
Issue 679098


Issue metadata

Status: Archived
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




ImageLoader allows component rollbacks

Project Member Reported by kerrnel@chromium.org, Jan 7 2017

Issue description

ImageLoader service does not check the reported component version against the actual version in the signed manifest. This means that an attacker can register an old version of a component with ImageLoader and claim that it is version 9999 (or any version), and ImageLoader will install and use the old component.

This is a security vulnerability due to the nature of rollback attacks.
 
Cc: ihf@chromium.org
Labels: -Type-Bug Type-Bug-Security
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/imageloader/+/11ce3548af878bc6f53be7f85d497550bca52961

commit 11ce3548af878bc6f53be7f85d497550bca52961
Author: Greg Kerr <kerrnel@chromium.org>
Date: Sat Jan 07 01:12:32 2017

Checked reported component version against the signed manifest.

This checks the reported version of the component against the version in
the signed manifest. This is important because otherwise an attacker can
roll back a component by lying about the version.

BUG=chromium:667826
TEST=FEATURES=test emerge-${BOARD} imageloader

Change-Id: Ic84be0cd1f5f934c1abdd2f04b99688cc26d8673
Reviewed-on: https://chromium-review.googlesource.com/425707
Reviewed-by: Eric Caruso <ejcaruso@chromium.org>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>

[modify] https://crrev.com/11ce3548af878bc6f53be7f85d497550bca52961/imageloader_impl.cc
[modify] https://crrev.com/11ce3548af878bc6f53be7f85d497550bca52961/imageloader_unittest.cc
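
The check described in the commit message above, sketched as an added example that is not the ImageLoader code from the commit. `SignedManifest`, `RegisterResult`, `ParseVersion` and `CheckRegistration` are hypothetical names, the manifest signature is assumed to be verified already, and the comparison against an installed version is an assumed policy that goes beyond what the issue states.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in (not ImageLoader's type): signature already verified.
struct SignedManifest {
  std::string name;
  std::string version;  // the only version value an attacker cannot forge
};

enum class RegisterResult { kOk, kBadVersion, kVersionMismatch, kRollback };

// Parses "1.20.3" into {1, 20, 3}; rejects empty or non-numeric parts.
bool ParseVersion(const std::string& s, std::vector<uint32_t>* out) {
  out->clear();
  std::stringstream ss(s);
  std::string part;
  while (std::getline(ss, part, '.')) {
    if (part.empty() || part.size() > 9 ||
        part.find_first_not_of("0123456789") != std::string::npos)
      return false;
    out->push_back(static_cast<uint32_t>(std::stoul(part)));
  }
  return !out->empty() && s.back() != '.';
}

// installed_version is empty when no copy of the component is registered yet.
RegisterResult CheckRegistration(const std::string& reported_version,
                                 const SignedManifest& manifest,
                                 const std::string& installed_version) {
  std::vector<uint32_t> reported, signed_ver, installed;
  if (!ParseVersion(reported_version, &reported) ||
      !ParseVersion(manifest.version, &signed_ver))
    return RegisterResult::kBadVersion;
  // The missing check: the caller's claim must equal the signed version.
  if (reported != signed_ver) return RegisterResult::kVersionMismatch;
  if (installed_version.empty()) return RegisterResult::kOk;
  if (!ParseVersion(installed_version, &installed))
    return RegisterResult::kBadVersion;
  // Assumed policy: numeric, part-by-part ordering; older than installed fails.
  return signed_ver < installed ? RegisterResult::kRollback
                                : RegisterResult::kOk;
}

int main() {  // exits 0 when the forged "9999" claim is rejected
  auto r = CheckRegistration("9999", {"demo", "1.0"}, "2.0");
  return r == RegisterResult::kVersionMismatch ? 0 : 1;
}
```

Without the equality check, any ordering decision made on `reported_version` is made on attacker-supplied data, which is the rollback path the issue describes.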
Components: Internals>Installer>Components
Labels: Security_Severity-Medium Security_Impact-Stable
Labels: -Security_Impact-Stable Security_Impact-Head
Component updates aren't enabled for Chrome OS in M56, so this affects Head only.
Project Member

Comment 5 by sheriffbot@chromium.org, Jan 13 2017

Labels: M-57
Project Member

Comment 6 by sheriffbot@chromium.org, Jan 13 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Started)
Project Member

Comment 8 by sheriffbot@chromium.org, Jan 16 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Project Member

Comment 10 by sheriffbot@chromium.org, Apr 24 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: VerifyIn-61

Comment 12 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)
