subject:"Re\: \[edk2\] CVE\-2018\-3613 \[was\: MdeModulePkg Variable\: Fix Timestamp zeroing issue on APPEND

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-19 Thread Laszlo Ersek

On 10/19/18 09:09, Zeng, Star wrote:
> Hi Laszlo,
> 
> Cc Qin also. Qin and Chao are secure boot experts, I also had some talk
> with them.
> 
> On 2018/10/19 5:45, Laszlo Ersek wrote:
>> Hi All,
>>
>> On 10/16/18 04:41, Star Zeng wrote:
>>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415
>>>
>>> When SetVariable() to a time based auth variable with APPEND_WRITE
>>> attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
>>> the input Data is earlier than current value, it will cause timestamp
>>> zeroing.
>>>
>>> This issue may bring time based auth variable downgrade problem.
>>> For example:
>>> A vendor released three certs at 2014, 2015, and 2016, and system
>>> integrated the 2016 cert. User can SetVariable() with 2015 cert and
>>> APPEND_WRITE attribute to cause timestamp zeroing first, then
>>> SetVariable() with 2014 cert to downgrade the cert.
>>>
>>> This patch fixes this issue.
>>>
>>> Cc: Jiewen Yao 
>>> Cc: Chao Zhang 
>>> Cc: Jian J Wang 
>>> Contributed-under: TianoCore Contribution Agreement 1.1
>>> Signed-off-by: Star Zeng 
>>> ---
>>>   MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
>>> b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
>>> index a2d61c8cd618..8e8db71bd201 100644
>>> --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
>>> +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
>>> @@ -2462,6 +2462,8 @@ UpdateVariable (
>>>   if (Variable->CurrPtr != NULL) {
>>>     if (VariableCompareTimeStampInternal
>>> (&(((AUTHENTICATED_VARIABLE_HEADER *)
>>> CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {
>>>   CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof
>>> (EFI_TIME));
>>> +  } else {
>>> +    CopyMem (&AuthVariable->TimeStamp,
>>> &(((AUTHENTICATED_VARIABLE_HEADER *)
>>> CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));
>>>     }
>>>   }
>>>     }
>>>
>>
>> I believe I found a significant mitigating factor for this
>> vulnerability.
> 
> Very good analysis, I totally agree. :)
> 
> Yes, if the dbx signature(includes the "attribute" information) was
> generated with "APPEND" attribute (that is the case you are seeing),
> it's infeasible to apply the downgrade write since the signature
> includes the "attribute" information, the PKCS7 verification will block
> the direct write without "APPEND" attribute.
> 
> But there may be some initial dbx signature was generated without
> "APPEND" attribute. E.g. OEM may have some this kind of dbx. It should
> be rarely case, but I am not sure about that.
> 
> Another, similar situation is also for other authenticated variables
> (not PK/KEK/DB/DBX/DBT).

Makes sense, thanks.

Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-19 Thread Zeng, Star


Hi Laszlo,

Cc Qin also. Qin and Chao are secure boot experts, I also had some talk 
with them.


On 2018/10/19 5:45, Laszlo Ersek wrote:

Hi All,

On 10/16/18 04:41, Star Zeng wrote:

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415

When SetVariable() to a time based auth variable with APPEND_WRITE
attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
the input Data is earlier than current value, it will cause timestamp
zeroing.

This issue may bring time based auth variable downgrade problem.
For example:
A vendor released three certs at 2014, 2015, and 2016, and system
integrated the 2016 cert. User can SetVariable() with 2015 cert and
APPEND_WRITE attribute to cause timestamp zeroing first, then
SetVariable() with 2014 cert to downgrade the cert.

This patch fixes this issue.

Cc: Jiewen Yao 
Cc: Chao Zhang 
Cc: Jian J Wang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng 
---
  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
index a2d61c8cd618..8e8db71bd201 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
@@ -2462,6 +2462,8 @@ UpdateVariable (
  if (Variable->CurrPtr != NULL) {
if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER 
*) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {
  CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));
+  } else {
+CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) 
CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));
}
  }
}



I believe I found a significant mitigating factor for this
vulnerability.


