos-installer: incorrect signature verification on gzip-compressed install images
Summary: CVE-2021-20319 coreos-installer: incorrect signature verification on gzip-com...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20319
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2012771 2012893 2012894 2012895 2012896 2013108
Blocks: 2008108
TreeView+ depends on / blocked
 
Reported: 2021-10-07 14:46 UTC by Przemyslaw Roguski
Modified: 2022-03-08 12:13 UTC (History)
16 users (show)

Fixed In Version: coreos-installer 0.10.1
Doc Type: If docs needed, set a value
Doc Text:
An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary data, and achieve full access to the node being installed.
Clone Of:
Environment:
Last Closed: 2021-10-26 20:07:59 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3926 0 None None None 2021-10-27 07:55:31 UTC
Red Hat Product Errata RHSA-2021:3930 0 None None None 2021-10-27 08:06:56 UTC
Red Hat Product Errata RHSA-2021:3934 0 None None None 2021-10-26 16:01:22 UTC
Red Hat Product Errata RHSA-2021:4008 0 None None None 2021-11-03 20:38:40 UTC

Description Przemyslaw Roguski 2021-10-07 14:46:38 UTC
The coreos-installer is a program to fetch a disk image and stream it to a target disk.
During the installation process the installation image gpg signatures are verified.
The signature verification can be bypassed for gzip-compressed images due to a flaw in gzip coreos-installer wrapper.
When the decoder encounters the gzip trailer, it signals EOF to its output and does not continue reading from its input.
As a result, earlier wrappers don't notice that they've reached EOF.  In particular, the GPG wrapper does not check the exit code of GPG.  Thus, if
an attacker can substitute an attacker-controlled gzipped disk image, installation will complete successfully without a valid signature.

This vulnerability impacts only specific, User-Provisioned Infrastructure (UPI) installation methods where coreos-installer is used and where gzip-compressed images are configured as the installation source.


The Installer-Provisioned Infrastructure (IPI) bare-metal installs do use coreos-installer, but this installation method uses an install image embedded in the live OS image (ISO or PXE image), therefore is not affected by this vulnerability.


This vulnerability is specific to some upstream Fedora CoreOS installation flows.

Comment 3 Przemyslaw Roguski 2021-10-12 06:49:03 UTC
Created rust-coreos-installer tracking bugs for this issue:

Affects: fedora-all [bug 2013108]

Comment 7 errata-xmlrpc 2021-10-26 16:01:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3934 https://access.redhat.com/errata/RHSA-2021:3934

Comment 8 Product Security DevOps Team 2021-10-26 20:07:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20319

Comment 9 errata-xmlrpc 2021-10-27 07:55:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3926 https://access.redhat.com/errata/RHSA-2021:3926

Comment 10 errata-xmlrpc 2021-10-27 08:06:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:3930 https://access.redhat.com/errata/RHSA-2021:3930

Comment 11 errata-xmlrpc 2021-11-03 20:38:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:4008 https://access.redhat.com/errata/RHSA-2021:4008


Note You need to log in before you can comment on or make changes to this bug.