|
Message-ID: <3c64dbd2-0216-88f5-d2d1-b2445c7b63f1@suse.com>
Date: Mon, 7 Nov 2016 06:35:31 -0500
From: Andreas Stieger <astieger@...e.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-8637: dracut creates world readble initramfs when early cpio
is used
Hello,
An openSUSE community user reported a permissions oddity with his
initramfs. Upon further analysis this issued turns out to be a local
information disclosure issue in dracut.
SUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1008340
Dracut generates initramfs images with world-readable permissions when
using "early cpio", such as when including microcode updates. Local
users may use this to obtain information from these files, typically
encryption keys and network storage credentials.
E.g. in dracut 037 https://github.com/dracutdevs/dracut/blob/037/dracut.sh
if [[ $create_early_cpio = yes ]]; then
echo 1 > "$early_cpio_dir/d/early_cpio"
# The microcode blob is _before_ the initramfs blob, not after
(cd "$early_cpio_dir/d"; find . -print0 | cpio --null
$cpio_owner_root -H newc -o --quiet > $outfile)
fi
if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null
$cpio_owner_root -H newc -o --quiet | \
$compress >> "$outfile"; ); then
dfatal "dracut: creation of $outfile failed"
exit 1
fi
The permissions of the output file depend on umask at creation time, and
appending to an existing file does not change them. create_early_cpio is
set to on when microcode updates are being used.
The very similar vulnerability CVE-2012-4453 was reported and fixed in 024:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=e1b48995c26c4f06d1a718539cb1bd5b0179af91
However the addition of microcode update support in 030 re-introduced
the issue:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=5f2c30d9bcd614d546d5c55c6897e33f88b9ab90
The vulnerability remains in current git master, which does something
along the lines of:
if [early_cpio]
cpio [...] > ${DRACUT_TMPDIR}/initramfs.img
umask 0077
cpio [...] >> ${DRACUT_TMPDIR}/initramfs.img
cp --reflink=auto "${DRACUT_TMPDIR}/initramfs.img" "$outfile"
Our fix in upstream master:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=0db98910a11c12a454eac4c8e86dc7a7bbc764a4
CVE-2016-8637 was assigned to this issue.
The local workaround is to adjust the permissions of the initramfs files
manually, and all back-ported patches will set umask to a suitable value
such as 077 prior to first writing the file.
For the SUSE Security Team,
Andreas Stieger
--
Andreas Stieger <astieger@...e.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.