CVE-2022-3675

Summary

Fedora CoreOS supports setting a GRUB bootloader password using a Butane config. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deployments. Recent Fedora CoreOS releases have a misconfiguration which allows booting non-default OSTree deployments without entering a password. This allows someone with access to the GRUB menu to boot into an older version of Fedora CoreOS, reverting any security fixes that have recently been applied to the machine. A password is still required to modify kernel command-line arguments and to access the GRUB command line.

Affected Software

VendorProductVersion RangeStatus
Fedora ProjectCoreOStesting 36.20220906.2.0 and later < testing 36.20221030.2.0affected
Fedora ProjectCoreOSnext 36.20220906.1.0 and later < next 37.20221031.1.0affected
Fedora ProjectCoreOSstable 36.20220820.3.0 and later < stable 36.20221014.3.0affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References