CVE-2022-1665

8.2 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass Secure Boot protections on specific Red Hat Enterprise Linux kernel builds for IBM Power architecture. When exploited, it enables loading of untrusted code during the boot process. Only systems running specific pre-production kernel packages on IBM Power architecture with Secure Boot enabled are affected.

💻 Affected Systems

Products:
  • Red Hat Enterprise Linux
Versions: Specific pre-production kernel packages only
Operating Systems: Red Hat Enterprise Linux for IBM Power architecture
Default Config Vulnerable: ✅ No
Notes: Only affects specific pre-production kernel builds that lack Secure Boot lockdown patches. Production kernels are not affected. Requires Secure Boot to be enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via bootkit or rootkit installation that persists across reboots, allowing full control of the system and potential data exfiltration.

🟠 Likely Case

Local attacker with physical or administrative access could load malicious kernel modules or boot components to gain elevated privileges.

🟢 If Mitigated

Systems not using the affected pre-production kernel packages or without Secure Boot enabled remain unaffected.

🌐 Internet-Facing: LOW - Requires local access or administrative privileges to exploit, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal attackers with local access or compromised administrative accounts could exploit this to establish persistence.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of the specific vulnerable kernel packages. The vulnerability is in the boot process, making detection difficult.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updated kernel packages with Secure Boot lockdown patches applied

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2089529

Restart Required: Yes

Instructions:

1. Update affected kernel packages via yum update.
2. Verify the new kernel has Secure Boot lockdown patches.
3. Reboot the system to load the patched kernel.

🔧 Temporary Workarounds

Disable Secure Boot (linux)

Temporarily disable Secure Boot to prevent exploitation, though this reduces security:

mokutil --disable-validation

Use Production Kernels (linux)

Ensure only production kernel packages are installed and booted:

yum remove kernel-*preproduction*
yum install kernel

🧯 If You Can't Patch

  • Monitor for unauthorized kernel module loading or boot process modifications
  • Restrict physical and administrative access to affected systems

🔍 How to Verify

Check if Vulnerable:

Check if running pre-production kernel packages on IBM Power with Secure Boot enabled:

uname -r
mokutil --sb-state

Check Version:

uname -r

Verify Fix Applied:

Verify the kernel version after the update and confirm Secure Boot lockdown is active: run uname -r to confirm the patched kernel is the one booted, then check for the lockdown patches in the kernel configuration; on kernels that include the lockdown LSM, /sys/kernel/security/lockdown shows the active mode in brackets ([integrity] or [confidentiality] means lockdown is enforced).
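The verification steps above, combined into one triage helper, as an added example that is not part of the advisory and not Red Hat's tooling. It assumes that pre-production builds carry "preproduction" in the kernel release string (taken from the kernel-*preproduction* package pattern in the workaround; adjust if your naming differs), reads the Secure Boot state in the form mokutil --sb-state prints it, and takes the lockdown mode from /sys/kernel/security/lockdown, which kernels with the lockdown LSM expose. All host values in the demo are constructed.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-1665 (example code, not from the advisory).
# It combines the page's checks: IBM Power architecture, kernel release,
# `mokutil --sb-state` output and the kernel lockdown mode. Values are passed
# as arguments so the same logic can run over inventory captured from many hosts.

# Assumption: pre-production builds carry "preproduction" in the kernel release,
# matching the kernel-*preproduction* package pattern used in the workaround.
is_preproduction_kernel() {
    case "$1" in
        *preproduction*) return 0 ;;
        *) return 1 ;;
    esac
}

# `mokutil --sb-state` prints "SecureBoot enabled" or "SecureBoot disabled".
secure_boot_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# /sys/kernel/security/lockdown reads e.g. "none [integrity] confidentiality";
# the bracketed word is the active mode, so anything but [none] means enforced.
lockdown_active() {
    case "$1" in
        *"[integrity]"*|*"[confidentiality]"*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess ARCH KERNEL_RELEASE SB_STATE LOCKDOWN_MODE -> one verdict line on stdout
assess() {
    arch="$1"; krel="$2"; sb_state="$3"; lockdown="$4"
    if [ "$arch" != "ppc64le" ] && [ "$arch" != "ppc64" ]; then
        echo "NOT_AFFECTED: $arch is not IBM Power"
        return 0
    fi
    if ! secure_boot_enabled "$sb_state"; then
        echo "NOT_AFFECTED: Secure Boot disabled, the bypassed control is not in use"
        return 0
    fi
    if lockdown_active "$lockdown"; then
        echo "PATCHED: $krel enforces lockdown under Secure Boot"
        return 0
    fi
    if is_preproduction_kernel "$krel"; then
        echo "VULNERABLE: pre-production kernel $krel booted under Secure Boot without lockdown"
        return 0
    fi
    echo "REVIEW: $krel under Secure Boot reports no lockdown mode; confirm the build carries the lockdown patches"
}

# Live mode for the current host (needs mokutil and a lockdown-aware kernel).
assess_live() {
    assess "$(uname -m)" "$(uname -r)" \
        "$(mokutil --sb-state 2>/dev/null)" \
        "$(cat /sys/kernel/security/lockdown 2>/dev/null)"
}

# Demo over constructed values (hypothetical release strings, not real builds).
demo() {
    assess ppc64le 4.18.0-0.preproduction.ppc64le "SecureBoot enabled" "[none] integrity confidentiality"
    assess ppc64le 4.18.0-0.el8.ppc64le "SecureBoot enabled" "none [integrity] confidentiality"
    assess ppc64le 4.18.0-0.preproduction.ppc64le "SecureBoot disabled" "[none] integrity confidentiality"
    assess x86_64 4.18.0-0.el8.x86_64 "SecureBoot enabled" "none [integrity] confidentiality"
}
demo
```

Run assess_live on a single host, or feed captured uname -m, uname -r, mokutil --sb-state and lockdown values into assess from a fleet inventory. A REVIEW verdict is the interesting case for an operator: Secure Boot is on but no lockdown mode is reported, which matches the condition this CVE describes even when the release string does not carry the pre-production marker.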

📡 Detection & Monitoring

Log Indicators:

  • Unexpected kernel module loading
  • Secure Boot validation failures
  • Boot process anomalies in dmesg

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="dmesg" AND ("Secure Boot" OR "lockdown") AND ("fail" OR "bypass" OR "unauthorized")
