Bug 1188080 - (CVE-2021-35039) VUL-0: CVE-2021-35039: kernel-source-azure,kernel-source-rt,kernel-source: kernel loading unsigned kernel modules via init_module syscall
(CVE-2021-35039)
VUL-0: CVE-2021-35039: kernel-source-azure,kernel-source-rt,kernel-source: ke...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/303531/
CVSSv3.1:SUSE:CVE-2021-35039:7.8:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-07-07 10:41 UTC by Robert Frohl
Modified: 2022-07-21 20:02 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-07-07 10:41:49 UTC
CVE-2021-35039

kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature
Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that
a kernel module is signed, for loading via init_module, does not occur for a
module.sig_enforce=1 command-line argument.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35039
http://seclists.org/oss-sec/2021/q3/6
https://www.openwall.com/lists/oss-security/2021/07/06/3
https://github.com/torvalds/linux/commit/0c18f29aae7ce3dadd26d8ee3505d07cc982df75
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35039
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12.14
Comment 1 Michal Hocko 2021-07-07 11:29:36 UTC
Jessica, could you have a look please?
Comment 2 Jessica Yu 2021-07-07 11:46:52 UTC
(In reply to Robert Frohl from comment #0)
> CVE-2021-35039
> 
> kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature
> Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification
> that
> a kernel module is signed, for loading via init_module, does not occur for a
> module.sig_enforce=1 command-line argument.
> 
> References:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35039
> http://seclists.org/oss-sec/2021/q3/6
> https://www.openwall.com/lists/oss-security/2021/07/06/3
> https://github.com/torvalds/linux/commit/
> 0c18f29aae7ce3dadd26d8ee3505d07cc982df75
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35039
> https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12.14

The fix is already in our SLE15-SP2 and SLE15-SP3 trees since June, so it should already be included in the latest July MU round. However, this was before the CVE was assigned, so I will update the References in the patch to include the CVE number.
Comment 3 Jessica Yu 2021-07-07 11:53:44 UTC
(In reply to Jessica Yu from comment #2)
> (In reply to Robert Frohl from comment #0)
> > CVE-2021-35039
> > 
> > kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature
> > Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification
> > that
> > a kernel module is signed, for loading via init_module, does not occur for a
> > module.sig_enforce=1 command-line argument.
> > 
> > References:
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35039
> > http://seclists.org/oss-sec/2021/q3/6
> > https://www.openwall.com/lists/oss-security/2021/07/06/3
> > https://github.com/torvalds/linux/commit/
> > 0c18f29aae7ce3dadd26d8ee3505d07cc982df75
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35039
> > https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12.14
> 
> The fix is already in our SLE15-SP2 and SLE15-SP3 trees since June, so it
> should already be included in the latest July MU round. However, this was
> before the CVE was assigned, so I will update the References in the patch to
> include the CVE number.

Ah, and will backport this to the other cve branches where applicable.
Comment 6 Jessica Yu 2021-07-08 13:50:46 UTC
(In reply to Jessica Yu from comment #3)
> (In reply to Jessica Yu from comment #2)
> > (In reply to Robert Frohl from comment #0)
> > > CVE-2021-35039
> > > 
> > > kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature
> > > Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification
> > > that
> > > a kernel module is signed, for loading via init_module, does not occur for a
> > > module.sig_enforce=1 command-line argument.
> > > 
> > > References:
> > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35039
> > > http://seclists.org/oss-sec/2021/q3/6
> > > https://www.openwall.com/lists/oss-security/2021/07/06/3
> > > https://github.com/torvalds/linux/commit/
> > > 0c18f29aae7ce3dadd26d8ee3505d07cc982df75
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35039
> > > https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12.14
> > 
> > The fix is already in our SLE15-SP2 and SLE15-SP3 trees since June, so it
> > should already be included in the latest July MU round. However, this was
> > before the CVE was assigned, so I will update the References in the patch to
> > include the CVE number.
> 
> Ah, and will backport this to the other cve branches where applicable.

According to [1][2], only kernel versions v4.15 and up are affected. Indeed, the commit in the Fixes: tag was only introduced from kernel version v4.15. The exported getter function is_module_sig_enforced() does not exist in older kernels so there are no other subsystems that are relying on sig_enforce, it is a purely local variable to module.c. Thus when CONFIG_MODULE_SIG=n and sig_enforce=1 is set on the cmdline, this essentially is a no-op. So I do not think this needs to be backported to our older kernel branches.

