Описание
EVE's Debug Functions Unlockable Without Triggering Measured Boot
Impact
On boot, Pillar checks for /config/GlobalConfig/global.json and overrides system configuration if present. This allows enabling debug functions like SSH (debug.enable.ssh), USB keyboard (debug.enable.usb), and VNC access (app.allow.vnc) without triggering the measured boot. Thus, a user with physical access can take out the disk and modify the content of this file in the /config partition and then re-insert the disk.
Patches
Fixed in 10.1.0 and 9.4.3-lts
Workarounds
None
Ссылки
- https://github.com/lf-edge/eve/security/advisories/GHSA-4c4v-42hc-72p6
- https://nvd.nist.gov/vuln/detail/CVE-2023-43633
- https://github.com/lf-edge/eve/commit/5fef4d92e75838cc78010edaed5247dfbdae1889
- https://github.com/lf-edge/eve/commit/aa3501d6c57206ced222c33aea15a9169d629141
- https://asrg.io/security-advisories/cve-2023-43633
- https://asrg.io/security-advisories/debug-functions-unlockable-without-triggering-measured-boot
Пакеты
github.com/lf-edge/eve
< 0.0.0-20220708121648-5fef4d92e758
0.0.0-20220708121648-5fef4d92e758
Связанные уязвимости
On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions. This could be used to unlock the ssh with custom “authorized_keys” via the “debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb” key, allowing VNC access via the “app.allow.vnc” key, and more. An attacker could easily enable these debug functionalities without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable and it is not encrypted in any way. An