CVE-2015-5281
First published: Thu Sep 17 2015(Updated: )
Quoting from <a class="bz_bug_link bz_secure " title="" href="show_bug.cgi?id=1262904">bug #1262904</a>: """ Description of problem: Long long ago somebody committed <a href="http://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-7.2&id=909ac684df7a662e7afd9d45d546ad97d363d197">http://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-7.2&id=909ac684df7a662e7afd9d45d546ad97d363d197</a> to our grub2 packages in RHEL 7. While the first hunk is correct, the second hunk is pretty much purely wrong. The last two changes got reverted immediately, but the multiboot and multiboot2 modules remained built in. Those modules /should not/ function on UEFI systems, but there's no code in them that actually stops them from doing so, and therefore they allow a user to load non-verified code, such as tools to circumvent Secure Boot. Since Secure Boot is a security feature of RHEL 7, that means this is a security problem in RHEL 7. Version-Release number of selected component (if applicable): It's everything in RHEL 7. How reproducible: 100% of the time; there's no conditional behavior here. The user can do it from the boot menu of there's no password set, or if they've already rooted the machine they can do it from the config file. Steps to Reproduce: 1. write a multiboot module that replaces some EFI runtime call pointers or whatever other attack you might like 2. add it to the configfile to load before the linux kernel, loading the kernel as a mutliboot module. 3. reboot. Actual results: linux thinks secure boot is intact when in fact it has been circumvented and boot time rootkits are present. Expected results: the module is rejected. """
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Enterprise Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1262904
- http://pkgs.devel.redhat.com/cgit/rpms/grub2/commit/?h=rhel-7.2&id=909ac684df7a662e7afd9d45d546ad97d363d197
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1252579
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1263195
- https://rhn.redhat.com/errata/RHSA-2015-2401.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1264103
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172611.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172942.html
- http://rhn.redhat.com/errata/RHSA-2015-2401.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/77983
- http://www.securitytracker.com/id/1034198
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-5281
- agent/tags
- agent/trending
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0