[Bug 1776996] [NEW] secureboot-db out of date, missing revocations from Aug 2016

Steve Langasek steve.langasek at canonical.com
Thu Jun 14 21:59:10 UTC 2018 

*** This bug is a security vulnerability ***

Public security bug reported:

A signed variable update for secureboot dbx has been published by
Microsoft to uefi.org; last updated 2016-08-11:
http://www.uefi.org/sites/default/files/resources/dbxupdate.zip

This file has not been included in the secureboot-db package in Ubuntu;
so users who only boot Ubuntu and not Windows will not have these
revocations applied, meaning their firmware will trust (and possibly be
exploitable by) whatever binaries these revoked hashes correspond to.

Separately, I seem in testing to be unable to apply this signed database
update to my system using sbkeysync, despite having the Microsoft CA in
my KEK.  So it's possible that sbkeysync doesn't work; we may need to
either fix it, or switch to other code that does work, such as the
dbxtool in Fedora.

** Affects: secureboot-db (Ubuntu)
     Importance: Medium
         Status: Triaged

** Changed in: secureboot-db (Ubuntu)
       Status: New => Triaged

** Changed in: secureboot-db (Ubuntu)
   Importance: Undecided => Critical

** Changed in: secureboot-db (Ubuntu)
   Importance: Critical => Medium

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1776996

Title:
  secureboot-db out of date, missing revocations from Aug 2016

Status in secureboot-db package in Ubuntu:
  Triaged

Bug description:
  A signed variable update for secureboot dbx has been published by
  Microsoft to uefi.org; last updated 2016-08-11:
  http://www.uefi.org/sites/default/files/resources/dbxupdate.zip

  This file has not been included in the secureboot-db package in
  Ubuntu; so users who only boot Ubuntu and not Windows will not have
  these revocations applied, meaning their firmware will trust (and
  possibly be exploitable by) whatever binaries these revoked hashes
  correspond to.

  Separately, I seem in testing to be unable to apply this signed
  database update to my system using sbkeysync, despite having the
  Microsoft CA in my KEK.  So it's possible that sbkeysync doesn't work;
  we may need to either fix it, or switch to other code that does work,
  such as the dbxtool in Fedora.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+subscriptions

More information about the foundations-bugs mailing list