First published: Fri Oct 16 2015(Updated: )
A vulnerability was found in kexec, allowing the attacker to bypass the security mechanism of securelevel/secureboot combination. When the kernel was booted with UEFI Secure Boot enabled, securelevel is set. If kexec (either through crash or admin action) is then used to load the same kernel, after reboot securelevel is disabled. In this state, the system is missing the protections provided by securelevel, for example kexec may be used to load an unsigned kernel via the legacy system call kexec_load. In the securelevel patchset, the state of UEFI Secure Boot is queried in the EFI stub, and sets a boot_params flag to indicate the state of UEFI Secure Boot. This flag is then used in setup_arch() to determine the correct state of securelevel. If the kernel is not booted via the EFI stub, securelevel is not set even if UEFI Secure Boot is enabled. Patch can be found in product bug: <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2015-7837 kernel: securelevel disabled after kexec [rhel-7.2]" href="show_bug.cgi?id=1243998#c3">https://bugzilla.redhat.com/show_bug.cgi?id=1243998#c3</a> Upstream patch: <a href="https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798">https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798</a> CVE assignment: <a href="http://seclists.org/oss-sec/2015/q4/85">http://seclists.org/oss-sec/2015/q4/85</a>
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =7.2 | |
Redhat Enterprise Linux | =7.3 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server Aus | =7.3 | |
Redhat Enterprise Linux Server Aus | =7.4 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Redhat Enterprise Mrg | =2.0 | |
Redhat Kernel-rt | =7.0 | |
debian/linux | 5.10.223-1 5.10.226-1 6.1.106-3 6.1.112-1 6.11.4-1 6.11.5-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2015-7837 is a vulnerability in the Linux kernel that allows local users to bypass secureboot restrictions.
Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 are affected by CVE-2015-7837.
The securelevel/secureboot restrictions can be bypassed in CVE-2015-7837 by leveraging improper handling of the secure_boot flag across kexec reboot.
CVE-2015-7837 has a low severity rating.
To fix CVE-2015-7837, update the Linux kernel to a patched version provided by the respective Linux distribution.