In recent Fedora CoreOS releases, a critical security vulnerability (CVE-2022-3675) has been discovered that allows unauthorized users to bypass the GRUB bootloader password authentication process and boot non-default OSTree deployments without supplying a password. This vulnerability effectively allows an attacker with access to the GRUB menu to roll back the system to an older version of Fedora CoreOS, possibly reverting any recently applied security fixes to the machine. However, a password is still required to modify kernel command-line arguments and access the GRUB command-line.

Below is an example of a Butane config that sets a GRUB bootloader password in Fedora CoreOS. The hash must be produced with grub2-mkpasswd-pbkdf2, which yields a grub.pbkdf2.sha512.… string; GRUB does not accept a Unix crypt hash (the $6$… form).

variant: fcos
version: 1..
# the grub section is available from Butane spec version 1.4.0 onwards
grub:
  users:
    - name: root
      # placeholder: paste the full output of grub2-mkpasswd-pbkdf2 here
      password_hash: grub.pbkdf2.sha512.10000.<SALT>.<HASH>

Exploit Details

The vulnerability stems from a misconfiguration in the GRUB bootloader setup used by Fedora CoreOS. The GRUB password still protects the default OSTree deployment; booting a non-default OSTree deployment, however, is allowed without a password. This lets an adversary with physical or remote access to the GRUB menu boot an older Fedora CoreOS version and potentially exploit any known vulnerabilities present in that deployment.

References

1. Official CVE Record: CVE-2022-3675
2. Fedora CoreOS Documentation: Setting a GRUB password
3. Red Hat Bugzilla Entry: Bug 1995668 - Fedora CoreOS unpassworded grub menu entry
4. Fedora Project Wiki: GRUB 2 Password Protection

Mitigation and Patch

Fedora CoreOS developers are aware of the issue and are currently working on a fix for the vulnerability. In the meantime, system administrators are strongly advised to limit unauthorized access to the physical machine and restrict remote access to the GRUB menu as much as possible.

Additionally, update your Fedora CoreOS deployments promptly to the most recent versions, which include all available security patches, and consider removing non-default OSTree deployments so that this vulnerability cannot be used to revert to older, potentially insecure versions. Subscribe to the official Fedora CoreOS announcements and security channels to stay informed about any fixes or workarounds that are released.
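The two mitigations above (knowing how many non-default OSTree deployments a host carries, and confirming the GRUB password is really in place) as an added POSIX shell example; this is not code from the advisory or from Fedora CoreOS's own tooling. It assumes rpm-ostree status text output in the shape sampled inline, and it takes the path of the GRUB config fragment from the caller because the advisory does not say where the password is written; every input is a constructed sample, so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Fedora CoreOS project.
# Two defender-side checks that follow the advisory's mitigations:
#   1. count the OSTree deployments listed by `rpm-ostree status`, so the
#      rollback (non-default) deployments an attacker could boot can be
#      spotted and then removed with `rpm-ostree cleanup -r`;
#   2. verify that a GRUB config fragment really carries a superuser and a
#      PBKDF2 password entry (GRUB's password_pbkdf2 accepts
#      grub.pbkdf2.sha512.* hashes only; a Unix crypt "$6$" hash does not work).
# All inputs are constructed samples; the GRUB fragment path is supplied by the
# caller because its location is not stated in the advisory (assumption).

# Constructed sample of `rpm-ostree status` output: the booted/default
# deployment (marked with ●) plus one older rollback deployment.
SAMPLE_STATUS='State: idle
Deployments:
● fedora:fedora/x86_64/coreos/stable
                  Version: 36.20221030.3.0 (2022-10-31T12:00:00Z)
                   Commit: 0000000000000000000000000000000000000000000000000000000000000001

  fedora:fedora/x86_64/coreos/stable
                  Version: 36.20221001.3.0 (2022-10-03T12:00:00Z)
                   Commit: 0000000000000000000000000000000000000000000000000000000000000002'

# Deployment headers sit at column 0 ("● ref") or column 2 ("  ref"); the
# per-deployment property lines are indented much deeper and are skipped.
count_deployments() {
  printf '%s\n' "$1" | awk '/^(● |  )[^ ]/ { n++ } END { print n + 0 }'
}

# Every deployment beyond the first is a non-default entry that this CVE lets
# an attacker boot without the GRUB password.
non_default_deployments() {
  total=$(count_deployments "$1")
  if [ "$total" -gt 1 ]; then echo $((total - 1)); else echo 0; fi
}

# Inspect a GRUB config fragment for the superuser + PBKDF2 password pair.
# Prints one of: configured | weak-or-incomplete | missing
grub_password_status() {
  if grep -q '^set superusers=' "$1" &&
     grep -Eq '^password_pbkdf2 [^ ]+ grub\.pbkdf2\.sha512\.' "$1"; then
    echo configured
  elif grep -Eq '^(password|password_pbkdf2) ' "$1"; then
    # plaintext `password` directive, a non-PBKDF2 hash, or no superusers line
    echo weak-or-incomplete
  else
    echo missing
  fi
}

# Constructed GRUB fragments (placeholders, not real hashes) for the demo.
WORK_DIR=$(mktemp -d)
GOOD_CFG=$WORK_DIR/good.cfg
BAD_CFG=$WORK_DIR/bad.cfg
EMPTY_CFG=$WORK_DIR/empty.cfg
printf '%s\n' 'set superusers="root"' \
  'password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH' > "$GOOD_CFG"
# A crypt(3)-style hash where GRUB expects a PBKDF2 string, and no superusers line.
printf '%s\n' 'password_pbkdf2 root $6$PLACEHOLDER$NOTAGRUBHASH' > "$BAD_CFG"
: > "$EMPTY_CFG"

echo "deployments:            $(count_deployments "$SAMPLE_STATUS")"
echo "non-default (rollback): $(non_default_deployments "$SAMPLE_STATUS")"
echo "good.cfg:  $(grub_password_status "$GOOD_CFG")"
echo "bad.cfg:   $(grub_password_status "$BAD_CFG")"
echo "empty.cfg: $(grub_password_status "$EMPTY_CFG")"
```

On a real host, feed `"$(rpm-ostree status)"` to count_deployments and point grub_password_status at the fragment your Butane config produced; a non-zero rollback count is the condition under which this CVE matters, and `weak-or-incomplete` means the menu is not actually password-protected even though a password line exists.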

Conclusion

The CVE-2022-3675 vulnerability in Fedora CoreOS presents a significant security risk for systems that rely on the GRUB bootloader password feature. Because the password requirement is bypassed for non-default OSTree deployments, an attacker with access to the GRUB menu can boot older, unpatched versions of Fedora CoreOS and exploit vulnerabilities that have since been fixed. System administrators should remain vigilant, keep their systems updated, and closely monitor developments regarding the vulnerability and upcoming patches or workarounds.

Timeline

Published on: 11/03/2022 18:15:00 UTC
Last modified on: 03/01/2023 18:04:00 UTC