From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 768D12116DA1E for ; Wed, 17 Oct 2018 06:10:16 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3E2F1CCFE8; Wed, 17 Oct 2018 13:10:16 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-50.rdu2.redhat.com [10.10.120.50]) by smtp.corp.redhat.com (Postfix) with ESMTP id E0D0F5FC2E; Wed, 17 Oct 2018 13:10:10 +0000 (UTC) To: Star Zeng , Prasad Pandit Cc: edk2-devel@lists.01.org, Jiewen Yao , Chao Zhang , "Leif Lindholm (Linaro address)" , Vincent Zimmer , Michael Kinney , Gary Lin , Ard Biesheuvel , Steve McIntyre <93sam@debian.org>, Peter Jones References: <1539657661-57656-1-git-send-email-star.zeng@intel.com> From: Laszlo Ersek Message-ID: <75a8ff0b-dac9-dbb4-a792-1085a0b73699@redhat.com> Date: Wed, 17 Oct 2018 15:10:09 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <1539657661-57656-1-git-send-email-star.zeng@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 17 Oct 2018 13:10:16 +0000 (UTC) Subject: CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE] X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Oct 2018 13:10:17 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Hi Star, On 10/16/18 04:41, Star Zeng wrote: > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415 > > When SetVariable() to a time based auth variable with APPEND_WRITE > attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in > the input Data is earlier than current value, it will cause timestamp > zeroing. > > This issue may bring time based auth variable downgrade problem. > For example: > A vendor released three certs at 2014, 2015, and 2016, and system > integrated the 2016 cert. User can SetVariable() with 2015 cert and > APPEND_WRITE attribute to cause timestamp zeroing first, then > SetVariable() with 2014 cert to downgrade the cert. > > This patch fixes this issue. > > Cc: Jiewen Yao > Cc: Chao Zhang > Cc: Jian J Wang > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Star Zeng > --- > MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c > index a2d61c8cd618..8e8db71bd201 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c > @@ -2462,6 +2462,8 @@ UpdateVariable ( > if (Variable->CurrPtr != NULL) { > if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) { > CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME)); > + } else { > + CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME)); > } > } > } > thank you for the BZ reference in the commit message. The commit message is very good, and from it, I suspected this was a security bug -- it makes "dbx" rollbacks possible, correct? --, and I was wondering if it should have received a CVE. Indeed, checking the TianoCore BZ, I can see that this patch mitigates CVE-2018-3613. I have requested earlier [1], and now I'm doing so again, that CVE fixes please all mention the CVE number in the *subject line*. When people look at the commit log, or even just patch traffic on this list, CVE numbers should *jump* at them. http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com Because you pushed this patch in ~25 hours after posting it to the public list, and because TianoCore BZ#415 used to be a security bug (restricted from mirroring to the bugzilla list, and opened up likely most recently only), I couldn't comment on the subject line (I was on PTO yesterday), and now we have another patch in the git history that is a CVE fix, but states that fact nowhere at all. To be clear, my complaint is not that the patch was pushed too quickly (one day should be fine for CVEs after coordinated disclosure); my point is that the patch was pushed quickly *and* it never mentioned it was a CVE fix (in the subject line specifically). In addition, while the bugzilla states: > The issue is there since the auth variable driver was created in > SecurityPkg, and it is inherited to current variable driver in > MdeModulePkg after the auth variable driver in SecurityPkg was merged > to variable driver in MdeModulePkg. some specific commit references in the fix's commit message would have helped, so that everyone could evaluate whether they were affected. --*-- Process-wise, I'm sad that Red Hat -- and likely many other organizations shipping edk2-based firmware -- have not been involved in a coordinated disclosure around this issue. The timeline in https://bugzilla.tianocore.org/show_bug.cgi?id=415 suggests that there would have been a lot of time for this (and apperently there was *intent* too). But here we are, caught with our pants around our ankles. Prasad, to my understanding, you are Red Hat's representative on the TianoCore Bugzilla security group. I've now searched the RH Bugzilla for "CVE-2018-3613", and there are no hits. Can you please confirm whether this BZ was made available to us (and we missed it, and/or failed to act upon it otherwise)? Either way, please: - Create the appropriate tracker in the Red Hat Bugzilla. (The patch has been picked to UDK as far back as UDK2015; we obviously need to fix this yesterday.) - Forward the issue to , so that other organizations that distribute OVMF learn of this. (I'm adding a few direct CC's now, but that list shouldn't be limited by my imagination. I've briefly searched the oss-sec archive as well: also no hits.) Thank you, Laszlo