Bug 889339 (CVE-2014-5118) - VUL-1: CVE-2014-5118: tboot: bypass of measured boot
Summary: VUL-1: CVE-2014-5118: tboot: bypass of measured boot
Status: RESOLVED FIXED
Alias: CVE-2014-5118
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Matthias Gerstner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/104084/
Whiteboard: CVSSv2:RedHat:CVE-2014-5118:1.7:(AV:L...
Reported: 2014-07-29 10:52 UTC by Marcus Meissner
Modified: 2018-11-27 09:41 UTC

Description Marcus Meissner 2014-07-29 10:52:49 UTC
via tboot 1.8.2 announcement

The trusted boot loader module "tboot" did not measure all command-line parameters,
which made it possible to pretend that a measured boot had taken place while a
workaround was possible (breaking the measured boot chain).

All previous tboot versions < 1.8.2 are affected.

http://sourceforge.net/p/tboot/code/ci/0efdaf7c5348701484d24562e6e5323d85bb94d3/

http://sourceforge.net/p/tboot/mailman/message/32655538/
http://sourceforge.net/p/tboot/mailman/message/32659733/
Comment 1 Swamp Workflow Management 2014-07-29 22:00:26 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-08-22 10:46:00 UTC
SLES 12 GA already will have tboot 1.8.2, also in factory.
Comment 3 SMASH SMASH 2014-08-29 08:10:11 UTC
Affected packages:

SLE-11-SP3: tboot
SLE-11-SP3-PRODUCTS: tboot
SLE-11-SP3-UPTU: tboot
Comment 4 Matthias Gerstner 2017-08-03 09:37:06 UTC
I've looked at this bugfix and the backporting situation. Upstream has
improved on the original bugfix in the meantime, it seems:

- https://sourceforge.net/p/tboot/code/ci/664e696da669
- https://sourceforge.net/p/tboot/code/ci/848361645fd2

The original and the current bugfix are very difficult to backport, however,
because major changes between 1.7.x and 1.8.x have been made to support UEFI,
mainly in this commit:

- https://sourceforge.net/p/tboot/code/ci/344

Backporting to SLE-11 would require a deep understanding of tboot internal
data structures, because they've all changed. I don't think this is currently
worth the effort for a VUL-1 bug.
Comment 5 Matthias Gerstner 2017-11-16 15:05:29 UTC
Due to the major bug 1068390 affecting tboot, I'm revisiting this issue for
SLE-11 as well.

The original bugfix mentioned in this bug was replaced by upstream by this
one:

    https://sourceforge.net/p/tboot/code/ci/664e696da669

Basically it puts the burden of excluding the first command line parameter in
the grub2 case onto the user. This means a change of behaviour occurs by way
of this bugfix!

The call to `lcp_mlehash -c "the command line from grub.conf" /boot/tboot.gz`
needs to exclude the first file name from the command line field for the hash
to verify correctly.

I'm currently backporting this very patch to SLE-11 to address this issue.
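
The command-line preparation described in comment 5, as an added example that is not part of the original bug report or of tboot: it extracts from a GRUB legacy configuration the string to pass to `lcp_mlehash -c`, with the directive and the first file name removed and the remaining parameters kept byte for byte. The `kernel <path>/tboot.gz ...` line syntax, the function names and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from tboot or SUSE.
# Assumption: GRUB legacy syntax, where the tboot entry is a line of the
# form "kernel <path>/tboot.gz [parameters...]".

# Constructed sample configuration (not taken from a real system).
SAMPLE_GRUB_CONF='# constructed sample
title Linux with tboot
    root (hd0,0)
    kernel /boot/tboot.gz logging=serial,vga,memory
    module /boot/vmlinuz root=/dev/sda2
title Linux without tboot
    kernel /boot/vmlinuz root=/dev/sda2
'

# Print, one per line, the parameters of every tboot "kernel" line with the
# directive and the first file name removed. The rest of the line is kept
# verbatim (inner spacing included), because the hash covers the exact string.
tboot_hash_cmdline() {
    printf '%s\n' "$1" | awk '
        $1 == "kernel" && ($2 == "tboot.gz" || $2 ~ /\/tboot\.gz$/) {
            line = $0
            # Strip indentation, directive, first file name and separator.
            sub(/^[ \t]*kernel[ \t]+[^ \t]+[ \t]*/, "", line)
            print line
        }'
}

# Print the lcp_mlehash invocation for each tboot entry found.
# $1 = configuration text, $2 = path of the tboot image to hash.
lcp_mlehash_call() {
    tboot_hash_cmdline "$1" | while IFS= read -r params; do
        printf 'lcp_mlehash -c "%s" %s\n' "$params" "$2"
    done
}

# Show the command for the constructed sample; it is printed, not executed.
lcp_mlehash_call "$SAMPLE_GRUB_CONF" /boot/tboot.gz
```
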
Comment 7 Swamp Workflow Management 2017-11-29 18:37:36 UTC
SUSE-SU-2017:3114-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1057555,889339
CVE References: CVE-2014-5118
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    tboot-20120115_1.7.0-0.5.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tboot-20120115_1.7.0-0.5.5.1
Comment 8 Matthias Gerstner 2018-11-27 09:41:19 UTC
All affected codestreams are released by now. Closing as fixed.