Very good analysis, I totally agree. :)

Yes, if the dbx signature(includes the "attribute" information) was 
generated with "APPEND" attribute (that is the case you are seeing), 
it's infeasible to apply the downgrade write since the signature 
includes the "attribute" information, the PKCS7 verification will block 
the direct write without "APPEND" attribute.


But there may be some initial dbx signature was generated without 
"APPEND" attribute. E.g. OEM may have some this kind of dbx. It should 
be rarely case, but I am not sure about that.


Another, similar situation is also for other authenticated variables 
(not PK/KEK/DB/DBX/DBT).



Thanks,
Star



(i) I tried to reproduce the issue (with this patch reverted). I indeed
managed to trigger the "timestamp zeroed" case, by *appending* a
hypothetical "2015" DBX update, to a virtual system that had the "2016"
DBX update installed first.

However, when I tried to replay the hypothetical "2014" DBX update on
top, by *writing* it (not appending it), I found that it wouldn't work:


(ii) I confirmed that the timestamp check was in fact circumvented, due
to the zeroing above. That is, the following code snippet from
VerifyTimeBasedPayload() would *not* fire:

[SecurityPkg/Library/AuthVariableLib/AuthService.c]

   1869if ((OrgTimeStamp != NULL) && ((Attributes & 
EFI_VARIABLE_APPEND_WRITE) == 0)) {
   1870  if (AuthServiceInternalCompareTimeStamp (&CertData->TimeStamp, 
OrgTimeStamp)) {
   1871//
   1872// TimeStamp check fail, suspicious replay attack, return 
EFI_SECURITY_VIOLATION.
   1873//
   1874return EFI_SECURITY_VIOLATION;
   1875  }
   1876}

(Line numbers correspond to commit 3a0329bed2a2).

Yet the replay attempt was rejected. Why?


(iii) It was rejected on the following call chain:

   VariableServiceSetVariable()   
[MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c]
 AuthVariableLibProcessVariable() 
[SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c]
   ProcessVarWithKek()
[SecurityPkg/Library/AuthVariableLib/AuthService.c]
VerifyTimeBasedPayloadAndUpdate() 
[SecurityPkg/Library/AuthVariableLib/AuthService.c]
  VerifyTimeBasedPayload()
[SecurityPkg/Library/AuthVariableLib/AuthService.c]
Pkcs7Verify() 
[CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c]

[SecurityPkg/Library/AuthVariableLib/AuthService.c]

   2032  //
   2033  // Ready to verify Pkcs7 SignedData. Go through KEK Signature 
Database to find out X.509 CertList.
   2034  //
   2035  KekDataSize  = (UINT32) DataSize;
   2036  CertList = (EFI_SIGNATURE_LIST *) Data;
   2037  while ((KekDataSize > 0) && (KekDataSize >= 
CertList->SignatureListSize)) {
   2038if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
   2039  Cert   = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof 
(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
   2040  CertCount  = (CertList->SignatureListSize - sizeof

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-18 Thread Laszlo Ersek

Hi All,

On 10/16/18 04:41, Star Zeng wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415
>
> When SetVariable() to a time based auth variable with APPEND_WRITE
> attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
> the input Data is earlier than current value, it will cause timestamp
> zeroing.
>
> This issue may bring time based auth variable downgrade problem.
> For example:
> A vendor released three certs at 2014, 2015, and 2016, and system
> integrated the 2016 cert. User can SetVariable() with 2015 cert and
> APPEND_WRITE attribute to cause timestamp zeroing first, then
> SetVariable() with 2014 cert to downgrade the cert.
>
> This patch fixes this issue.
>
> Cc: Jiewen Yao 
> Cc: Chao Zhang 
> Cc: Jian J Wang 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Star Zeng 
> ---
>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c 
> b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
> index a2d61c8cd618..8e8db71bd201 100644
> --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
> +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
> @@ -2462,6 +2462,8 @@ UpdateVariable (
>  if (Variable->CurrPtr != NULL) {
>if (VariableCompareTimeStampInternal 
> (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), 
> TimeStamp)) {
>  CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));
> +  } else {
> +CopyMem (&AuthVariable->TimeStamp, 
> &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), 
> sizeof (EFI_TIME));
>}
>  }
>}
>

I believe I found a significant mitigating factor for this
vulnerability.

