Bugzilla – Bug 889332
VUL-0: CVE-2014-3676: shim: buffer overflow and OOB access in shim trusted code path
Last modified: 2020-10-16 10:27:55 UTC
Using shim's latest git commit 81ee561dde0213bc487aa1b701799f6d2faeaf31, shim contains an OOB access in get_v6_bootfile_url(), trusting option->Length and advancing the ptr out of bounds. Also there's an overflow in str2ip6(), which takes as an argument the tftp:// URL IPv6 address parsed from the DHCPv6 packet and doesn't expect so many ':' inside the loop:

    static UINT16 ip[8];
    for (i = 0; i < 8; i++) {
        ip[i] = 0;
    }
    len = strlen(str);
    a = b = str;
    for (i = p = 0; i < len; i++, b++) {
        if (*b != ':')
            continue;
        *b = '\0';
        ip[p++] = str2ns(a);   /* p is never checked against 8 */
        *b = ':';
        a = b + 1;
        if (*(b + 1) == ':')
            break;
    }

so that "a:a:a:a:a:a:a:a:a:a:a:a:a" will overwrite the ip array. Input is at most 40 bytes, as checked in the DHCPv6 parsing, but this suffices to cause a segfault via the memcpy(&tftp_addr.v6, str2ip6(ip6str), 16); call, triggered by user input via a DHCPv6 packet.
Note that this overflow is a potential code execution vulnerability while running in the trusted boot path, e.g. you can execute code at the highest privilege level possible on such UEFI secure boot machine.
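A bounded version of the str2ip6() group loop quoted above, as an added example that is not shim's code: str2ns() is stood in by a one-line hex parser (an assumption), vuln_slot_count() replays the original loop's control flow without performing its stores so the overflow shows up as a count, and safe_str2ip6() adds the missing p < 8 check alongside the 40-byte cap the comment mentions (uncompressed eight-group addresses only).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for shim's str2ns() (assumed here): parse one hex group. */
static uint16_t str2ns(const char *s) { return (uint16_t)strtoul(s, NULL, 16); }

/* Replays the original loop's control flow but only counts the ip[] slots it
 * would store to, instead of storing; any result above 8 is an OOB write. */
int vuln_slot_count(const char *str)
{
    size_t len = strlen(str);
    int p = 0;
    for (size_t i = 0; i < len; i++) {
        if (str[i] != ':') continue;
        p++;                              /* original: ip[p++] = str2ns(a); */
        if (str[i + 1] == ':') break;
    }
    return p;
}

/* Hardened parser: never stores past ip[7]. Accepts only the uncompressed
 * eight-group form; returns 0 on success, -1 on oversized or malformed input. */
int safe_str2ip6(const char *str, uint16_t ip[8])
{
    char buf[40];                         /* mirrors the 40-byte cap of the DHCPv6 parser */
    size_t len = strlen(str);
    if (len >= sizeof buf) return -1;
    memcpy(buf, str, len + 1);
    memset(ip, 0, 8 * sizeof ip[0]);
    char *a = buf;
    int p = 0;
    for (char *b = buf; ; b++) {
        if (*b != ':' && *b != '\0') continue;
        if (p >= 8) return -1;            /* the bounds check the original loop lacks */
        char saved = *b;
        *b = '\0';
        ip[p++] = str2ns(a);
        *b = saved;
        if (saved == '\0') break;
        a = b + 1;
    }
    return p == 8 ? 0 : -1;
}
/* Test helper: 1 if s parses and its first and last groups match. */
int parses_to(const char *s, uint16_t first, uint16_t last)
{
    uint16_t ip[8];
    return safe_str2ip6(s, ip) == 0 && ip[0] == first && ip[7] == last;
}
```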
bugbot adjusting priority
Created attachment 600372: patch for both issues.
Affected packages: SLE-11-SP3: shim
Notified Peter Jones and added him to this bug. We're discussing on how to proceed.
Looks like there is more OOB indeed when enrolling MOKs, which seem to be user input from a file.
static UINT32 count_keys(void *Data, UINTN DataSize), which is basically operating on user data taken from an input file, blindly trusts SignatureListSize; that can be used to create OOB memory reads or make it loop forever if SignatureListSize is 0.
Similarly with the call to build_mok_list(), which follows count_keys() and operates on the same input data w/o any boundary checks.
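A bounds-checked walk over EFI_SIGNATURE_LIST records of the kind count_keys() should have done, as an added example that is not shim's code: the record layout follows the UEFI specification, while count_keys_bounded(), count_sample() and the 100-byte sample list are constructed here to show how each size field is validated against the remaining input before it is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { uint8_t b[16]; } EFI_GUID;
/* EFI_SIGNATURE_LIST header as laid out by the UEFI spec (28 bytes here): type GUID,
 * three UINT32 sizes, then SignatureHeaderSize header bytes, then N signatures
 * of SignatureSize bytes each, every signature starting with an owner GUID. */
typedef struct {
    EFI_GUID SignatureType;
    uint32_t SignatureListSize;
    uint32_t SignatureHeaderSize;
    uint32_t SignatureSize;
} EFI_SIGNATURE_LIST;

/* Bounded replacement for count_keys(): returns the number of signatures in all
 * lists, or -1 if any size field does not fit in DataSize. It never reads past
 * Data + DataSize and cannot spin forever on SignatureListSize == 0. */
long count_keys_bounded(const void *Data, size_t DataSize)
{
    const uint8_t *p = Data;
    size_t left = DataSize;
    long count = 0;
    while (left > 0) {
        EFI_SIGNATURE_LIST h;
        if (left < sizeof h) return -1;              /* truncated header */
        memcpy(&h, p, sizeof h);                     /* alignment-safe read */
        if (h.SignatureHeaderSize > left - sizeof h) return -1;
        size_t hdr = sizeof h + h.SignatureHeaderSize;
        if (h.SignatureListSize < hdr || h.SignatureListSize > left) return -1;
        size_t body = h.SignatureListSize - hdr;
        if (h.SignatureSize <= sizeof(EFI_GUID) || body % h.SignatureSize) return -1;
        count += (long)(body / h.SignatureSize);
        p += h.SignatureListSize;                    /* always advances: ListSize >= 28 */
        left -= h.SignatureListSize;
    }
    return count;
}

/* Constructed sample MOK list: one EFI_SIGNATURE_LIST holding two 36-byte entries
 * (16-byte owner GUID + 20-byte payload) in a 100-byte buffer. list_size is written
 * into SignatureListSize; 100 is the correct value, anything else imitates a bad file. */
long count_sample(uint32_t list_size)
{
    uint8_t buf[100];
    EFI_SIGNATURE_LIST h = { {{0}}, list_size, 0, 36 };
    memset(buf, 0xAB, sizeof buf);
    memcpy(buf, &h, sizeof h);
    return count_keys_bounded(buf, sizeof buf);
}
```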
Created attachment 602006: MOK OOB patch (patch for MOK OOB access). Both patches need to be applied to fix all issues.
So I will request 3 CVEs later on:
1. OOB access when parsing DHCPv6 option list (DoS)
2. Heap overflow when parsing IPv6 address (RCE)
3. OOB access when parsing MOK List/Certificates on MOK enrollment (DoS)
1+2 are fixed with the first patch, 3 is fixed with the second patch.
Via Kurt Seifried: Please use the following CVEs:
CVE-2014-3675 shim OOB read access when parsing DHCPv6 packets (remote DoS).
CVE-2014-3676 shim Heap overflow when parsing IPv6 addresses provided by tftp:// DHCPv6 boot option (RCE).
CVE-2014-3677 shim Memory corruption when processing user provided MOK lists.
New CRD is Oct. 13th.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-10-20. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59352
SUSE-SU-2014:1619-1: An update that solves three vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 813448,863205,866690,875385,889332,889765
CVE References: CVE-2014-3675,CVE-2014-3676,CVE-2014-3677
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): gnu-efi-3.0u-0.7.2
SUSE Linux Enterprise Server 11 SP3 for VMware (src): gnu-efi-3.0u-0.7.2, shim-0.7.318.81ee561d-0.9.2
SUSE Linux Enterprise Server 11 SP3 (src): gnu-efi-3.0u-0.7.2, shim-0.7.318.81ee561d-0.9.2
SUSE Linux Enterprise Desktop 11 SP3 (src): shim-0.7.318.81ee561d-0.9.2
All updates were released (openSUSE didn't show up, but an update for 13.1 went out; 13.2 already had a fixed shim).
The update says:

    Patch openSUSE-2015-48-1.noarch

    This update requires you to confirm a dialog on the first
    reboot after installing the update! This is only
    necessary once.

    [OK]

How will this work when I don't have access to screen and keyboard? - JJ
(In reply to Joachim Wagner from comment #44) First you have to clarify if this affects you. See http://lists.opensuse.org/opensuse/2015-01/msg00513.html for details. It's very likely that this doesn't affect you. If you are using a secure boot setup (so bootctl shows you that you used shim to boot your system) then you will either have to find a way to confirm this dialog or you don't install this update.
(In reply to Johannes Segitz from comment #45) Thanks for the quick clarification. The command bootctl seems to be unavailable on openSUSE 12.3. However, as the machine uses legacy BIOS for booting, I guess it won't be affected. JJ
openSUSE-SU-2017:1967-1: An update that contains security fixes can now be installed.
Category: security (moderate)
Bug References: 798043,807760,808106,813079,813448,841426,863205,866690,867974,872503,873857,875385,877003,889332,889765
CVE References:
Sources used:
openSUSE 13.1 (src): gnu-efi-3.0u-2.5.1, pesign-0.109-3.9.2, shim-0.7.318.81ee561d-7.2
openSUSE 12.3 (src): gnu-efi-3.0u-6.5.1, pesign-0.109-3.19.1, shim-0.7.318.81ee561d-3.22.1
This is an autogenerated message for OBS integration: This bug (889332) was mentioned in https://build.opensuse.org/request/show/702795 Factory / shim