Bug 1201458 (CVE-2022-21505)

Summary: VUL-0: CVE-2022-21505: kernel lockdown bypass via IMA appraisal
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, tiwai
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/337174/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-21505:6.7:(AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2022-07-13 08:06:15 UTC 
Via linux-distros:

Hello All,

We recently discovered a bug that allows linux kernel lockdown to be
trivially bypassed using IMA. See the patch, below, for more details.

This has been assigned CVE-2022-21505. We plan to make this public on
2022-07-19 at 10am PT.

jch

~~~
The lockdown LSM is primarily used in conjunction with UEFI Secure Boot.
This LSM may also be used on machines without UEFI. It can also be enabled
when UEFI Secure Boot is disabled. One of lockdown's features is to prevent
kexec from loading untrusted kernels. Lockdown can be enabled through a
bootparam or after the kernel has booted through securityfs.

If IMA appraisal is used with the "ima_appraise=log" boot param,
lockdown can be defeated with kexec on any machine when Secure Boot is
disabled or unavailable. IMA prevents setting "ima_appraise=log"
from the boot param when Secure Boot is enabled, but this does not cover
cases where lockdown is used without Secure Boot.

To defeat lockdown, boot without Secure Boot and add ima_appraise=log
to the kernel command line; then:

$ echo "integrity" > /sys/kernel/security/lockdown
$ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \
/sys/kernel/security/ima/policy
$ kexec -ls unsigned-kernel

Add a call to verify ima appraisal is set to "enforce" whenever lockdown
is enabled.

Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down")
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
---
security/integrity/ima/ima_policy.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index fa5a93dbe5d26..748b97a2582a4 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -2034,6 +2034,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id)
	if (id >= READING_MAX_ID)
		return false;

+	if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
+	 && security_locked_down(LOCKDOWN_KEXEC))
+		return false;
+
	func = read_idmap[id] ?: FILE_CHECK;

	rcu_read_lock();
--
2.27.0
Comment 3 Carlos López 2022-07-13 08:17:24 UTC 
(In reply to Carlos López from comment #0)
> Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy
> when locked down")

29d3c1c8dfe7 is present in cve/linux-5.3 and newer
Comment 4 Carlos López 2022-07-19 22:23:11 UTC 
Public:
https://www.openwall.com/lists/oss-security/2022/07/19/4
Comment 5 Takashi Iwai 2022-07-21 07:42:56 UTC 
The fix in the upstream commit 543ce63b664e2c2f9533d089a4664b559c3e6b5b
  lockdown: Fix kexec lockdown bypass with ima policy
Comment 6 Takashi Iwai 2022-07-21 07:45:38 UTC 
The fix backported to cve/linux-5.3 and SLE15-SP4 branches.

Reassigned back to security team.
Comment 20 Swamp Workflow Management 2022-08-09 16:28:56 UTC 
SUSE-SU-2022:2722-1: An update that solves 5 vulnerabilities, contains 9 features and has 31 fixes is now available.

Category: security (important)
Bug References: 1190256,1190497,1198410,1198829,1199086,1199291,1199364,1199665,1199670,1200015,1200465,1200494,1200644,1200651,1201258,1201323,1201381,1201391,1201427,1201458,1201471,1201524,1201592,1201593,1201595,1201596,1201635,1201651,1201675,1201691,1201705,1201725,1201846,1201930,1201954,1201958
CVE References: CVE-2021-33655,CVE-2022-1462,CVE-2022-21505,CVE-2022-29581,CVE-2022-32250
JIRA References: SLE-18130,SLE-20183,SLE-21132,SLE-24569,SLE-24570,SLE-24571,SLE-24578,SLE-24635,SLE-24682
Sources used:
openSUSE Leap 15.4 (src):    kernel-azure-5.14.21-150400.14.10.1, kernel-source-azure-5.14.21-150400.14.10.1, kernel-syms-azure-5.14.21-150400.14.10.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    kernel-azure-5.14.21-150400.14.10.1, kernel-source-azure-5.14.21-150400.14.10.1, kernel-syms-azure-5.14.21-150400.14.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2022-08-10 13:18:32 UTC 
SUSE-SU-2022:2741-1: An update that solves 16 vulnerabilities, contains one feature and has 15 fixes is now available.

Category: security (important)
