CVE-2022-1665: Public Key Re-Use for Signing both Debug and Production Code in Red Hat Enterprise Linux

Severity: 8.2 HIGH (NVD)
EPSS: 0.1% (top 83.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jun 21
Latest update: Jun 22

Description

A set of pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture can be booted by GRUB in Secure Boot mode even though they should not be. These kernel builds do not have the Secure Boot lockdown patches applied to them, so they bypass the Secure Boot validations and allow an attacker to load other untrusted code.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.5 | Impact: 6.0

Affected Packages: 0 packages

Also affects: Enterprise Linux 8.0

Vulnerability Details (2)

GHSA
GHSA-23qr-p57h-8gx4: A set of pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture can be booted by the grub in Secure Boot mode even thou… (2022-06-22)

CVEList
CVE-2022-1665: A set of pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture can be booted by the grub in Secure Boot mode even thou… (2022-06-21)

Vendor Advisories (1)

Red Hat
Power: Signed build of Red Hat Enterprise Linux for IBM Power can boot pre-production kernels (2022-06-07)
CVE-2022-1665 - Red Hat Enterprise Linux vulnerability | cvebase