CVE-2020-15780 - Incorrect Authorization

Severity

67%

Complexity

8%

Confidentiality

98%

An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.

CVSS 3.1 Base Score 6.7. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Demo Examples

Incorrect Authorization

CWE-863

The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie.


               
}
}
setcookie("role", $role, time()+60*60*2);
die("\n");
DisplayMedicalHistory($_POST['patient_ID']);
die("You are not Authorized to view this record\n");

The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system.

Overview

First reported 4 years ago

2020-07-15 22:15:00

Last updated 4 years ago

2020-08-21 06:15:00

Affected Software

Linux Kernel

References

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.7

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=75b0cea7bf307f362057cc778efe89af4c615354

https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh

https://www.openwall.com/lists/oss-security/2020/06/15/3

[oss-security] 20200720 Re: Re: lockdown bypass on mainline kernel for loading unsigned modules

[oss-security] 20200720 Re: Re: lockdown bypass on mainline kernel for loading unsigned modules

Patch, Third Party Advisory

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.7.7

Release Notes, Vendor Advisory

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=75b0cea7bf307f362057cc778efe89af4c615354

Patch, Vendor Advisory

https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh

Patch, Third Party Advisory

https://www.openwall.com/lists/oss-security/2020/06/15/3

Mailing List, Third Party Advisory

[oss-security] 20200729 multiple secure boot grub2 and linux kernel vulnerabilities

[oss-security] 20200730 UEFI SecureBoot bypass fixes rolled out to kernels below radar

[oss-security] 20200730 Re: UEFI SecureBoot bypass fixes rolled out to kernels below radar

USN-4425-1

USN-4426-1

USN-4439-1

USN-4440-1

openSUSE-SU-2020:1153

openSUSE-SU-2020:1236

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.