CVE-2018-18653 — Improper Verification of Cryptographic Signature in Linux

CWE-347 — Improper Verification of Cryptographic Signature7 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 90.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Debian Linux Canonical Ubuntu Linux +1 more

Timeline

PublishedOct 26

Latest updateFeb 12

Description

The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶Debianlinux/linux_kernel< 5.4.6-1+3

▶debiandebian/linux< linux 5.4.6-1 (bookworm)

▶Palo Altopaloalto/pan-os

Also affects: Ubuntu Linux 18.10

Patches

Patch: usn.ubuntu.com ↗Patch: usn.ubuntu.com ↗Patch: usn.ubuntu.com ↗

🔴Vulnerability Details

GHSA

GHSA-4669-vh4j-5743: The Linux kernel, as used in Ubuntu 18↗2022-05-13

▶

OSV

CVE-2018-18653: The Linux kernel, as used in Ubuntu 18↗2018-10-26

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2025-02-12

▶

Ubuntu

Linux kernel vulnerabilities↗2018-12-03

▶

Ubuntu

Linux kernel (AWS) vulnerabilities↗2018-11-30

▶

Debian

CVE-2018-18653: linux - The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot ...↗2018

▶