[1] https://seclists.org/oss-sec/2021/q3/6
[2] https://www.openwall.com/lists/oss-security/2021/07/06/3
Comment 7 Marcus Meissner 2021-07-13 13:52:08 UTC
our kernels are built with CONFIG_MODULE_SIG=y

so i would say this issue does not affect our kernels?
Comment 14 Swamp Workflow Management 2021-07-20 16:20:53 UTC
SUSE-SU-2021:2408-1: An update that solves 5 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1170511,1179243,1183871,1184114,1184804,1185308,1185791,1187215,1187585,1188036,1188062,1188080,1188116,1188121,1188176,1188267,1188268,1188269
CVE References: CVE-2021-22555,CVE-2021-33909,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    kernel-azure-5.3.18-18.58.1, kernel-source-azure-5.3.18-18.58.1, kernel-syms-azure-5.3.18-18.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 OBSbugzilla Bot 2021-07-21 11:11:49 UTC
This is an autogenerated message for OBS integration:
This bug (1188080) was mentioned in
https://build.opensuse.org/request/show/907471 15.2 / kernel-source
Comment 18 Swamp Workflow Management 2021-07-21 16:26:30 UTC
SUSE-SU-2021:2438-1: An update that solves 5 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1170511,1179243,1183871,1184114,1184804,1185308,1185791,1187215,1187585,1188036,1188062,1188080,1188116,1188121,1188176,1188267,1188268,1188269
CVE References: CVE-2021-22555,CVE-2021-33909,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    kernel-default-5.3.18-24.75.3, kernel-default-base-5.3.18-24.75.3.9.34.3
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    kernel-default-5.3.18-24.75.3, kernel-preempt-5.3.18-24.75.3
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-24.75.3, kernel-livepatch-SLE15-SP2_Update_17-1-5.3.3
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    kernel-default-5.3.18-24.75.3
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    kernel-docs-5.3.18-24.75.2, kernel-obs-build-5.3.18-24.75.3, kernel-preempt-5.3.18-24.75.3, kernel-source-5.3.18-24.75.2, kernel-syms-5.3.18-24.75.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    kernel-default-5.3.18-24.75.3, kernel-default-base-5.3.18-24.75.3.9.34.3, kernel-preempt-5.3.18-24.75.3, kernel-source-5.3.18-24.75.2
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-24.75.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2021-07-22 10:22:58 UTC
openSUSE-SU-2021:1076-1: An update that solves 5 vulnerabilities and has 24 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1155518,1170511,1176940,1179243,1180092,1183871,1184114,1184804,1185308,1185791,1186206,1187215,1187585,1188036,1188062,1188080,1188116,1188121,1188176,1188267,1188268,1188269,1188405,1188445
CVE References: CVE-2021-22555,CVE-2021-33909,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kernel-debug-5.3.18-lp152.84.1, kernel-default-5.3.18-lp152.84.1, kernel-default-base-5.3.18-lp152.84.1.lp152.8.38.1, kernel-docs-5.3.18-lp152.84.1, kernel-kvmsmall-5.3.18-lp152.84.1, kernel-obs-build-5.3.18-lp152.84.1, kernel-obs-qa-5.3.18-lp152.84.1, kernel-preempt-5.3.18-lp152.84.1, kernel-source-5.3.18-lp152.84.1, kernel-syms-5.3.18-lp152.84.1
Comment 22 Swamp Workflow Management 2021-08-03 16:18:20 UTC
SUSE-SU-2021:2599-1: An update that solves four vulnerabilities, contains three features and has 23 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1155518,1170511,1179243,1180092,1183871,1184114,1184804,1185308,1185791,1186206,1187215,1187585,1188036,1188080,1188116,1188121,1188176,1188267,1188268,1188269,1188405,1188525
CVE References: CVE-2021-22555,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: SLE-17042,SLE-17043,SLE-17268
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP2 (src):    kernel-rt-5.3.18-45.3, kernel-rt_debug-5.3.18-45.3, kernel-source-rt-5.3.18-45.3, kernel-syms-rt-5.3.18-45.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2021-08-05 15:38:06 UTC
SUSE-SU-2021:2599-2: An update that solves four vulnerabilities, contains three features and has 23 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1152472,1152489,1155518,1170511,1179243,1180092,1183871,1184114,1184804,1185308,1185791,1186206,1187215,1187585,1188036,1188080,1188116,1188121,1188176,1188267,1188268,1188269,1188405,1188525
CVE References: CVE-2021-22555,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612