(i) I tried to reproduce the issue (with this patch reverted). I indeed
managed to trigger the "timestamp zeroed" case, by *appending* a
hypothetical "2015" DBX update, to a virtual system that had the "2016"
DBX update installed first.

However, when I tried to replay the hypothetical "2014" DBX update on
top, by *writing* it (not appending it), I found that it wouldn't work:


(ii) I confirmed that the timestamp check was in fact circumvented, due
to the zeroing above. That is, the following code snippet from
VerifyTimeBasedPayload() would *not* fire:

[SecurityPkg/Library/AuthVariableLib/AuthService.c]

  1869if ((OrgTimeStamp != NULL) && ((Attributes & 
EFI_VARIABLE_APPEND_WRITE) == 0)) {
  1870  if (AuthServiceInternalCompareTimeStamp (&CertData->TimeStamp, 
OrgTimeStamp)) {
  1871//
  1872// TimeStamp check fail, suspicious replay attack, return 
EFI_SECURITY_VIOLATION.
  1873//
  1874return EFI_SECURITY_VIOLATION;
  1875  }
  1876}

(Line numbers correspond to commit 3a0329bed2a2).

Yet the replay attempt was rejected. Why?


(iii) It was rejected on the following call chain:

  VariableServiceSetVariable()   
[MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c]
AuthVariableLibProcessVariable() 
[SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c]
  ProcessVarWithKek()
[SecurityPkg/Library/AuthVariableLib/AuthService.c]
   VerifyTimeBasedPayloadAndUpdate() 
[SecurityPkg/Library/AuthVariableLib/AuthService.c]
 VerifyTimeBasedPayload()
[SecurityPkg/Library/AuthVariableLib/AuthService.c]
   Pkcs7Verify() 
[CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c]

[SecurityPkg/Library/AuthVariableLib/AuthService.c]

  2032  //
  2033  // Ready to verify Pkcs7 SignedData. Go through KEK Signature 
Database to find out X.509 CertList.
  2034  //
  2035  KekDataSize  = (UINT32) DataSize;
  2036  CertList = (EFI_SIGNATURE_LIST *) Data;
  2037  while ((KekDataSize > 0) && (KekDataSize >= 
CertList->SignatureListSize)) {
  2038if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
  2039  Cert   = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + 
sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
  2040  CertCount  = (CertList->SignatureListSize - sizeof 
(EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
  2041  for (Index = 0; Index < CertCount; Index++) {
  2042//
  2043// Iterate each Signature Data Node within this CertList for 
a verify
  2044//
  2045TrustedCert  = Cert->SignatureData;
  2046TrustedCertSize  = CertList->SignatureSize - (sizeof 
(EFI_SIGNATURE_DATA) - 1);
  2047
  2048//
  2049// Verify Pkcs7 SignedData via Pkcs7Verify library.
  2050//
  2051VerifyStatus = Pkcs7Verify (
  2052 SigData,
  2053 SigDataSize,
  2054 TrustedCert,
  2055

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-18 Thread Laszlo Ersek

On 10/18/18 15:43, Zeng, Star wrote:
> Hi Laszlo,
> 
> On 2018/10/18 21:09, Laszlo Ersek wrote:
>> On a tangent:
>>
>> On 10/18/18 04:45, Zeng, Star wrote:
>>> On 2018/10/18 2:27, Laszlo Ersek wrote:
>>
>> e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com
>>
>>
> Sorry, I could not access it.

