Wind River Support Network

CVE-2022-2503

Description

Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification until reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5.
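
A spot check for the condition described above, as an added example (not Wind River or kernel project code): it parses `dmsetup table` output and reports any device expected to be dm-verity whose live table shows another target such as linear. The device name `vroot` and the sample tables are constructed assumptions; on a live system the input would come from `dmsetup table` run as root.

```sh
#!/bin/sh
# Added example: flag device-mapper devices that should be dm-verity but
# whose live table shows a different target (e.g. linear) after a reload.

# check_verity_targets "NAME [NAME...]"
#   stdin : `dmsetup table` output, one "name: start length target args" line
#           per table segment.
#   stdout: one finding per expected device that is missing, has a
#           non-verity segment, or has more than one segment.
#   return: 0 if every expected device is a single verity segment, else 1.
check_verity_targets() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, want, " ") }
        {
            name = $1; sub(/:$/, "", name)
            segs[name]++
            if ($4 != "verity") bad[name] = $4   # $4 is the target type
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                d = want[i]
                if (!(d in segs))      { print d ": MISSING"; rc = 1 }
                else if (d in bad)     { print d ": target=" bad[d] " (expected verity)"; rc = 1 }
                else if (segs[d] != 1) { print d ": " segs[d] " segments (expected 1)"; rc = 1 }
            }
            exit rc
        }'
}

# Constructed sample tables (not captured from a real system; digest and
# salt fields are placeholders).
SAMPLE_INTACT='vroot: 0 4194304 verity 1 /dev/sda2 /dev/sda3 4096 4096 524288 1 sha256 aaaa bbbb
data: 0 8388608 linear /dev/sdb1 0'
SAMPLE_SWAPPED='vroot: 0 4194304 linear /dev/sda2 0
data: 0 8388608 linear /dev/sdb1 0'

# Live use (assumes the verified root device is named "vroot"):
#   dmsetup table | check_verity_targets "vroot" || logger -p auth.alert "dm-verity target replaced"
```

Because the reload itself requires root, a userspace check like this is an audit aid for kernels that do not yet include the fix, not a replacement for upgrading.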

Priority: --
CVSS v3: 6.7
Component: linux
Publish Date: Aug 12, 2022
Related ID: --
CVSS v2: MEDIUM
Modified Date: Aug 12, 2022

Find out more about CVE-2022-2503 from the MITRE-CVE dictionary and NIST NVD


Products Affected

Login may be required to access defects or downloads.

Product Name | Status | Defect | Fixed | Downloads
Linux
Wind River Linux LTS 17 | Won't Fix | -- | -- | --
Wind River Linux 8 | Requires LTSS | -- | -- | --
Wind River Linux 9 | Requires LTSS | -- | -- | --
Wind River Linux 7 | Requires LTSS | -- | -- | --
Wind River Linux LTS 21 | Fixed | LIN1021-4146 | 10.21.20.14 | --
Wind River Linux LTS 22 | Fixed | -- | 10.22.33.1 | --
Wind River Linux LTS 18 | Fixed | LIN1018-9630 | 10.18.44.28 | --
Wind River Linux LTS 19 | Fixed | LIN1019-8696 | 10.19.45.25 | --
Wind River Linux CD release | Fixed | -- | 10.22.29.0 | --
Wind River Linux 6 | Requires LTSS | -- | -- | --
Wind River Linux LTS 23 | Not Vulnerable | -- | -- | --
Wind River Linux LTS 24 | Fixed | -- | 10.22.29.0 | --
VxWorks
VxWorks 7 | Not Vulnerable | -- | -- | --
VxWorks 6.9 | Not Vulnerable | -- | -- | --
Helix Virtualization Platform Cert Edition
Helix Virtualization Platform Cert Edition | Not Vulnerable | -- | -- | --
eLxr
eLxr 12 | Not Vulnerable | -- | -- | --

Notes
Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.