Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2017-16837: tboot: Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module (TPM) by h | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | astieger, matthias.gerstner, smash_bz |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/195090/ | ||
| Whiteboard: | CVSSv3:SUSE:CVE-2017-16837:7.4:(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv2:SUSE:CVE-2017-16837:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C) CVSSv3:RedHat:CVE-2017-16837:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Marcus Meissner
2017-11-16 08:36:07 UTC
This is an autogenerated message for OBS integration:
This bug (1068390) was mentioned in
https://build.opensuse.org/request/show/542218 Factory / tboot

I've reviewed the patch. It is really just a big search/replace operation to only access the global tpm structure via a function call wrapper. Then the previously mixed immutable/mutable data is split in two separate structures.

As far as I understand it, the fix is implicit: By moving the immutable function pointers into a constant structure, the corresponding data will be placed in a different ELF segment of the resulting binary, which will then be subject to measurement by the existing tools and code.

Upstream has not made a new release based on this bugfix. So I needed to patch even the factory version for now. The backport to SLE-12 is feasible, the backport to SLE-11 will be challenging for sure. For SLE-11 the minor issue from bug 889339 is also still pending due to backporting complexities.

For openSUSE codestreams I'll submit the factory version. It should be compatible.

Good news for the SUSE:SLE-11-SP2:Update codestream: The function pointers this security issue is about aren't present there.

The function pointers seem to have been introduced together with tpm 2.0 compatibility to switch between tpm 1.2 and tpm 2.0 during runtime. The version in SUSE:SLE-11-SP2:Update does not support tpm 2.0 yet and consequently there are no function pointers, just regular functions that will end up in the text segment anyways.

Treating it as not affected.

This is an autogenerated message for OBS integration:
This bug (1068390) was mentioned in
https://build.opensuse.org/request/show/542458 42.2 / tboot
https://build.opensuse.org/request/show/542460 42.3 / tboot

SUSE-SU-2017:3090-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1057555,1068390
CVE References: CVE-2017-16837
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src): tboot-20160518_1.9.4-7.5.1
SUSE Linux Enterprise Server 12-SP2 (src): tboot-20160518_1.9.4-7.5.1

done

openSUSE-SU-2017:3100-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1041264,1067229,1068390,964408,967441,981948
CVE References: CVE-2017-16837
Sources used:
openSUSE Leap 42.3 (src): tboot-20170711_1.9.6-7.1
openSUSE Leap 42.2 (src): tboot-20170711_1.9.6-4.3.1
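
The split described in the review comment above (function pointers moved out of the writable global into a constant structure, reached only through wrapper functions) can be reproduced in miniature. This is an added illustration, not code from tboot or from this bug: all names are hypothetical, it runs as an ordinary Linux process built with the usual toolchain defaults (RELRO for PIE builds), and it reads `/proc/self/maps` to show which mapping each object lands in; it does not perform any measurement.

```c
/* Added illustration with hypothetical names; not tboot source. Linux userland only. */
#include <stdint.h>
#include <stdio.h>

/* Before: call targets and runtime data share one writable object. */
struct tpm_mixed { int (*pcr_extend)(unsigned, uint32_t); uint32_t pcr[24]; };
/* After: immutable call targets and mutable state are separate types. */
struct tpm_ops   { int (*pcr_extend)(unsigned, uint32_t); };
struct tpm_state { uint32_t pcr[24]; };

static struct tpm_state g_state;                  /* .bss, writable */

static int sw_pcr_extend(unsigned pcr, uint32_t v)
{
    if (pcr >= 24) return -1;
    g_state.pcr[pcr] = g_state.pcr[pcr] * 31u + v; /* toy fold, not a real TPM extend */
    return 0;
}

static struct tpm_mixed g_mixed = { sw_pcr_extend, {0} }; /* .data, writable */
/* const: .rodata, or .data.rel.ro in PIE builds (read-only once RELRO is applied) */
static const struct tpm_ops g_ops = { sw_pcr_extend };

/* Wrappers: callers never touch the globals directly. */
struct tpm_mixed *get_tpm_mixed(void)   { return &g_mixed; }
const struct tpm_ops *get_tpm_ops(void) { return &g_ops; }
struct tpm_state *get_tpm_state(void)   { return &g_state; }

/* 1 = address is in a writable mapping, 0 = read-only, -1 = not found. */
int is_writable(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[5];
    unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
    int res = -1;
    if (!f) return -1;
    while (res < 0 && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && a >= lo && a < hi)
            res = (perms[1] == 'w');
    fclose(f);
    return res;
}

int main(void)
{
    printf("mixed struct writable: %d\n", is_writable(get_tpm_mixed()));
    printf("ops table writable:    %d\n", is_writable(get_tpm_ops()));
    printf("state writable:        %d\n", is_writable(get_tpm_state()));
    return get_tpm_ops()->pcr_extend(17, 0xabcd);
}
```

Running `readelf -S` on the resulting binary shows the same thing statically: the constant table sits in a different section from the mixed structure.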