Linux Kernel Execute Code Bypass a restriction or similar Vulnerability
16 Jan. 2017
The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd.
* Linux Kernel
* Redhat Enterprise Mrg 2.0
* Redhat Linux 7.2
A vulnerability was found in the RHEL7.2 kernel. When RHEL 7.2 is booted with UEFI Secure Boot enabled, securelevel is set. The kernel uses the state of securelevel to prevent userspace from inserting untrusted privileged code at runtime.
The ACPI tables provided by firmware can be overwritten using the initrd. From the kernel documentation:
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible to
override nearly any ACPI table provided by the BIOS with an instrumented,
RHEL 7.2 has CONFIG_ACPI_INITRD_TABLE_OVERRIDE kernel config option enabled, and will load ACPI tables appended to the initrd, even if booted with UEFI Secure Boot enabled and securelevel set.