Bug 1008340 - (CVE-2016-8637) VUL-1: CVE-2016-8637: dracut: creates world readable initramfs when early cpio is used
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: x86-64 openSUSE 13.2
Priority: P3 - Medium   Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/174360/
Whiteboard: CVSSv2:SUSE:CVE-2016-8637:2.1:(AV:L/A...
Reported: 2016-11-03 15:12 UTC by c unix
Modified: 2021-03-02 16:25 UTC (History)
Attachments
proposed patch against git master (1022 bytes, patch) - 2016-11-04 12:22 UTC, Andreas Stieger
Description c unix 2016-11-03 15:12:38 UTC
With dracut-037-17.33.1.x86_64 and ucode-intel-20140913-4.1.x86_64 installed, a created initrd gets these permissions:

Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)


Without the ucode package installed or when running dracut with the option "--no-early-microcode", the permissions of the initrd are:

Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)


In both cases the file access should be restricted as seen in the second example.

Otherwise any user can read roots private files that are included in the initrd - for example keyfiles.


If this is a bug, security might be affected.
Comment 1 Andreas Stieger 2016-11-03 15:32:54 UTC
(In reply to not provided from comment #0)
> security might be affected.

We'll check it out...
Comment 2 Swamp Workflow Management 2016-11-03 23:01:59 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2016-11-04 11:03:05 UTC
The difference does indeed depend on whether create_early_cpio is on, as happens with microcode updates.

From https://github.com/dracutdevs/dracut/blob/037/dracut.sh

> if [[ $create_early_cpio = yes ]]; then
>     echo 1 > "$early_cpio_dir/d/early_cpio"
>     # The microcode blob is _before_ the initramfs blob, not after
>     (cd "$early_cpio_dir/d";     find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet > $outfile)
> fi
> if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \
>     $compress >> "$outfile"; ); then
>     dfatal "dracut: creation of $outfile failed"
>     exit 1
> fi

Permissions of outfile depend on umask at creation time, and appending does not change them.

Current code and recent changes for UEFI seem to be at least aware, without setting the umask before that.
https://github.com/dracutdevs/dracut/commit/60928f36b6c9a855077506444ea5edbe6be9ec4c

This is a vulnerability if the user expectation is that specific content in the initrd is only accessible to privileged users, and it would be an information disclosure. This was previously the case: 
CVE-2012-4453 - https://bugzilla.redhat.com/show_bug.cgi?id=859448
https://github.com/dracutdevs/dracut/commit/e1b48995c26c4f06d1a718539cb1bd5b0179af91

The above was fixed in 024. Early Microcode update support was added in 030:
https://github.com/dracutdevs/dracut/commit/5f2c30d9bcd614d546d5c55c6897e33f88b9ab90

This seems to remain the case on current git master, here: 

cpio [...] > ${DRACUT_TMPDIR}/initramfs.img
umask 0077
cpio [...] >> ${DRACUT_TMPDIR}/initramfs.img
cp --reflink=auto "${DRACUT_TMPDIR}/initramfs.img" "$outfile"
Comment 4 Andreas Stieger 2016-11-04 12:22:19 UTC
Created attachment 700679 [details]
proposed patch against git master
Comment 5 Andreas Stieger 2016-11-04 12:23:12 UTC
Reported to upstream developer
Comment 6 c unix 2016-11-05 18:34:26 UTC
(In reply to Andreas Stieger from comment #4)
> Created attachment 700679 [details]
> proposed patch against git master

Thank you very much for the comprehensive examination and quick solution.

After adding "umask 077;" in line 1590 of /usr/bin/dracut locally, a newly created ramdisk with microcode included got the right permissions:

Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
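Added example, not dracut's code and not from either commenter: a small POSIX sh reproduction of the creation-order problem comment 3 analyses and of the fix comment 6 confirms. The two printf calls stand in for the early microcode cpio and the main cpio archive, umask 022 stands in for the typical default umask dracut inherits, the file names are constructed, and the helper names (build_vulnerable, build_fixed, mode_of, world_readable) are invented for this illustration. The world_readable check is the one an audit script would run against a built initrd to detect the condition the report describes.

```shell
#!/bin/sh
# Added example, not code from dracut or from this bug report.
# Models dracut 037's two-step archive write: the early cpio creates $outfile
# under the inherited umask, then the main archive is appended under umask 077.

# Vulnerable order (comment 3): the first redirect creates the file, so its
# mode is fixed by the umask in force at that moment. The later umask 077 only
# affects files created afterwards, and '>>' never changes an existing mode.
build_vulnerable() {
    out=$1
    rm -f "$out"
    ( umask 022; printf 'early_cpio\n' > "$out" )      # stands in for the microcode cpio
    ( umask 077; printf 'main_archive\n' >> "$out" )   # stands in for the compressed initramfs
}

# Fixed order (comment 6): restrict the umask before anything creates $outfile.
build_fixed() {
    out=$1
    rm -f "$out"
    ( umask 077; printf 'early_cpio\n' > "$out" )
    ( umask 077; printf 'main_archive\n' >> "$out" )
}

# Symbolic mode of a file, e.g. -rw-r--r-- (first ten characters of ls -l; portable).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 when 'other' has the read bit, the condition the report calls out.
# Octal -perm -004 is POSIX find, so this works as a check on /boot/initrd-* too.
world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

demo() {
    tmp=$(mktemp -d)
    build_vulnerable "$tmp/initrd-vuln.img"
    build_fixed "$tmp/initrd-fixed.img"
    printf 'vulnerable: %s\n' "$(mode_of "$tmp/initrd-vuln.img")"   # -rw-r--r--
    printf 'fixed:      %s\n' "$(mode_of "$tmp/initrd-fixed.img")"  # -rw-------
    rm -rf "$tmp"
}

demo
```

The point the script makes concrete is that a umask guards only the creation of a file, so the restrictive umask has to be in force before the first redirect that creates the output; placing it only around the append (as in the 037 code quoted in comment 3) leaves whatever mode the first writer produced.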
Comment 8 Sebastian Krahmer 2016-11-07 11:35:10 UTC
low severity -> VUL-1
Comment 9 Bernhard Wiedemann 2016-11-08 17:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (1008340) was mentioned in
https://build.opensuse.org/request/show/439223 Factory / dracut
Comment 15 Thomas Renninger 2017-02-07 14:25:03 UTC
Looks like the fix got submitted to all relevant SLE repos and maintenance update(s) are pending?
What about Leap? At some point dracut should get synced to the Leap repos and this is in then as well.
Closing already.
Comment 17 Andreas Stieger 2017-02-07 14:31:37 UTC
assigning back to security team
Comment 19 Swamp Workflow Management 2017-03-09 14:09:16 UTC
SUSE-SU-2017:0641-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1005410,1006118,1007925,1008340,1017695,986734,986838
CVE References: CVE-2016-8637
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    dracut-037-91.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    dracut-037-91.1
Comment 21 Swamp Workflow Management 2017-03-16 17:12:00 UTC
openSUSE-SU-2017:0708-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1005410,1006118,1007925,1008340,1017695,986734,986838
CVE References: CVE-2016-8637
Sources used:
openSUSE Leap 42.1 (src):    dracut-037-80.1
Comment 26 Swamp Workflow Management 2017-04-06 13:13:17 UTC
SUSE-SU-2017:0951-1: An update that solves one vulnerability and has 10 fixes is now available.

Category: security (moderate)
Bug References: 1005410,1006118,1007925,1008340,1008648,1017141,1017695,1019938,1020063,1021687,902375
CVE References: CVE-2016-8637
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    dracut-044-108.1
SUSE Linux Enterprise Server 12-SP2 (src):    dracut-044-108.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    dracut-044-108.1
OpenStack Cloud Magnum Orchestration 7 (src):    dracut-044-108.1
Comment 29 Swamp Workflow Management 2017-10-10 19:11:06 UTC
SUSE-SU-2017:2696-1: An update that solves one vulnerability and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1005410,1006118,1007925,1008340,1008648,1017695,1032576,1035743,935320,959803,986734,986838
CVE References: CVE-2016-8637
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    dracut-037-51.31.1
Comment 30 Marcus Meissner 2018-01-15 06:50:29 UTC
released