CVE-2018-18653

Published: 25 October 2018

The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.

From the Ubuntu Security Team

Daniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel.

Notes

from the commit addressing the issue:
Recent versions of the "secure boot lockdown" patches introduced
support for using IMA signatures for module signing instead of
the standard mechanism. This was causing issues and was removed,
but the code was missed which actually defers the verification to
IMA when IMA enforcement is enabled. With our config this means
that by default module signatures are not being enforced under
kernel lockdown.

Status

Severity score breakdown

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18653
• https://lists.ubuntu.com/archives/kernel-team/2018-October/096299.html
• https://ubuntu.com/security/notices/USN-3832-1
• https://ubuntu.com/security/notices/USN-3835-1
• NVD
• Launchpad
• Debian

Bugs

• https://launchpad.net/bugs/1798863