oss-sec mailing list archives
CVE-2016-8637: dracut creates world readable initramfs when early cpio is used
From: Andreas Stieger <astieger () suse com>
Date: Mon, 7 Nov 2016 06:35:31 -0500
Hello,

An openSUSE community user reported a permissions oddity with his initramfs. Upon further analysis this issue turns out to be a local information disclosure issue in dracut.

SUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1008340

Dracut generates initramfs images with world-readable permissions when using "early cpio", such as when including microcode updates. Local users may use this to obtain information from these files, typically encryption keys and network storage credentials.

E.g. in dracut 037
https://github.com/dracutdevs/dracut/blob/037/dracut.sh

    if [[ $create_early_cpio = yes ]]; then
        echo 1 > "$early_cpio_dir/d/early_cpio"
        # The microcode blob is _before_ the initramfs blob, not after
        (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet > $outfile)
    fi

    if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \
        $compress >> "$outfile"; ); then
        dfatal "dracut: creation of $outfile failed"
        exit 1
    fi

The permissions of the output file depend on umask at creation time, and appending to an existing file does not change them. create_early_cpio is set to on when microcode updates are being used.

The very similar vulnerability CVE-2012-4453 was reported and fixed in 024:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=e1b48995c26c4f06d1a718539cb1bd5b0179af91

However the addition of microcode update support in 030 re-introduced the issue:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=5f2c30d9bcd614d546d5c55c6897e33f88b9ab90

The vulnerability remains in current git master, which does something along the lines of:

    if [early_cpio]
        cpio [...] > ${DRACUT_TMPDIR}/initramfs.img
    umask 0077
    cpio [...] >> ${DRACUT_TMPDIR}/initramfs.img
    cp --reflink=auto "${DRACUT_TMPDIR}/initramfs.img" "$outfile"

Our fix in upstream master:
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=0db98910a11c12a454eac4c8e86dc7a7bbc764a4

CVE-2016-8637 was assigned to this issue.

The local workaround is to adjust the permissions of the initramfs files manually, and all back-ported patches will set umask to a suitable value such as 077 prior to first writing the file.

For the SUSE Security Team,
Andreas Stieger

--
Andreas Stieger <astieger () suse com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
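The ordering problem described above, reproduced in a temporary directory as an added example (this is not dracut's code): the vulnerable pattern creates the file under the caller's umask and only tightens umask for the appended second archive, the fixed pattern sets umask 077 before the first write, and a small audit helper lists images whose mode still allows group or other read, for the local workaround. It assumes a POSIX sh with mktemp and either GNU or BSD stat.

```shell
# Added example, not dracut code. Demonstrates that file permissions are fixed at
# creation time and that appending under a stricter umask does not change them.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Vulnerable pattern (as in dracut 037): the early cpio archive creates the
# output file under the default umask; umask 077 is applied only to the append.
# Runs in a subshell so the umask changes do not leak to the caller.
build_vulnerable() (
    out="$1"
    umask 022                                          # typical default umask
    printf 'early-cpio-blob\n' > "$out"                # file created here: 644
    ( umask 077; printf 'initramfs-blob\n' >> "$out" ) # append: mode unchanged
    file_mode "$out"
)

# Fixed pattern (what the back-ported patches do): restrict umask before the
# first write, so the file is created with mode 600 and stays that way.
build_fixed() (
    out="$1"
    umask 022
    umask 077
    printf 'early-cpio-blob\n' > "$out"                # file created here: 600
    printf 'initramfs-blob\n' >> "$out"
    file_mode "$out"
)

# Audit helper for the local workaround: print every given file whose mode has
# any group/other read bit set (octal 044), i.e. readable by non-root users.
world_readable_images() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        m=$(file_mode "$f")
        if [ $(( 0$m & 044 )) -ne 0 ]; then echo "$f"; fi
    done
}

# Constructed demonstration in a scratch directory (no real /boot is touched).
tmp=$(mktemp -d)
echo "vulnerable pattern: mode $(build_vulnerable "$tmp/vuln.img")"
echo "fixed pattern:      mode $(build_fixed "$tmp/fixed.img")"
echo "still world readable:"
world_readable_images "$tmp/vuln.img" "$tmp/fixed.img"
```

Running the audit helper over the real images, e.g. world_readable_images /boot/initr*, shows which files the manual chmod workaround still needs to cover.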