Bug References: 1178134,1198829,1199364,1199647,1199665,1199670,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201458,1201635,1201636,1201644,1201664,1201672,1201673,1201676,1201846,1201930,1201940,1201954,1201956,1201958
CVE References: CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-29581,CVE-2022-32250,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: SLE-24559
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.75.1, kernel-source-azure-5.3.18-150300.38.75.1, kernel-syms-azure-5.3.18-150300.38.75.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.75.1, kernel-source-azure-5.3.18-150300.38.75.1, kernel-syms-azure-5.3.18-150300.38.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2022-08-12 19:17:11 UTC 
SUSE-SU-2022:2803-1: An update that solves 5 vulnerabilities, contains 7 features and has 16 fixes is now available.

Category: security (important)
Bug References: 1190256,1190497,1199291,1199356,1199665,1201258,1201323,1201391,1201458,1201592,1201593,1201595,1201596,1201635,1201651,1201691,1201705,1201726,1201846,1201930,1202094
CVE References: CVE-2021-33655,CVE-2022-21505,CVE-2022-2585,CVE-2022-26373,CVE-2022-29581
JIRA References: SLE-21132,SLE-24569,SLE-24570,SLE-24571,SLE-24578,SLE-24635,SLE-24682
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.14.21-150400.24.18.1, kernel-64kb-5.14.21-150400.24.18.1, kernel-debug-5.14.21-150400.24.18.1, kernel-default-5.14.21-150400.24.18.1, kernel-default-base-5.14.21-150400.24.18.1.150400.24.5.4, kernel-docs-5.14.21-150400.24.18.1, kernel-kvmsmall-5.14.21-150400.24.18.1, kernel-obs-build-5.14.21-150400.24.18.1, kernel-obs-qa-5.14.21-150400.24.18.1, kernel-source-5.14.21-150400.24.18.1, kernel-syms-5.14.21-150400.24.18.1, kernel-zfcpdump-5.14.21-150400.24.18.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    kernel-default-5.14.21-150400.24.18.1
SUSE Linux Enterprise Module for Live Patching 15-SP4 (src):    kernel-default-5.14.21-150400.24.18.1, kernel-livepatch-SLE15-SP4_Update_2-1-150400.9.5.2
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    kernel-default-5.14.21-150400.24.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    kernel-docs-5.14.21-150400.24.18.1, kernel-obs-build-5.14.21-150400.24.18.1, kernel-source-5.14.21-150400.24.18.1, kernel-syms-5.14.21-150400.24.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    kernel-64kb-5.14.21-150400.24.18.1, kernel-default-5.14.21-150400.24.18.1, kernel-default-base-5.14.21-150400.24.18.1.150400.24.5.4, kernel-source-5.14.21-150400.24.18.1, kernel-zfcpdump-5.14.21-150400.24.18.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    kernel-default-5.14.21-150400.24.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2022-08-15 22:19:40 UTC 
SUSE-SU-2022:2809-1: An update that solves 22 vulnerabilities and has 19 fixes is now available.

Category: security (important)
Bug References: 1114648,1194013,1195478,1195775,1196472,1196901,1197362,1198829,1199487,1199489,1199647,1199648,1199657,1200263,1200442,1200571,1200599,1200604,1200605,1200608,1200619,1200692,1200762,1200905,1200910,1201050,1201080,1201251,1201429,1201458,1201635,1201636,1201644,1201664,1201672,1201673,1201676,1201742,1201752,1201930,1201940
CVE References: CVE-2020-36557,CVE-2020-36558,CVE-2021-26341,CVE-2021-33655,CVE-2021-33656,CVE-2021-4157,CVE-2022-1116,CVE-2022-1462,CVE-2022-1679,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-29900,CVE-2022-29901,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33981,CVE-2022-36946
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-obs-build-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1
SUSE Manager Retail Branch Server 4.1 (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1
SUSE Manager Proxy 4.1 (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-obs-build-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-obs-build-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-150200.24.126.1, kernel-livepatch-SLE15-SP2_Update_29-1-150200.5.5.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-obs-build-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-obs-build-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-150200.24.126.1
SUSE Enterprise Storage 7 (src):    kernel-default-5.3.18-150200.24.126.1, kernel-default-base-5.3.18-150200.24.126.1.150200.9.59.2, kernel-docs-5.3.18-150200.24.126.1, kernel-obs-build-5.3.18-150200.24.126.1, kernel-preempt-5.3.18-150200.24.126.1, kernel-source-5.3.18-150200.24.126.1, kernel-syms-5.3.18-150200.24.126.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2022-08-23 16:21:46 UTC 
