Bugzilla – Bug 1008340
VUL-1: CVE-2016-8637: dracut: creates world readable initramfs when early cpio is used
Last modified: 2021-03-02 16:25:42 UTC
With dracut-037-17.33.1.x86_64 and ucode-intel-20140913-4.1.x86_64 installed, a created initrd gets these permissions:

    Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)

Without the ucode package installed or when running dracut with the option "--no-early-microcode", the permissions of the initrd are:

    Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)

In both cases the file access should be restricted as seen in the second example. Otherwise any user can read root's private files that are included in the initrd - for example keyfiles. If this is a bug, security might be affected.
(In reply to not provided from comment #0)
> security might be affected.

We'll check it out...
bugbot adjusting priority
The difference does indeed depend on whether create_early_cpio is on, as happens with microcode updates. From https://github.com/dracutdevs/dracut/blob/037/dracut.sh

> if [[ $create_early_cpio = yes ]]; then
>     echo 1 > "$early_cpio_dir/d/early_cpio"
>     # The microcode blob is _before_ the initramfs blob, not after
>     (cd "$early_cpio_dir/d"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet > $outfile)
> fi
>
> if ! ( umask 077; cd "$initdir"; find . -print0 | cpio --null $cpio_owner_root -H newc -o --quiet | \
>     $compress >> "$outfile"; ); then
>     dfatal "dracut: creation of $outfile failed"
>     exit 1
> fi

Permissions of outfile depend on umask at creation time, and appending does not change them. Current code and recent changes for UEFI seem to be at least aware, without setting the umask before that.
https://github.com/dracutdevs/dracut/commit/60928f36b6c9a855077506444ea5edbe6be9ec4c

This is a vulnerability if the user expectation is that specific content in the initrd is only accessible to privileged users, and it would be an information disclosure. This was previously the case:
CVE-2012-4453 - https://bugzilla.redhat.com/show_bug.cgi?id=859448
https://github.com/dracutdevs/dracut/commit/e1b48995c26c4f06d1a718539cb1bd5b0179af91

The above was fixed in 024. Early Microcode update support was added in 030:
https://github.com/dracutdevs/dracut/commit/5f2c30d9bcd614d546d5c55c6897e33f88b9ab90

This seems to remain the case on current git master, here:

    cpio [...] > ${DRACUT_TMPDIR}/initramfs.img
    umask 0077
    cpio [...] >> ${DRACUT_TMPDIR}/initramfs.img
    cp --reflink=auto "${DRACUT_TMPDIR}/initramfs.img" "$outfile"
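Added example, not part of this bug report or of dracut itself: it reproduces in a scratch directory the mechanism the analysis above describes (the file mode is fixed by the umask in effect when the output file is created, and later appends under a stricter umask do not change it), shows the corrected ordering, and provides a check that lists world-readable initrd images in a given directory. It assumes a POSIX sh with mktemp and an "ls -l" that prints the usual ten-character mode field; all file names are constructed for the demonstration.

```sh
#!/bin/sh
# Vulnerable sequence: the early cpio is written under the inherited umask
# (022 here, typical for a root shell), then the main archive is appended
# under umask 077. The append cannot change the mode set at creation.
vulnerable_build() {
    out=$1
    rm -f "$out"
    ( umask 022; printf 'early_cpio\n' > "$out" )   # created as 0644
    ( umask 077; printf 'initramfs\n' >> "$out" )   # still 0644
}

# Fixed sequence (same idea as the accepted upstream change): umask 077 is
# in effect before the output file is first created, so it is 0600 from
# the start and the appended main archive inherits that.
fixed_build() {
    out=$1
    rm -f "$out"
    ( umask 077
      printf 'early_cpio\n' > "$out"
      printf 'initramfs\n' >> "$out" )
}

# Ten-character mode string of a file, e.g. -rw-r--r--, from "ls -ld".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 when the "other" read bit (column 8 of the mode string) is set.
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Defender check: report every initrd*/initramfs* image directly under DIR
# that other users can read. Exit status 1 if any was found, 0 if clean.
check_initrds() {
    found=0
    for f in "$1"/initrd* "$1"/initramfs*; do
        [ -f "$f" ] || continue
        if is_world_readable "$f"; then
            echo "world readable: $f ($(mode_of "$f"))"
            found=1
        fi
    done
    return $found
}
```

On a real system the check would be run as `check_initrds /boot`; the two build functions only exist to make the umask effect visible without running dracut.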
Created attachment 700679 [details] proposed patch against git master
Reported to upstream developer
(In reply to Andreas Stieger from comment #4)
> Created attachment 700679 [details]
> proposed patch against git master

Thank you very much for the comprehensive examination and quick solution. After adding "umask 077;" in line 1590 of /usr/bin/dracut locally, a newly created ramdisk with microcode included got the right permissions:

    Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Accepted upstream https://github.com/dracutdevs/dracut/commit/0db98910a11c12a454eac4c8e86dc7a7bbc764a4
low severity -> VUL-1
This is an autogenerated message for OBS integration: This bug (1008340) was mentioned in https://build.opensuse.org/request/show/439223 Factory / dracut
Looks like the fix got submitted to all relevant SLE repos and maintenance update(s) are pending? What about Leap? At some point of time dracut should get synced to Leap repos and this is in then as well. Closing already.
assigning back to security team
SUSE-SU-2017:0641-1: An update that solves one vulnerability and has 6 fixes is now available. Category: security (moderate) Bug References: 1005410,1006118,1007925,1008340,1017695,986734,986838 CVE References: CVE-2016-8637 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): dracut-037-91.1 SUSE Linux Enterprise Desktop 12-SP1 (src): dracut-037-91.1
openSUSE-SU-2017:0708-1: An update that solves one vulnerability and has 6 fixes is now available. Category: security (moderate) Bug References: 1005410,1006118,1007925,1008340,1017695,986734,986838 CVE References: CVE-2016-8637 Sources used: openSUSE Leap 42.1 (src): dracut-037-80.1
SUSE-SU-2017:0951-1: An update that solves one vulnerability and has 10 fixes is now available. Category: security (moderate) Bug References: 1005410,1006118,1007925,1008340,1008648,1017141,1017695,1019938,1020063,1021687,902375 CVE References: CVE-2016-8637 Sources used: SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): dracut-044-108.1 SUSE Linux Enterprise Server 12-SP2 (src): dracut-044-108.1 SUSE Linux Enterprise Desktop 12-SP2 (src): dracut-044-108.1 OpenStack Cloud Magnum Orchestration 7 (src): dracut-044-108.1
SUSE-SU-2017:2696-1: An update that solves one vulnerability and has 11 fixes is now available. Category: security (moderate) Bug References: 1005410,1006118,1007925,1008340,1008648,1017695,1032576,1035743,935320,959803,986734,986838 CVE References: CVE-2016-8637 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): dracut-037-51.31.1
released