Bug 1177315

Summary: VUL-1: shim: does not enforce codesigning certificate in x509 key chain
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Gary Ching-Pang Lin <glin>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bchou, jlee, jsegitz, llzhao, lnussel, pdostal
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2020-10-05 14:16:57 UTC 
NDA SUSE

The current shim code does enforce the Extended Key Usage Attribute "Code Signing" when it uses and checks keys.

Currently:

- shim embeds the SUSE UEFI CA
- It loads signing certs + signatures from EFI binaries.
- it verifies the certs , but it does NOT enforce the Extended Key Usage "CodeSigning" attribute
Comment 2 Marcus Meissner 2020-10-05 14:36:39 UTC 
A problem of the NIAP PP_OS V4.2.1

https://www.niap-ccevs.org/MMO/PP/PP_OS_V4.2.1.pdf

FIA_X509_EXT.1X.509Certificate Validation

...

The OS shall validate the extendedKeyUsage field according to the following
rules:
Certificates used for trusted updates and executable code integrity
verification shall have the Code Signing purpose (id-kp 3 with OID
1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field.

...
Comment 8 Marcus Meissner 2020-10-16 08:14:54 UTC 
make public
Comment 10 Swamp Workflow Management 2020-10-20 19:20:30 UTC 
SUSE-RU-2020:2971-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1177315
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    certification-sles-eal4-15.2+git20201015.eccdcab-5.12.2
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    shim-15+git47-3.11.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    shim-15+git47-3.11.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Gary Ching-Pang Lin 2020-10-22 01:12:52 UTC 
A bug was found in VerifyEKUsInPkcs7Signature() and the patch was sent to edk2 ML yesterday:
https://bugzilla.tianocore.org/show_bug.cgi?id=2459
Comment 12 Marcus Meissner 2020-10-22 06:11:11 UTC 
can you resubmit SUSE:SLE-15-SP1:Update/shim-susesigned with the fix?
Comment 14 Swamp Workflow Management 2020-10-27 17:16:10 UTC 
SUSE-RU-2020:3046-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1177315
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    shim-15+git47-3.13.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    shim-15+git47-3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Marcus Meissner 2021-01-04 08:00:23 UTC 
embargo end was shifted to MARCH

CRD: 2021-03-02
Comment 17 OBSbugzilla Bot 2021-04-22 07:00:09 UTC 
This is an autogenerated message for OBS integration:
This bug (1177315) was mentioned in
https://build.opensuse.org/request/show/887447 15.2 / shim
Comment 18 Swamp Workflow Management 2021-04-23 16:20:13 UTC 
openSUSE-SU-2021:0598-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (important)
Bug References: 1173411,1174512,1175509,1177315,1177404,1177789,1182057,1184454
CVE References: CVE-2019-14584
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    shim-15.4-lp152.4.8.1
Comment 22 Swamp Workflow Management 2021-05-11 16:15:27 UTC 
SUSE-SU-2021:1564-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1177315,1182057,1185464
CVE References: 
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    shim-15.4-3.20.1
SUSE Manager Server 4.0 (src):    shim-15.4-3.20.1
SUSE Manager Retail Branch Server 4.0 (src):    shim-15.4-3.20.1
SUSE Manager Proxy 4.0 (src):    shim-15.4-3.20.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    shim-15.4-3.20.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    shim-15.4-3.20.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    shim-15.4-3.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    shim-15.4-3.20.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    shim-15.4-3.20.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    shim-15.4-3.20.1
SUSE Enterprise Storage 6 (src):    shim-15.4-3.20.1
SUSE CaaS Platform 4.0 (src):    shim-15.4-3.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Marcus Meissner 2021-09-07 12:44:32 UTC 
released
Comment 26 Swamp Workflow Management 2021-09-24 13:21:19 UTC 
SUSE-RU-2021:3224-1: An update that has 12 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696
CVE References: 
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    shim-15.4-3.32.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    shim-susesigned-15.4-3.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    shim-15.4-3.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2021-09-24 13:26:03 UTC 
openSUSE-RU-2021:3224-1: An update that has 12 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    shim-susesigned-15.4-3.10.1