SUSE-SU-2022:2875-1: An update that solves 18 vulnerabilities, contains one feature and has 18 fixes is now available.

Category: security (important)
Bug References: 1178134,1196616,1198829,1199364,1199647,1199665,1199670,1200015,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201442,1201458,1201635,1201636,1201644,1201645,1201664,1201672,1201673,1201676,1201846,1201930,1201940,1201954,1201956,1201958,1202154
CVE References: CVE-2020-36516,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-2639,CVE-2022-29581,CVE-2022-32250,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: SLE-24559
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.90.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.90.1, kernel-64kb-5.3.18-150300.59.90.1, kernel-debug-5.3.18-150300.59.90.1, kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1, kernel-docs-5.3.18-150300.59.90.1, kernel-kvmsmall-5.3.18-150300.59.90.1, kernel-obs-build-5.3.18-150300.59.90.1, kernel-obs-qa-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-syms-5.3.18-150300.59.90.1, kernel-zfcpdump-5.3.18-150300.59.90.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-livepatch-SLE15-SP3_Update_23-1-150300.7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.90.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.90.1, kernel-obs-build-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-syms-5.3.18-150300.59.90.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.90.1, kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-zfcpdump-5.3.18-150300.59.90.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.90.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-08-25 13:22:10 UTC 
SUSE-SU-2022:2892-1: An update that solves 17 vulnerabilities, contains one feature and has 26 fixes is now available.

Category: security (important)
Bug References: 1178134,1196616,1196867,1198829,1199364,1199647,1199648,1199665,1199670,1199695,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201442,1201458,1201635,1201636,1201644,1201645,1201664,1201672,1201673,1201676,1201742,1201752,1201846,1201930,1201940,1201941,1201954,1201956,1201958,1202087,1202154,1202312
CVE References: CVE-2020-36516,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-2639,CVE-2022-29581,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: SLE-24559
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.99.1, kernel-rt_debug-5.3.18-150300.99.1, kernel-source-rt-5.3.18-150300.99.1, kernel-syms-rt-5.3.18-150300.99.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-rt-5.3.18-150300.99.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.99.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2022-09-01 15:04:57 UTC 
SUSE-SU-2022:2892-2: An update that solves 17 vulnerabilities, contains one feature and has 26 fixes is now available.

Category: security (important)
Bug References: 1178134,1196616,1196867,1198829,1199364,1199647,1199648,1199665,1199670,1199695,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201442,1201458,1201635,1201636,1201644,1201645,1201664,1201672,1201673,1201676,1201742,1201752,1201846,1201930,1201940,1201941,1201954,1201956,1201958,1202087,1202154,1202312
CVE References: CVE-2020-36516,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-2639,CVE-2022-29581,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: SLE-24559
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-rt-5.3.18-150300.99.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2022-09-01 15:23:52 UTC 
SUSE-SU-2022:2875-2: An update that solves 18 vulnerabilities, contains one feature and has 18 fixes is now available.

Category: security (important)
Bug References: 1178134,1196616,1198829,1199364,1199647,1199665,1199670,1200015,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201442,1201458,1201635,1201636,1201644,1201645,1201664,1201672,1201673,1201676,1201846,1201930,1201940,1201954,1201956,1201958,1202154
CVE References: CVE-2020-36516,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-2639,CVE-2022-29581,CVE-2022-32250,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: SLE-24559
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.