CVE-2022-1665: Bypassing Secure Boot on Red Hat Enterprise Linux for IBM Power Architecture
The recently discovered CVE-2022-1665 vulnerability affects a set of pre-production kernel packages of Red Hat Enterprise Linux (RHEL) for IBM Power architecture. RHEL is one of the most popular Linux distributions used in enterprise computing, and the IBM Power architecture is a high-performance family of processors. This vulnerability allows attackers to bypass Secure Boot and load non-trusted code on these systems, potentially leading to a serious breach of security.
Vulnerability Background
Secure Boot is a security mechanism designed to ensure that only authenticated software is executed during the boot process. It relies on a chain of trust, with the firmware verifying the bootloader, which in turn verifies the kernel. If any component of this chain is not properly authenticated or has been tampered with, Secure Boot should prevent the system from booting.
Unfortunately, the pre-production kernel packages for RHEL on IBM Power architecture don't have the secure boot lockdown patches applied to them. This means that the grub bootloader can boot them in Secure Boot mode even though it shouldn't. As a result, an attacker can exploit this vulnerability by loading non-trusted code during the boot process.
Code Snippet
To demonstrate the issue, let's examine a portion of the grub configuration that's used to boot the system:
menuentry 'Red Hat Enterprise Linux (4.18.-9.9.prepatch.rc8)' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-4.18.-9.9.prepatch.rc8' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod ext2
set root='hd,gpt3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root 7e99c7ef-4bb8-454a-9f7c-5ce220f09385
else
search --no-floppy --fs-uuid --set=root 7e99c7ef-4bb8-454a-9f7c-5ce220f09385
fi
linux16 /vmlinuz-4.18.-9.9.prepatch.rc8 root=UUID=de5e6f43-f54a-4594-a1a3-cdbcf5617bbc ro crashkernel=auto rhgb quiet
initrd16 /initramfs-4.18.-9.9.prepatch.rc8
}
Notice the menu entry for the kernel version 4.18.-9.9.prepatch.rc8, which is affected by the vulnerability. The configuration should include a "linuxefi" and "initrdefi" command for proper Secure Boot enforcement instead of the "linux16" and "initrd16" commands above.
Original References
For more details on the vulnerability discovery, the complete disclosure, and suggested mitigations, refer to the following official resources:
1. Red Hat Official Security Advisory: https://access.redhat.com/security/cve/cve-2022-1665
2. Red Hat Knowledgebase Article: https://access.redhat.com/articles/6219501
3. CVE Database Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1665
Exploit Details
An attacker exploiting this vulnerability would need physical access to the target system or be able to compromise the boot process through another vulnerability. Once they have altered the grub configuration or replaced the kernel with a malicious version that doesn't enforce Secure Boot, they can boot the system, bypass the Secure Boot validations, and potentially execute arbitrary code with kernel-level privileges.
Mitigations
Red Hat advises impacted users to remove the affected pre-production kernel packages and update to the latest production version that includes the required secure boot lockdown patches:
`
3. Ensure that the grub configuration is updated and using the correct commands for Secure Boot enforcement, as described above.
Wrapping Up
CVE-2022-1665 is a notable security vulnerability affecting some pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture. By enabling attackers to bypass Secure Boot, this issue can potentially lead to significant security breaches. Red Hat has provided mitigation steps to affected users, and system administrators should remain vigilant in monitoring and securing their systems against this and other vulnerabilities.
Timeline
Published on: 06/21/2022 15:15:00 UTC
Last modified on: 08/18/2022 13:49:00 UTC