 I'm unsure if you mean that you didn't see that message when I posted
 it, or else that you've now tried to follow the link, but it doesn't
 work for you. Does the official edk2-devel archive work perhaps? Here's
 a link within that, to the same message:

 https://lists.01.org/pipermail/edk2-devel/2018-August/028700.html
>>>
>>> The edk2-devel archive link works for me. But I did not review this
>>> thread and did not see the request. :(
>>
>> OK, understood.
>>
>>> FYI, I could not access the redhat archive link
>>> e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com,
>>>
>>> I just heard some other people also could not access it.
>>
>> That link isn't a "Red Hat" link. It is a link that points to
>>
>>    mid.mail-archive.com
>>
>> The site "mid.mail-archive.com" is a search service from
>> mail-archive.com. The URL is composed as follows:
>>
>>    mid.mail-archive.com + "/" + 
>>
>> In the  part, the user can place the message-id header of
>> the email that they are looking for.
>>
>> In the current case, the Message-Id of the email that I wanted to direct
>> you to was:
>>
>>    e62f7104-e341-6c7f-1af5-2130f161f...@redhat.com
>>
>> It ends with "@redhat.com" only because the message-id was originally
>> generated by a RH SMTP server (because the message was sent by me). So,
>> the complete link is not a "Red Hat" link; it is a mail-archive.com link
>> that happens to end with "@redhat.com" -- because the message ID that I
>> put in the URL, for the search service, ends with "@redhat.com".
> 
> I am not familiar with using mail-archive.com.
> I just did some check and found it is interesting that I could access
> https://www.mail-archive.com/edk2-devel@lists.01.org/msg43513.html, it
> is because it has "https"? Not sure.

That's a good point; I think it could very well be the reason.

Unfortunately, the message-id based search at mail-archive.com (that is,
the domain "mid.mail-archive.com") does *not* work with HTTPS. It is
regrettable, it has always annoyed me. I've tried the same URLs via the
HTTPS scheme in the past, and they've never worked. (They aren't working
right now either.) Otherwise I'd have posted HTTPS links on every occasion.

Thanks for raising this!
Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-18 Thread Zeng, Star

Hi Laszlo,

On 2018/10/18 21:09, Laszlo Ersek wrote:

On a tangent:

On 10/18/18 04:45, Zeng, Star wrote:

On 2018/10/18 2:27, Laszlo Ersek wrote:

e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com

Sorry, I could not access it.

I'm unsure if you mean that you didn't see that message when I posted
it, or else that you've now tried to follow the link, but it doesn't
work for you. Does the official edk2-devel archive work perhaps? Here's
a link within that, to the same message:

https://lists.01.org/pipermail/edk2-devel/2018-August/028700.html

The edk2-devel archive link works for me. But I did not review this
thread and did not see the request. :(

OK, understood.

FYI, I could not access the redhat archive link
e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com,
I just heard some other people also could not access it.

That link isn't a "Red Hat" link. It is a link that points to

mid.mail-archive.com

The site "mid.mail-archive.com" is a search service from
mail-archive.com. The URL is composed as follows:

mid.mail-archive.com + "/" +

In the part, the user can place the message-id header of
the email that they are looking for.

In the current case, the Message-Id of the email that I wanted to direct
you to was:

e62f7104-e341-6c7f-1af5-2130f161f...@redhat.com

It ends with "@redhat.com" only because the message-id was originally
generated by a RH SMTP server (because the message was sent by me). So,
the complete link is not a "Red Hat" link; it is a mail-archive.com link
that happens to end with "@redhat.com" -- because the message ID that I
put in the URL, for the search service, ends with "@redhat.com".

I am not familiar with using mail-archive.com.
I just did some check and found it is interesting that I could access
https://www.mail-archive.com/edk2-devel@lists.01.org/msg43513.html, it
is because it has "https"? Not sure.

Thanks,
Star

Anyway, I understand now that mail-archive.com may not be accessible
from behind the Great Firewall. I'll try to keep in mind to provide both
edk2-devel archive links, and mail-archive.com links. (Normally I prefer
mail-archive.com because it shows the thread structure much better.)

