First published: Fri Jun 05 2020
A PGP signature bypass was found in fwupd, which could lead to possible installation of unsigned firmware. As per upstream:

* For Red Hat Enterprise Linux 7: LVFS was never enabled there although the PGP bypass is possible but not implementable.
* For Red Hat Enterprise Linux 8: The LVFS is disabled and never used the Amazon CDN. PGP bypass possible, but not implementable.

LVFS (Linux Vendor Firmware Service) is a secure portal which allows hardware vendors to upload firmware updates. The site is used by all major Linux distributions to provide metadata for clients such as fwupdmgr and GNOME Software.

More information available at: https://bugzilla.redhat.com/show_bug.cgi?id=1841462

Affected Software | Affected Version | How to fix |
---|---|---|
Red Hat Enterprise Linux | =7, =8 | |
fwupd-signed | | |

The severity of REDHAT-BUG-1844316 is considered high due to the potential risk of installing unsigned firmware.
To fix REDHAT-BUG-1844316, ensure that you update fwupd to the latest version provided by Red Hat.
Red Hat Enterprise Linux versions 7 and 8 are affected by REDHAT-BUG-1844316.
The implications of REDHAT-BUG-1844316 include the potential for unauthorized firmware installations, compromising system integrity.
Yes, fwupd is the primary software affected by REDHAT-BUG-1844316 in the context of Red Hat Enterprise Linux.