Public Key Re-Use for Signing both Debug and Production Code

CVE-2022-1665

High

8.2/10

Summary

A set of pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture can be booted by the grub in Secure Boot mode even though it shouldn't. These kernel builds don't have the secure boot lockdown patches applied to it and can bypass the secure boot validations, allowing the attacker to load another non-trusted code.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-1291 - Public Key Re-Use for Signing both Debug and Production Code

The same public key is used for signing both debug and production code.

References

Advisory Timeline

Published Jun 21, 2022

Public Key Re-Use for Signing both Debug and Production Code

CVE-2022-1665

Summary

CWE-1291 - Public Key Re-Use for Signing both Debug and Production Code

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS