A local information disclosure issue was found in dracut when generating initramfs images with world-readable permissions when "early cpio" is used, such as when including microcode updates. A local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials.

Vulnerable code:

    if [[ $create_early_cpio = yes ]]; then
        echo 1 > "$early_cpio_dir/d/early_cpio"
        # The microcode blob is _before_ the initramfs blob, not after
        (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet > $outfile)
    fi
    if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \
        $compress >> "$outfile"; ); then
        dfatal "dracut: creation of $outfile failed"
        exit 1
    fi

The permissions of the output file depend on umask at creation time, and appending to an existing file does not change them. create_early_cpio is set to on when microcode updates are being used.
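The umask behaviour described above can be reproduced with harmless data. This is an added example, not dracut code and not the upstream patch; the function names, file names and file contents are constructed, a default umask of 022 is assumed for the first write, and GNU `stat` is assumed.

```bash
#!/bin/bash
# Added illustration: constructed data only, no real initramfs content.

# Mirrors the vulnerable sequence: the first write creates the file under
# the caller's umask (022 assumed), the second appends under umask 077.
build_like_vulnerable() {
    local out=$1
    rm -f "$out"
    ( umask 022; echo "early cpio part" > "$out" )
    ( umask 077; echo "main image part" >> "$out" )
    stat -c %a "$out"          # prints the resulting octal mode
}

# Restrictive umask is already in effect when the file is first created.
build_with_early_umask() {
    local out=$1
    rm -f "$out"
    ( umask 077
      echo "early cpio part" > "$out"
      echo "main image part" >> "$out" )
    stat -c %a "$out"
}

# Audit helper: succeeds only if group and others have no access bits set.
is_private() {
    local mode
    mode=$(stat -c %a "$1")
    [ $(( 0$mode & 077 )) -eq 0 ]
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

echo "created under 022, appended under 077: $(build_like_vulnerable "$demo_dir/a.img")"
echo "created and appended under 077:        $(build_with_early_umask "$demo_dir/b.img")"
is_private "$demo_dir/a.img" || echo "a.img is readable by other local users"
```

The same `is_private` check can be pointed at existing images under /boot to find files that were generated with the permissive mode.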
Acknowledgments: Name: Andreas Stieger (SUSE Security Team)
Created attachment 1217453: Proposed patch
Created dracut tracking bugs for this issue: Affects: fedora-all [bug 1392435]
Public via: http://seclists.org/oss-sec/2016/q4/352
Upstream patch: https://github.com/dracutdevs/dracut/commit/0db98910a11c12a454eac4c8e86dc7a7bbc764a4