Non-default OSTree deployments accessible without GRUB password (CVE-2022-3675)
by Benjamin Gilbert
Hi,
Fedora CoreOS recently added support for setting a GRUB password [1].
When this feature is enabled, GRUB requires a password to access the
GRUB command-line, modify kernel command-line arguments, or boot
non-default OSTree deployments.
Recent Fedora CoreOS releases have a misconfiguration which allows
booting non-default OSTree deployments without entering a password.
This allows someone with access to the GRUB menu to boot into an older
version of Fedora CoreOS. A password is still required to modify
kernel command-line arguments and to access the GRUB command line.
Machines provisioned from the following Fedora CoreOS releases are affected:
- stable 36.20220820.3.0 and later
- testing 36.20220906.2.0 and later
- next 36.20220906.1.0 and later
The following Fedora CoreOS releases will fix the problem for newly
deployed machines and automatically correct the misconfiguration for
existing machines:
- stable 36.20221014.3.0 (new machines), 36.20221030.3.0 (existing machines)
- testing 36.20221030.2.0 (new and existing machines)
- next 37.20221031.1.0 (new and existing machines)
If you do not use the GRUB password feature, or if you do use it and
have provisioned your machines from unaffected Fedora CoreOS images,
no action is required.
If your machines on the `next` or `testing` streams are affected, the
problem will be automatically corrected by this week's releases. On
the `stable` stream, newly created machines will be fixed by this
week's release, and existing machines will be fixed by the release on
the week of November 14. If you would like to correct the problem
before then, you can manually run the following commands on affected
machines:
sudo ostree config set sysroot.bls-append-except-default 'grub_users=""'
sudo unshare -mw /boot/loader/entries bash -c \
    'mount -o rw,remount /boot &&
     for f in $(ls -v ostree-*-fedora-coreos.conf | head -n -1); do
         if ! grep -q grub_users "$f"; then
             echo grub_users \"\" >> "$f";
         fi;
     done'
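The following script is an added example, not part of this advisory or of the Fedora CoreOS project. It audits a machine for the two halves of the misconfiguration that the commands above correct: whether the ostree repo config sets sysroot.bls-append-except-default, and whether every non-default BLS entry already carries a `grub_users ""` line. It assumes the repo config lives at /ostree/repo/config and that the highest-numbered ostree-N-<stateroot>.conf is the default deployment (the ordering the `ls -v | head -n -1` loop above relies on); the sample config and entries it builds are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the advisory): audit for CVE-2022-3675 and
# optionally append the missing grub_users line, as the advisory's loop does.
# Assumptions: ostree repo config at /ostree/repo/config; the entry with the
# highest numeric index is the default deployment.

# Return 0 if the [sysroot] section of an ostree repo config sets
# bls-append-except-default to grub_users="", 1 otherwise.
config_sets_grub_users() {
    awk '
        /^\[/ { in_sysroot = ($0 == "[sysroot]") }
        in_sysroot && $0 ~ /^bls-append-except-default[ \t]*=[ \t]*grub_users=""[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Print non-default entries in a loader directory that lack a grub_users
# line, one filename per line.  Return 0 if all are protected, 1 otherwise.
unprotected_entries() {
    dir="$1"
    # Order by the numeric index in ostree-N-<stateroot>.conf; default is last.
    entries=$(cd "$dir" && ls ostree-*-*.conf 2>/dev/null | sort -t- -k2,2n)
    [ -n "$entries" ] || return 0
    default=$(printf '%s\n' "$entries" | tail -n 1)
    rc=0
    for f in $entries; do
        [ "$f" = "$default" ] && continue
        if ! grep -q '^grub_users' "$dir/$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Append `grub_users ""` to every unprotected non-default entry.  On a live
# machine /boot is read-only and must be remounted rw first, which is what
# the advisory's unshare/mount wrapper does.
fix_entries() {
    dir="$1"
    for f in $(unprotected_entries "$dir" || true); do
        echo 'grub_users ""' >> "$dir/$f"
    done
}

# Constructed sample data (not real machine state): an unfixed repo config
# and two deployments, the older one still bootable without a password.
make_sample() {
    dir="$1"
    mkdir -p "$dir/entries"
    printf '[core]\nrepo_version=1\nmode=bare\n\n[sysroot]\nreadonly=true\n' \
        > "$dir/config"
    cat > "$dir/entries/ostree-2-fedora-coreos.conf" <<'EOF'
title Fedora CoreOS (constructed sample, default deployment)
version 2
options root=UUID=c0ffee00-0000-4000-8000-000000000001 rw ostree=/ostree/boot.1/fedora-coreos/0123abcd/0
linux /ostree/fedora-coreos-0123abcd/vmlinuz
EOF
    cat > "$dir/entries/ostree-1-fedora-coreos.conf" <<'EOF'
title Fedora CoreOS (constructed sample, older deployment)
version 1
options root=UUID=c0ffee00-0000-4000-8000-000000000001 rw ostree=/ostree/boot.1/fedora-coreos/0123abcd/1
linux /ostree/fedora-coreos-0123abcd/vmlinuz
EOF
}

# Usage: sh audit-grub-users.sh [--fix] [/boot/loader/entries]
if [ "$#" -gt 0 ]; then
    fix=
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    dir="${1:-/boot/loader/entries}"
    if ! config_sets_grub_users /ostree/repo/config; then
        echo 'ostree repo config does not set sysroot.bls-append-except-default'
    fi
    if [ -n "$fix" ]; then fix_entries "$dir"; fi
    unprotected_entries "$dir"
fi
```

Run with no arguments the script only defines its functions; `sh audit-grub-users.sh /boot/loader/entries` lists the entries a password is not yet required for and exits non-zero if there are any. The `--fix` path only appends the BLS line; setting the repo config key is left to the `ostree config set` command above, since that is what ostree itself reads when it writes future entries.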
To check which version of Fedora CoreOS was used to provision a
machine, run the following command:
jq -r .build /sysroot/.coreos-aleph-version.json
For additional updates, follow the Fedora CoreOS tracker issue [2].
If you have any questions or concerns, post a comment in the issue or
contact us in #fedora-coreos on Libera.Chat.
--Benjamin Gilbert, for the Fedora CoreOS team
[1]: https://docs.fedoraproject.org/en-US/fedora-coreos/grub-password/
[2]: https://github.com/coreos/fedora-coreos-tracker/issues/1333