EFI directory is insecure by default

Bug #1390183 reported by Saurav Sengupta on 2014-11-06
This bug affects 1 person
Affects: mountall (Ubuntu) | Importance: Undecided | Assigned to: Marc Deslauriers
Affects: partman-efi (Debian) | Status: Fix Released | Importance: Unknown
Affects: partman-efi (Ubuntu) | Importance: Undecided | Assigned to: Marc Deslauriers

Bug Description

The EFI directory on UEFI/GPT installations (/boot/efi) is insecure by default. It has permissions/mode 0777 (rwx for all). This makes the directory very vulnerable to tampering. Although it may be possible to repair damage to this directory externally if the system becomes unbootable due to such damage, having to do this is undesirable and usually not easy for most users. Distributions other than Ubuntu may also be having this issue (I have not checked), but some distributions enable secure permissions by default (e.g., Fedora). One (or maybe the only) reason for the default configuration being the way it is may be that the EFI partition uses a FAT file system. However, enabling a umask through /etc/fstab as in Fedora, e.g., umask=0077, should make it much more secure.

Ubuntu 14.10 Utopic Unicorn (x86_64/amd64)

Expected default configuration:-
A critical system directory such as /boot/efi should be inaccessible to non-root users by default.

Actual default configuration:-
The EFI directory /boot/efi is accessible to all users irrespective of the user account's privileges (permission mode 0777/rwxrwxrwx).

Marc Deslauriers (mdeslaur) wrote :

Thank you for reporting this issue, I will be investigating it.

Changed in ubuntu:
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
affects: ubuntu → partman-efi (Ubuntu)

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2014-1421

Marc Deslauriers (mdeslaur) wrote :

OK, this seems to affect Ubuntu 14.10, but not Ubuntu 14.04 LTS. Here is why:

partman-efi creates the fstab entry with "defaults" as the mount option.

The mount(8) man page states, for fat:

umask=value
              Set the umask (the bitmask of the permissions that are not present). The default is the umask of the current process.

mountall in daemon mode sets umask to 0.

Ubuntu 14.10's mount tool properly honours mountall's umask, which is 0, and results in incorrect permissions on /boot/efi.
Ubuntu 14.04's mount tool unconditionally sets umask to 022, contrary to documented behaviour, and results in good permissions on /boot/efi.

Fix proposal for 14.10 and later:
1- Modify mountall to not override umask, but to use whatever it inherited from upstart, which should be 022.
2- Modify partman-efi to create the fstab entry with a forced umask. (This is for new installs only, and is additional hardening on top of #1)
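
The condition described in the comment above (a FAT entry mounted with "defaults", so its permissions come from the mounting process's umask) can be checked for on an installed system. The shell code below is an added example, not part of the original bug thread or of mountall/partman-efi; the function names, sample UUIDs and the /mnt/efi-hardened mount point are constructed, and umask=0077 is the value suggested in the bug description.

```shell
#!/bin/sh
# Added example: audit an fstab for FAT mounts that rely on the process umask.
# A vfat/msdos entry with no umask= (and no fmask=/dmask= pair) takes its
# permissions from whatever umask the mounting process has, per mount(8).

# Print the mount point of every FAT entry in fstab file $1 that lacks an
# explicit permission mask. Prints nothing if every FAT entry is pinned.
fat_mounts_without_mask() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }               # skip comments, short lines
        $3 != "vfat" && $3 != "msdos" { next }     # only FAT filesystems
        {
            n = split($4, opt, ",")
            has_umask = has_fmask = has_dmask = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^umask=/) has_umask = 1
                if (opt[i] ~ /^fmask=/) has_fmask = 1
                if (opt[i] ~ /^dmask=/) has_dmask = 1
            }
            if (!has_umask && !(has_fmask && has_dmask)) print $2
        }
    ' "$1"
}

# Return 0 if directory $1 is writable by "other" (for example mode 0777).
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# Constructed sample fstab: the first entry is the "defaults" form described
# in the thread; the second uses the umask=0077 form from the bug description
# (given a different mount point only so both fit in one file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-0001 /boot/efi vfat defaults 0 1
UUID=0000-0002 /mnt/efi-hardened vfat umask=0077 0 1
UUID=1111-2222 / ext4 errors=remount-ro 0 1
EOF

echo "FAT mounts relying on the process umask:"
fat_mounts_without_mask "$sample"
rm -f "$sample"
```

On a live system, run `fat_mounts_without_mask /etc/fstab` and `is_world_writable /boot/efi`; the first shows entries that depend on the mounting process's umask, the second shows whether the mounted directory actually ended up world-writable.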

Saurav Sengupta (sauravz) wrote :

Do mountall's daemon mode behaviour and part 1 of the fix proposal mean that this bug affects mountall as well (apart from partman-efi) and should be marked as such? Also, is there any particular reason that mountall sets umask to 0 in daemon mode, and if there is, would modifying this behaviour cause any other problems?

Steve Langasek (vorlon) wrote :

I agree with this plan of action for fixing via mountall+partman-efi. Marc has indicated he'll work on implementation, so assigning to him.

Changed in mountall (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Triaged

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mountall - 2.54ubuntu0.14.10.1

---------------
mountall (2.54ubuntu0.14.10.1) utopic-security; urgency=medium

  * SECURITY UPDATE: insecure mount permissions (LP: #1390183)
    - The mount utility now honours process umask when mounting certain
      filesystems, resulting in them being potentially mounted with
      inappropriate permissions.
    - src/mountall.c: don't specifically set umask when running as a
      daemon, inherit the umask Upstart sets instead.
    - CVE-2014-1421
 -- Marc Deslauriers <email address hidden> Thu, 13 Nov 2014 13:21:39 -0500

Changed in mountall (Ubuntu):
status: Triaged → Fix Released
information type: Private Security → Public Security

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package partman-efi - 25ubuntu7

---------------
partman-efi (25ubuntu7) vivid; urgency=medium

  * fstab.d/efi: force umask in mount options to ensure directory never
    ends up with incorrect permissions. (LP: #1390183)
 -- Marc Deslauriers <email address hidden> Tue, 18 Nov 2014 08:39:09 -0500

Changed in partman-efi (Ubuntu):
status: Confirmed → Fix Released

Saurav Sengupta (sauravz) wrote :

mountall has been updated to version 2.54ubuntu0.14.10.1 through utopic-updates in Ubuntu 14.10 (Utopic Unicorn), and the EFI directory /boot/efi is now mounted with proper permissions even if the mount options field is set to "defaults" in /etc/fstab. Thank you for fixing the bug.

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting it! :)

Changed in partman-efi (Debian):
status: Unknown → Fix Committed
Changed in partman-efi (Debian):
status: Fix Committed → Fix Released