JIRA References: SLE-17042,SLE-17043,SLE-17268
Sources used:
SUSE MicroOS 5.0 (src):    kernel-rt-5.3.18-45.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2021-08-10 13:21:23 UTC
openSUSE-SU-2021:2645-1: An update that solves 7 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1152472,1152489,1153274,1154353,1155518,1156395,1170511,1176447,1176940,1179243,1180092,1180814,1183871,1184114,1184350,1184631,1184804,1185308,1185377,1185791,1186194,1186206,1186482,1186483,1187215,1187476,1187495,1187585,1188036,1188080,1188101,1188121,1188126,1188176,1188267,1188268,1188269,1188323,1188366,1188405,1188445,1188504,1188620,1188683,1188703,1188720,1188746,1188747,1188748,1188752,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188893,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-38.17.1, kernel-source-azure-5.3.18-38.17.1, kernel-syms-azure-5.3.18-38.17.1
Comment 28 Swamp Workflow Management 2021-08-10 13:30:14 UTC
SUSE-SU-2021:2645-1: An update that solves 7 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1152472,1152489,1153274,1154353,1155518,1156395,1170511,1176447,1176940,1179243,1180092,1180814,1183871,1184114,1184350,1184631,1184804,1185308,1185377,1185791,1186194,1186206,1186482,1186483,1187215,1187476,1187495,1187585,1188036,1188080,1188101,1188121,1188126,1188176,1188267,1188268,1188269,1188323,1188366,1188405,1188445,1188504,1188620,1188683,1188703,1188720,1188746,1188747,1188748,1188752,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188893,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-38.17.1, kernel-source-azure-5.3.18-38.17.1, kernel-syms-azure-5.3.18-38.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2021-08-14 13:26:05 UTC
openSUSE-SU-2021:2687-1: An update that solves 7 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1152472,1152489,1153274,1154353,1155518,1156395,1170511,1176447,1176940,1179243,1180092,1180814,1183871,1184114,1184350,1184631,1184804,1185308,1185377,1185791,1186194,1186206,1186482,1186483,1187215,1187476,1187495,1187585,1188036,1188080,1188101,1188121,1188126,1188176,1188267,1188268,1188269,1188323,1188366,1188405,1188445,1188504,1188620,1188683,1188703,1188720,1188746,1188747,1188748,1188752,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188893,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-59.19.1, kernel-64kb-5.3.18-59.19.1, kernel-debug-5.3.18-59.19.1, kernel-default-5.3.18-59.19.1, kernel-default-base-5.3.18-59.19.1.18.10.1, kernel-docs-5.3.18-59.19.1, kernel-kvmsmall-5.3.18-59.19.1, kernel-obs-build-5.3.18-59.19.1, kernel-obs-qa-5.3.18-59.19.1, kernel-preempt-5.3.18-59.19.1, kernel-source-5.3.18-59.19.1, kernel-syms-5.3.18-59.19.1, kernel-zfcpdump-5.3.18-59.19.1
Comment 30 Swamp Workflow Management 2021-08-14 13:35:14 UTC
SUSE-SU-2021:2687-1: An update that solves 7 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1065729,1085224,1094840,1113295,1152472,1152489,1153274,1154353,1155518,1156395,1170511,1176447,1176940,1179243,1180092,1180814,1183871,1184114,1184350,1184631,1184804,1185308,1185377,1185791,1186194,1186206,1186482,1186483,1187215,1187476,1187495,1187585,1188036,1188080,1188101,1188121,1188126,1188176,1188267,1188268,1188269,1188323,1188366,1188405,1188445,1188504,1188620,1188683,1188703,1188720,1188746,1188747,1188748,1188752,1188770,1188771,1188772,1188773,1188774,1188777,1188838,1188876,1188885,1188893,1188973
CVE References: CVE-2021-21781,CVE-2021-22543,CVE-2021-35039,CVE-2021-3609,CVE-2021-3612,CVE-2021-3659,CVE-2021-37576
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-59.19.1, kernel-preempt-5.3.18-59.19.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-59.19.1, kernel-livepatch-SLE15-SP3_Update_5-1-7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-59.19.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-59.19.1, kernel-obs-build-5.3.18-59.19.1, kernel-preempt-5.3.18-59.19.1, kernel-source-5.3.18-59.19.1, kernel-syms-5.3.18-59.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-59.19.1, kernel-default-5.3.18-59.19.1, kernel-default-base-5.3.18-59.19.1.18.10.1, kernel-preempt-5.3.18-59.19.1, kernel-source-5.3.18-59.19.1, kernel-zfcpdump-5.3.18-59.19.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-59.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.