Common Weakness Enumeration
CWE-1291
AllowedPublic Key Re-Use for Signing both Debug and Production Code
Abstraction: Base · Status: Draft
The same public key is used for signing both debug and production code.
1 vulnerability references this CWE, most recent first.
CVE-2022-1665 (GCVE-0-2022-1665)
Vulnerability from cvelistv5 – Published: 2022-06-21 14:23 – Updated: 2024-08-03 00:10
VLAI
EPSS
VEX
Summary
A set of pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture can be booted by the grub in Secure Boot mode even though it shouldn't. These kernel builds don't have the secure boot lockdown patches applied to it and can bypass the secure boot validations, allowing the attacker to load another non-trusted code.
Severity
No CVSS data available.
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2089529 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Red Hat Enterprise Linux |
Affected:
8.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.767Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089529"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Red Hat Enterprise Linux",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "8.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A set of pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture can be booted by the grub in Secure Boot mode even though it shouldn\u0027t. These kernel builds don\u0027t have the secure boot lockdown patches applied to it and can bypass the secure boot validations, allowing the attacker to load another non-trusted code."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1291",
"description": "CWE-1291",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-21T14:23:40.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2089529"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-1665",
"datePublished": "2022-06-21T14:23:40.000Z",
"dateReserved": "2022-05-10T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Implementation
Use different keys for Production and Debug.
No CAPEC attack patterns related to this CWE.