CVE-2015-7837 - The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when bo

CVE-2015-7837

Summary

The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions by leveraging improper handling of secure_boot flag across kexec reboot.

References

Vulnerable Configurations

cpe:2.3:o:redhat:kernel-rt:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:kernel-rt:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*

CVSS

Base:	2.1 (as of 05-10-2017 - 14:43)
Impact:
Exploitability:

CWE

CWE-254

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:L/AC:L/Au:N/C:N/I:P/A:N

redhat via4

advisories

bugzilla

id	1272472
title	CVE-2015-7837 kernel: securelevel disabled after kexec

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

comment kernel-rt earlier than 0:3.10.0-327.rt56.204.el7 is currently running
oval oval:com.redhat.rhsa:tst:20152152031
comment kernel-rt earlier than 0:3.10.0-327.rt56.204.el7 is set to boot up on next boot
oval oval:com.redhat.rhsa:tst:20152411016

AND

comment kernel-rt is earlier than 0:3.10.0-327.rt56.204.el7
oval oval:com.redhat.rhsa:tst:20152411001
comment kernel-rt is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727002

AND

comment kernel-rt-debug is earlier than 0:3.10.0-327.rt56.204.el7
oval oval:com.redhat.rhsa:tst:20152411003
comment kernel-rt-debug is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727004

AND

comment kernel-rt-debug-devel is earlier than 0:3.10.0-327.rt56.204.el7
oval oval:com.redhat.rhsa:tst:20152411005
comment kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727006

AND

comment kernel-rt-devel is earlier than 0:3.10.0-327.rt56.204.el7
oval oval:com.redhat.rhsa:tst:20152411007
comment kernel-rt-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727008

AND

comment kernel-rt-doc is earlier than 0:3.10.0-327.rt56.204.el7
oval oval:com.redhat.rhsa:tst:20152411009
comment kernel-rt-doc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727010

AND

comment kernel-rt-trace is earlier than 0:3.10.0-327.rt56.204.el7
oval oval:com.redhat.rhsa:tst:20152411011
comment kernel-rt-trace is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727012

AND

comment kernel-rt-trace-devel is earlier than 0:3.10.0-327.rt56.204.el7
oval oval:com.redhat.rhsa:tst:20152411013
comment kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727014

rhsa

id	RHSA-2015:2411
released	2015-11-19
severity	Important
title	RHSA-2015:2411: kernel-rt security, bug fix, and enhancement update (Important)

rhsa
id RHSA-2015:2152

rpms

kernel-0:3.10.0-327.el7
kernel-abi-whitelists-0:3.10.0-327.el7
kernel-bootwrapper-0:3.10.0-327.el7
kernel-debug-0:3.10.0-327.el7
kernel-debug-debuginfo-0:3.10.0-327.el7
kernel-debug-devel-0:3.10.0-327.el7
kernel-debuginfo-0:3.10.0-327.el7
kernel-debuginfo-common-ppc64-0:3.10.0-327.el7
kernel-debuginfo-common-ppc64le-0:3.10.0-327.el7
kernel-debuginfo-common-s390x-0:3.10.0-327.el7
kernel-debuginfo-common-x86_64-0:3.10.0-327.el7
kernel-devel-0:3.10.0-327.el7
kernel-doc-0:3.10.0-327.el7
kernel-headers-0:3.10.0-327.el7
kernel-kdump-0:3.10.0-327.el7
kernel-kdump-debuginfo-0:3.10.0-327.el7
kernel-kdump-devel-0:3.10.0-327.el7
kernel-tools-0:3.10.0-327.el7
kernel-tools-debuginfo-0:3.10.0-327.el7
kernel-tools-libs-0:3.10.0-327.el7
kernel-tools-libs-devel-0:3.10.0-327.el7
perf-0:3.10.0-327.el7
perf-debuginfo-0:3.10.0-327.el7
python-perf-0:3.10.0-327.el7
python-perf-debuginfo-0:3.10.0-327.el7
kernel-rt-0:3.10.0-327.rt56.204.el7
kernel-rt-debug-0:3.10.0-327.rt56.204.el7
kernel-rt-debug-debuginfo-0:3.10.0-327.rt56.204.el7
kernel-rt-debug-devel-0:3.10.0-327.rt56.204.el7
kernel-rt-debuginfo-0:3.10.0-327.rt56.204.el7
kernel-rt-debuginfo-common-x86_64-0:3.10.0-327.rt56.204.el7
kernel-rt-devel-0:3.10.0-327.rt56.204.el7
kernel-rt-doc-0:3.10.0-327.rt56.204.el7
kernel-rt-trace-0:3.10.0-327.rt56.204.el7
kernel-rt-trace-debuginfo-0:3.10.0-327.rt56.204.el7
kernel-rt-trace-devel-0:3.10.0-327.rt56.204.el7

refmap via4

bid	77097
confirm	https://bugzilla.redhat.com/show_bug.cgi?id=1272472 https://github.com/mjg59/linux/commit/4b2b64d5a6ebc84214755ebccd599baef7c1b798
mlist	[oss-security] 20151015 Re: CVE Request - Linux kernel - securelevel/secureboot bypass.

Last major update

05-10-2017 - 14:43

Published

19-09-2017 - 16:29

Last modified

05-10-2017 - 14:43