Thanks!
Laszlo

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-18 Thread Laszlo Ersek

On a tangent:

On 10/18/18 04:45, Zeng, Star wrote:
> On 2018/10/18 2:27, Laszlo Ersek wrote:

 e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com

>>> Sorry, I could not access it.
>>
>> I'm unsure if you mean that you didn't see that message when I posted
>> it, or else that you've now tried to follow the link, but it doesn't
>> work for you. Does the official edk2-devel archive work perhaps? Here's
>> a link within that, to the same message:
>>
>> https://lists.01.org/pipermail/edk2-devel/2018-August/028700.html
> 
> The edk2-devel archive link works for me. But I did not review this
> thread and did not see the request. :(

OK, understood.

> FYI, I could not access the redhat archive link
> e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com,
> I just heard some other people also could not access it.

That link isn't a "Red Hat" link. It is a link that points to

  mid.mail-archive.com

The site "mid.mail-archive.com" is a search service from
mail-archive.com. The URL is composed as follows:

  mid.mail-archive.com + "/" + 

In the  part, the user can place the message-id header of
the email that they are looking for.

In the current case, the Message-Id of the email that I wanted to direct
you to was:

  e62f7104-e341-6c7f-1af5-2130f161f...@redhat.com

It ends with "@redhat.com" only because the message-id was originally
generated by a RH SMTP server (because the message was sent by me). So,
the complete link is not a "Red Hat" link; it is a mail-archive.com link
that happens to end with "@redhat.com" -- because the message ID that I
put in the URL, for the search service, ends with "@redhat.com".

... Anyway, I understand now that mail-archive.com may not be accessible
from behind the Great Firewall. I'll try to keep in mind to provide both
edk2-devel archive links, and mail-archive.com links. (Normally I prefer
mail-archive.com because it shows the thread structure much better.)

Thanks!
Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-17 Thread Zeng, Star

Hi Laszlo,

On 2018/10/18 2:27, Laszlo Ersek wrote:

+Stephano

On 10/17/18 16:58, Zeng, Star wrote:

On 2018/10/17 21:10, Laszlo Ersek wrote:

I have requested earlier [1], and now I'm doing so again, that CVE fixes
please all mention the CVE number in the *subject line*. When people
look at the commit log, or even just patch traffic on this list, CVE
numbers should *jump* at them.

Good request. How about we document it as requirement at somewhere
(Contributions.txt?)? Then people can easily find the requirement and
follow it.

I agree, we should have documented it somewhere explicitly.

Stephano, can you please add a note to the "well-formed commit messages"
topic that CVE number should be documented in the subject lines? My
apologies for not thinking about this earlier.

I will be glad to help broadcast this request and direct people to that
document. :)

e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com

Sorry, I could not access it.

https://lists.01.org/pipermail/edk2-devel/2018-August/028700.html

The edk2-devel archive link works for me. But I did not review this
thread and did not see the request. :(
FYI, I could not access the redhat archive link
e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com,
I just heard some other people also could not access it.

Thanks,
Star

Please see my request (1).

Either way -- I totally agree this hasn't been documented appropriately
before.

Thanks
Laszlo

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-17 Thread Laszlo Ersek

+Stephano

On 10/17/18 16:58, Zeng, Star wrote:
> On 2018/10/17 21:10, Laszlo Ersek wrote:

>> I have requested earlier [1], and now I'm doing so again, that CVE fixes
>> please all mention the CVE number in the *subject line*. When people
>> look at the commit log, or even just patch traffic on this list, CVE
>> numbers should *jump* at them.
> 
> Good request. How about we document it as requirement at somewhere
> (Contributions.txt?)? Then people can easily find the requirement and
> follow it.

I agree, we should have documented it somewhere explicitly.

Stephano, can you please add a note to the "well-formed commit messages"
topic that CVE number should be documented in the subject lines? My
apologies for not thinking about this earlier.

>> e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com
>>
> 
> Sorry, I could not access it.

I'm unsure if you mean that you didn't see that message when I posted
it, or else that you've now tried to follow the link, but it doesn't
work for you. Does the official edk2-devel archive work perhaps? Here's
a link within that, to the same message:

https://lists.01.org/pipermail/edk2-devel/2018-August/028700.html

Please see my request (1).

