Bug 1068390 (CVE-2017-16837) - VUL-0: CVE-2017-16837: tboot: Certain function pointers in Trusted Boot (tboot) through 1.9.6 are notvalidated and can cause arbitrary code execution, which allows local users tooverwrite dynamic PCRs of Trusted Platform Module (TPM) by h
Summary: VUL-0: CVE-2017-16837: tboot: Certain function pointers in Trusted Boot (tboo...
Status: RESOLVED FIXED
Alias: CVE-2017-16837
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/195090/
Whiteboard: CVSSv3:SUSE:CVE-2017-16837:7.4:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-16 08:36 UTC by Marcus Meissner
Modified: 2023-09-28 19:00 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-11-16 08:36:07 UTC 
CVE-2017-16837

Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not
validated and can cause arbitrary code execution, which allows local users to
overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these
function pointers.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16837
https://sourceforge.net/p/tboot/code/ci/521c58e51eb5be105a29983742850e72c44ed80e/
Comment 1 Bernhard Wiedemann 2017-11-16 11:30:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1068390) was mentioned in
https://build.opensuse.org/request/show/542218 Factory / tboot
Comment 2 Matthias Gerstner 2017-11-16 13:37:02 UTC 
I've reviewed the patch. It is really just a big search/replace operation to
only access the global tpm structure via a function call wrapper. Then the
previously mixed immutable/mutable data is split in two separate structures.

As far as I understand it, the fix is implicit: By moving the immutable
function pointers into a constant structure, the corresponding data will be
placed in a different ELF segment of the resulting binary, which will then be
subject to measurement by the existing tools and code.

Upstream has not made a new release based on this bugfix. So I needed to patch
even the factory version for now.

The backport to SLE-12 is feasible, the backport to SLE-11 will be challenging
for sure. For SLE-11 the minor issue from bug 889339 is also still pending due
to backporting complexities.

For openSUSE codestreams I'll submit the factory version. It should be
compatible.
Comment 3 Matthias Gerstner 2017-11-16 15:22:30 UTC 
Good news for the SUSE:SLE-11-SP2:Update codestream: The function pointers
this security issue is about aren't present there. The function pointers seem
to have been introduced together with tpm 2.0 compatibility to switch between
tpm 1.2 and tpm 2.0 during runtime.

The version in SUSE:SLE-11-SP2:Update does not support tpm 2.0 yet and
consequently there are no function pointers, just regular functions that will
end up in the text segment anyways. Treating it as not affected.
Comment 5 Bernhard Wiedemann 2017-11-16 16:10:12 UTC 
This is an autogenerated message for OBS integration:
This bug (1068390) was mentioned in
https://build.opensuse.org/request/show/542458 42.2 / tboot
https://build.opensuse.org/request/show/542460 42.3 / tboot
Comment 6 Swamp Workflow Management 2017-11-24 20:21:02 UTC 
SUSE-SU-2017:3090-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1057555,1068390
CVE References: CVE-2017-16837
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    tboot-20160518_1.9.4-7.5.1
SUSE Linux Enterprise Server 12-SP2 (src):    tboot-20160518_1.9.4-7.5.1
Comment 7 Andreas Stieger 2017-11-25 19:58:54 UTC 
done
Comment 8 Swamp Workflow Management 2017-11-25 23:09:03 UTC 
openSUSE-SU-2017:3100-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1041264,1067229,1068390,964408,967441,981948
CVE References: CVE-2017-16837
Sources used:
openSUSE Leap 42.3 (src):    tboot-20170711_1.9.6-7.1
openSUSE Leap 42.2 (src):    tboot-20170711_1.9.6-4.3.1