Bug 2177862 (CVE-2022-2503) - CVE-2022-2503 kernel: LoadPin bypass via dm-verity table reload
Summary: CVE-2022-2503 kernel: LoadPin bypass via dm-verity table reload
Keywords:
Status: NEW
Alias: CVE-2022-2503
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2012340 2061574 2090507 2177893 2177894 2177895 2177896 2177899 2177900 2183114 2183115 2183116 2183117
Blocks: 2177863
Reported: 2023-03-13 17:50 UTC by Pedro Sampaio
Modified: 2024-01-04 13:53 UTC
CC: 39 users

Fixed In Version: Kernel 5.19 RC1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module and firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification until reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates.
Clone Of:
Environment:
Last Closed:
Embargoed:



Links: Red Hat Product Errata RHSA-2023:5627 (Private: 0; Priority/Status/Summary: None; Last Updated: 2023-10-10 16:26:21 UTC)

Description Pedro Sampaio 2023-03-13 17:50:17 UTC
Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5.

https://github.com/google/security-research/security/advisories/GHSA-6vq3-w69p-w63m
https://security.netapp.com/advisory/ntap-20230214-0005/
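The observable effect of the bypass described above is that a device-mapper device which was a verity target at boot is later backed by a non-verity (linear) target while keeping the same name and geometry. The following is an added defender-side check, not code from the bug report, the kernel or LoadPin: it parses `dmsetup table` output, compares a known-good baseline snapshot against a later one, and flags any device that lost its verity backing. It also classifies a `uname -r` string against the 5.19 release the report names as carrying the upstream fix. Device names, sizes, and the ROOTHASH/SALT placeholders in the sample tables are constructed; the functions `parse_dm_table`, `find_verity_downgrades` and `kernel_has_upstream_fix` are this example's own.

```python
# Added example (not part of the bug report or the kernel project): parse
# `dmsetup table` snapshots and flag a device that was verity-backed in a
# known-good baseline but is no longer, which is what the reported table
# reload looks like from the outside. All device names, sizes and the
# ROOTHASH/SALT placeholder values below are constructed sample data.
import re

# `dmsetup table` prints one line per table segment:
#   <device>: <start_sector> <length_sectors> <target_type> [<target args>...]
_TABLE_LINE = re.compile(
    r"^(?P<name>[^:]+):\s+(?P<start>\d+)\s+(?P<length>\d+)\s+(?P<target>\S+)(?:\s+(?P<args>.*))?$"
)

# Constructed known-good snapshot taken at boot: the root device is a verity target.
BASELINE_TABLE = """\
vroot: 0 8388608 verity 1 /dev/sda2 /dev/sda3 4096 4096 1048576 1048576 sha256 ROOTHASH_PLACEHOLDER SALT_PLACEHOLDER
data: 0 16777216 linear /dev/sda4 0
"""

# Constructed later snapshot: same device name and geometry, but the target type
# is now linear, so reads from it are no longer hash-verified.
CURRENT_TABLE = """\
vroot: 0 8388608 linear /dev/sda2 0
data: 0 16777216 linear /dev/sda4 0
"""


def parse_dm_table(text):
    """Map each device name to the list of target types in its table (one per segment)."""
    devices = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _TABLE_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dmsetup table line: {line!r}")
        devices.setdefault(m.group("name"), []).append(m.group("target"))
    return devices


def find_verity_downgrades(baseline_text, current_text):
    """Return device names that were fully verity-backed in the baseline but no longer are.

    A device counts as downgraded if any of its segments now has a non-verity target,
    or if it has disappeared from the table entirely.
    """
    baseline = parse_dm_table(baseline_text)
    current = parse_dm_table(current_text)
    downgraded = []
    for name, targets in baseline.items():
        if not all(t == "verity" for t in targets):
            continue  # was never verity-protected; nothing to enforce
        now = current.get(name)
        if now is None or any(t != "verity" for t in now):
            downgraded.append(name)
    return sorted(downgraded)


def kernel_has_upstream_fix(release):
    """True if a kernel release string (as from `uname -r`) is 5.19 or newer.

    The report names 5.19 as the upstream release containing the fix. Distribution
    kernels backport fixes without bumping the version, so an older number here
    means "check the vendor errata", not "vulnerable".
    """
    m = re.match(r"^(\d+)\.(\d+)", release)
    if m is None:
        raise ValueError(f"cannot parse kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))) >= (5, 19)


if __name__ == "__main__":
    for dev in find_verity_downgrades(BASELINE_TABLE, CURRENT_TABLE):
        print(f"ALERT: {dev} is no longer backed by dm-verity; "
              "modules/firmware loaded from it are unverified")
    print("upstream fix present:", kernel_has_upstream_fix("5.14.0-284.el9"))
```

In practice the baseline would be captured once at boot (before any table reload is possible) and the comparison run periodically or from an audit hook; the version check is only a first-pass heuristic, since the RHEL errata listed on this page ship the fix in kernels whose version number is older than 5.19.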

Comment 8 Mauro Matteo Cascella 2023-09-13 10:56:15 UTC
This issue was fixed upstream in kernel version 5.19. The kernel packages as shipped in the following Red Hat products were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:8267

kernel-rt in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:7933

Comment 9 errata-xmlrpc 2023-10-10 16:26:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627