Either way -- I totally agree this hasn't been documented appropriately
before.

Thanks
Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

2018-10-17 Thread Zeng, Star


Hi Laszlo,

On 2018/10/17 21:10, Laszlo Ersek wrote:

Hi Star,

On 10/16/18 04:41, Star Zeng wrote:

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415

When SetVariable() to a time based auth variable with APPEND_WRITE
attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
the input Data is earlier than current value, it will cause timestamp
zeroing.

This issue may bring time based auth variable downgrade problem.
For example:
A vendor released three certs at 2014, 2015, and 2016, and system
integrated the 2016 cert. User can SetVariable() with 2015 cert and
APPEND_WRITE attribute to cause timestamp zeroing first, then
SetVariable() with 2014 cert to downgrade the cert.

This patch fixes this issue.

Cc: Jiewen Yao 
Cc: Chao Zhang 
Cc: Jian J Wang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng 
---
  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
index a2d61c8cd618..8e8db71bd201 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
@@ -2462,6 +2462,8 @@ UpdateVariable (
  if (Variable->CurrPtr != NULL) {
if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER 
*) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {
  CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));
+  } else {
+CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) 
CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));
}
  }
}



thank you for the BZ reference in the commit message.

The commit message is very good, and from it, I suspected this was a
security bug -- it makes "dbx" rollbacks possible, correct? --, and I
was wondering if it should have received a CVE.


Yes, your are right. You have known there is a CVE for it.



Indeed, checking the TianoCore BZ, I can see that this patch mitigates
CVE-2018-3613.

I have requested earlier [1], and now I'm doing so again, that CVE fixes
please all mention the CVE number in the *subject line*. When people
look at the commit log, or even just patch traffic on this list, CVE
numbers should *jump* at them.


Good request. How about we document it as requirement at somewhere 
(Contributions.txt?)? Then people can easily find the requirement and 
follow it.




e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com">http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com


Sorry, I could not access it.



Because you pushed this patch in ~25 hours after posting it to the
public list, and because TianoCore BZ#415 used to be a security bug
(restricted from mirroring to the bugzilla list, and opened up likely
most recently only), I couldn't comment on the subject line (I was on
PTO yesterday), and now we have another patch in the git history that is
a CVE fix, but states that fact nowhere at all.


I was unlucky and I am sad that I could not receive your 
feedback/comment before I pushed the patch. :(
From TianoCore BZ#415, we can see the original embargoed data was 
"10/26/17". For some reason, it was extended to "July 10, 2018". I 
supposed some coordinator(s) should have coordinated with organizations 
for this CVE before its disclosure.


I was just aware that Security Advisory including this CVE at 
https://edk2-docs.gitbooks.io/security-advisory/ was released at "Oct 
12, 2018" and TianoCore BZ#415 link was just made public before I posted 
the patch. I thought I should make the patch into the code as quick as 
possible (after following the community code review process) after this 
CVE's disclosure.




To be clear, my complaint is not that the patch was pushed too quickly
(one day should be fine for CVEs after coordinated disclosure); my point
is that the patch was pushed quickly *and* it never mentioned it was a
CVE fix (in the subject line specifically).


Got it. I should have done like this if I was aware the request.:(



In addition, while the bugzilla states:


The issue is there since the auth variable driver was created in
SecurityPkg, and it is inherited to current variable driver in
MdeModulePkg after the auth variable driver in SecurityPkg was merged
to variable driver in MdeModulePkg.


some specific commit references in the fix's commit message would have
helped, so that everyone could evaluate whether they were affected.


We can see the attachment for reference in TianoCore BZ#415 link only 
updates the variable driver in MdeModulePkg and we just synced the patch 
to UDK2018/UDK2017/UDK2015 which all have SecurityPkg variable driver 
merged into MdeModulePkg variable driver. SecurityPkg variable driver is 
just present in very old UDK branches. And people is not hard to know 
the history of MdeModulePkg and SecurityPkg variable driver by GI

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

Re: [edk2] CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

9 matches

Site Navigation

Mail list logo

Footer information