Bug 1163969 (CVE-2019-14575)

Summary: VUL-0: CVE-2019-14575: ovmf: DxeImageVerificationHandler() fails open in case of dbx signature check
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: glin, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/252702/
See Also: http://bugzilla.tianocore.org/show_bug.cgi?id=1608
Whiteboard: CVSSv3.1:SUSE:CVE-2019-14575:7.1:(AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2020-02-17 15:36:54 UTC
CVE-2019-14575

Function DxeImageVerificationHandler() does not properly check whether an unsigned EFI file should be allowed or not. If a .efi image is both in the whitelist and in the blacklist, it is not supposed to load but if certain operations fail it will be loaded anyway, thus bypassing the verification.

DxeImageVerificationHandler() has specific code to handle .efis that aren't signed, but should be allowed to run. To do this, it hashes the .efi image, and then compares the image against a blacklist (dbx) and a whitelist (db). A situation could occur where a hash is both in the dbx and db list. This is supposed to fail, since it's in the dbx list. Because of the way a signature is looked up in dbx (using the IsSignatureFoundInDatabase() return value), any failure (e.g. allocation failure, looking up the variable failure, ...) will be seen as signature not found in database. This logic allows for bypassing the dbx lookup and loading an unsigned .efi image that should not be loaded.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1736862
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14575
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14575.html
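A minimal model of the fail-open pattern described above, added here as an illustration; it is not code from EDK2 or from the upstream fix series. The EFI_STATUS values, the SIG_DB structure and the function names (IsSignatureFoundInDatabaseOld/New, VerifyUnsignedImageOld/New, RunScenario) are constructed stand-ins. The "Old" pair keeps a BOOLEAN return that turns a failed dbx fetch into "not found", so a hash listed in both db and dbx loads when the dbx read fails; the "New" pair returns the error separately from the search result and rejects the image on any error.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the EDK2 status type and codes (not the real headers). */
typedef unsigned long EFI_STATUS;
#define EFI_SUCCESS            0UL
#define EFI_OUT_OF_RESOURCES   9UL
#define EFI_SECURITY_VIOLATION 26UL
#define EFI_ERROR(s) ((s) != EFI_SUCCESS)

#define HASH_LEN 32

/* Simulated signature database (db or dbx): a flat list of image hashes plus
   the status that fetching the backing UEFI variable would return. */
typedef struct {
    const uint8_t (*Hashes)[HASH_LEN];
    size_t Count;
    EFI_STATUS FetchStatus;  /* EFI_SUCCESS, or a simulated GetVariable()/allocation failure */
} SIG_DB;

static EFI_STATUS FetchDatabase(const SIG_DB *Db, const uint8_t (**List)[HASH_LEN], size_t *Count) {
    if (EFI_ERROR(Db->FetchStatus)) {
        return Db->FetchStatus;
    }
    *List = Db->Hashes;
    *Count = Db->Count;
    return EFI_SUCCESS;
}

/* VULNERABLE shape: a BOOLEAN return conflates "error while reading the
   database" with "hash not present". */
static bool IsSignatureFoundInDatabaseOld(const SIG_DB *Db, const uint8_t Hash[HASH_LEN]) {
    const uint8_t (*List)[HASH_LEN];
    size_t Count, i;
    if (EFI_ERROR(FetchDatabase(Db, &List, &Count))) {
        return false;  /* fetch failure reported as "not found" */
    }
    for (i = 0; i < Count; i++) {
        if (memcmp(List[i], Hash, HASH_LEN) == 0) return true;
    }
    return false;
}

static EFI_STATUS VerifyUnsignedImageOld(const SIG_DB *Db, const SIG_DB *Dbx, const uint8_t Hash[HASH_LEN]) {
    if (IsSignatureFoundInDatabaseOld(Dbx, Hash)) {
        return EFI_SECURITY_VIOLATION;  /* never reached when the dbx fetch failed */
    }
    if (IsSignatureFoundInDatabaseOld(Db, Hash)) {
        return EFI_SUCCESS;
    }
    return EFI_SECURITY_VIOLATION;
}

/* FIXED shape: the return value carries the error, the search result is an
   out-parameter, and the caller fails closed on any error. */
static EFI_STATUS IsSignatureFoundInDatabaseNew(const SIG_DB *Db, const uint8_t Hash[HASH_LEN], bool *Found) {
    const uint8_t (*List)[HASH_LEN];
    size_t Count, i;
    EFI_STATUS Status;
    *Found = false;
    Status = FetchDatabase(Db, &List, &Count);
    if (EFI_ERROR(Status)) {
        return Status;  /* error is distinguishable from "not found" */
    }
    for (i = 0; i < Count; i++) {
        if (memcmp(List[i], Hash, HASH_LEN) == 0) { *Found = true; break; }
    }
    return EFI_SUCCESS;
}

static EFI_STATUS VerifyUnsignedImageNew(const SIG_DB *Db, const SIG_DB *Dbx, const uint8_t Hash[HASH_LEN]) {
    bool InDbx = false, InDb = false;
    if (EFI_ERROR(IsSignatureFoundInDatabaseNew(Dbx, Hash, &InDbx)) || InDbx) {
        return EFI_SECURITY_VIOLATION;  /* dbx unreadable or hash revoked: reject */
    }
    if (EFI_ERROR(IsSignatureFoundInDatabaseNew(Db, Hash, &InDb)) || !InDb) {
        return EFI_SECURITY_VIOLATION;  /* db unreadable or hash not allowed: reject */
    }
    return EFI_SUCCESS;
}

/* Constructed scenario: one image hash that is in db, optionally also in dbx,
   with the dbx fetch optionally failing. Returns the verdict of the chosen path. */
static EFI_STATUS RunScenario(bool HashInDbx, bool DbxFetchFails, bool UseFixed) {
    static const uint8_t ImageHash[HASH_LEN]   = { 0x11, 0x22, 0x33 };       /* rest zero */
    static const uint8_t DbList[1][HASH_LEN]   = { { 0x11, 0x22, 0x33 } };
    static const uint8_t OtherList[1][HASH_LEN] = { { 0xFF } };
    SIG_DB Db  = { DbList, 1, EFI_SUCCESS };
    SIG_DB Dbx = { HashInDbx ? DbList : OtherList, 1,
                   DbxFetchFails ? EFI_OUT_OF_RESOURCES : EFI_SUCCESS };
    return UseFixed ? VerifyUnsignedImageNew(&Db, &Dbx, ImageHash)
                    : VerifyUnsignedImageOld(&Db, &Dbx, ImageHash);
}

int main(void) {
    printf("old, hash in dbx, dbx fetch fails: %s\n",
           RunScenario(true, true, false) == EFI_SUCCESS ? "LOADED (bypass)" : "rejected");
    printf("new, hash in dbx, dbx fetch fails: %s\n",
           RunScenario(true, true, true) == EFI_SUCCESS ? "LOADED (bypass)" : "rejected");
    return 0;
}
```

The decisive case is the second scenario argument: with the dbx read failing, the old path loads a revoked image while the fixed path rejects it, and the two paths agree whenever the databases are readable.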
Comment 1 Alexandros Toptsoglou 2020-02-17 15:43:39 UTC
No fix is currently merged upstream. However, the v5 attachment in the upstream bug [1] is proposed. Some additional references at [2].

[1] https://bugzilla.tianocore.org/show_bug.cgi?id=1608
[2] https://edk2.groups.io/g/devel/message/53866
Comment 2 Gary Ching-Pang Lin 2020-02-20 04:25:29 UTC
The fixes are released.

fbb96072233b5eaecf4d229cbee47b13dcab39e1
SecurityPkg/DxeImageVerificationLib: Fix memory leaks (CVE-2019-14575)

c13742b180095e5181e41dffda954581ecbd9b9c
SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX (CVE-2019-14575)

9e569700901857d0ba418ebdd30b8086b908688c
SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb (CVE-2019-14575)

929d1a24d12822942fd4f9fa83582e27f92de243
SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx (CVE-2019-14575)

adc6898366298d1f64b91785e50095527f682758
SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching code (CVE-2019-14575)

a83dbf008cc73406cbdc0d5ac3164cc19fff6683
SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1) (CVE-2019-14575)

5cd8be6079ea7e5638903b2f3da0f4c10ec7f1da
SecurityPkg/DxeImageVerificationLib: tighten default result (CVE-2019-14575)

cb30c8f25162e6d8142c6b098f14c1e4e7f125ce
SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx() (CVE-2019-14575)

b1c11470598416c89c67b75c991fd0773bcbab9d
SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (2) (CVE-2019-14575)

c230c002accc4281ccc57bba7153a9b2d9b9ccd3
SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase name (CVE-2019-14575)
Comment 4 Gary Ching-Pang Lin 2020-02-26 02:43:04 UTC
The fix is submitted.
Comment 5 Swamp Workflow Management 2020-02-26 20:12:00 UTC
SUSE-SU-2020:0495-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1077330,1094291,1163927,1163959,1163969
CVE References: CVE-2018-0739,CVE-2019-14559,CVE-2019-14563,CVE-2019-14575
Sources used:
SUSE OpenStack Cloud 7 (src):    ovmf-2015+git1462940744.321151f-19.10.3
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ovmf-2015+git1462940744.321151f-19.10.3
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ovmf-2015+git1462940744.321151f-19.10.3
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ovmf-2015+git1462940744.321151f-19.10.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-03-03 14:20:49 UTC
SUSE-SU-2020:0568-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1153072,1163927,1163959,1163969
CVE References: CVE-2019-14553,CVE-2019-14559,CVE-2019-14563,CVE-2019-14575
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    ovmf-2017+git1510945757.b2662641d5-5.29.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-03-08 20:11:32 UTC
openSUSE-SU-2020:0314-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1153072,1163927,1163959,1163969
CVE References: CVE-2019-14553,CVE-2019-14559,CVE-2019-14563,CVE-2019-14575
Sources used:
openSUSE Leap 15.1 (src):    ovmf-2017+git1510945757.b2662641d5-lp151.11.3.1
Comment 8 Swamp Workflow Management 2020-03-16 20:14:13 UTC
SUSE-SU-2020:0699-1: An update that fixes four vulnerabilities is now available.

Category: security (low)
Bug References: 1153072,1163927,1163959,1163969
CVE References: CVE-2019-14553,CVE-2019-14559,CVE-2019-14563,CVE-2019-14575
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    ovmf-2017+git1510945757.b2662641d5-3.23.1
SUSE Linux Enterprise Server 12-SP4 (src):    ovmf-2017+git1510945757.b2662641d5-3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Alexandros Toptsoglou 2020-06-30 07:48:08 UTC
Done