86963 2002-12-18 18:45 /41 rader/ Matthias Andree <matthias.andree@gmx.de> Importerad: 2002-12-18 18:45 av Brevbäraren Extern mottagare: vulnwatch@vulnwatch.org Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <2804> Ärende: gfxboot allows boot password circumvention, SuSE 8.1 GRUB ------------------------------------------------------------ SECURITY VULNERABILITY SuSE 8.1's "gfxmenu" which is configured into GRUB by default on many machines allows the user to pass in additional kernel boot parameters without entering the password, even though one is configured in the GRUB configuration file. The exact circumstances when YaST2 adds the gfxmenu configuration have not been researched. What other machines may be affected, has not been researched either. SuSE used LILO up to and including SuSE Linux 8.0. HOW TO CHECK IF YOU ARE VULNERABLE As no fix is known at the moment, just reading the /boot/grub/menu.lst configuration file is sufficient. If yours has a line that starts with "gfxmenu", the computer is vulnerable. IMPACT A malicious user who can make the computer reboot can for example append init=/bin/bash to defeat the regular boot procedures to bypass the root password and steal data or install backdoors. FIX Unknown. WORKAROUND Remove the gfxboot line from /boot/grub/menu.lst. HISTORY AND FUTURE 2002-11-27 v1.0 initial announcement, disclosed to SuSE Security only. 2002-11-29 extended schedule to 2002-12-13, 24:00 GMT 2002-12-03 original schedule date for publication 2002-12-13 deadline. public announcement will be made on this day at the latest. 2002-12-13 v1.1 reword first paragraph, not all machines enable gfxmenu by default, add section on checking for the problem. 2002-12-14 sent this announcement to vulnwatch and bugtraq, a workaround is documented, so holding back the announcement makes no sense. (86963) /Matthias Andree <matthias.andree@gmx.de>/(Ombruten)