CVE-2022-21505 - Defeating Linux Kernel Lockdown with IMA Appraise Log and Kexec (Explained)

When it comes to protecting your Linux system, you might think kernel lockdown and Integrity Measurement Architecture (IMA) are enough. But with CVE-2022-21505, attackers can sneak past lockdown if you’re using IMA appraisal in "log" mode and booting via kexec—especially when Secure Boot isn’t around to save the day.

This article will break down, in plain English, exactly what’s at risk, why "ima_appraise=log" creates a gap, and how someone can take advantage of it. We’ll go through code snippets, references, and a simple walkthrough of the exploit itself—all in a way that even regular users can understand.

Base Score (CVSS 3.1): 6.7 (Confidentiality, Integrity, Availability impacts)

- Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Quick Summary

On Linux, when using IMA appraisal (which checks if system files are what they’re supposed to be), setting ima_appraise=log in your boot params means violations are just logged—not blocked. The system’s "Lockdown" mode is supposed to stop kernel modifications (like loading unsigned code). However, if you use kexec to load a new kernel, lockdown is defeated. This is especially dangerous when Secure Boot is disabled or not available. The Linux kernel has a block to forbid ima_appraise=log if Secure Boot is enabled—but it neglects when lockdown is enabled without Secure Boot.

Background: What’s What?

- IMA Appraisal: Measures and checks digital signatures of files and logs or enforces if something is wrong—configurable in enforce or log modes.
- Lockdown: A protection mode that stops root (and even kernel modules) from modifying low-level kernel settings, often to enforce security guarantees.
- kexec: Linux mechanism to load and boot a new kernel without going through BIOS/UEFI, often used for quick reboots or crash recovery.
- Secure Boot: A UEFI feature making sure only signed (trusted) kernels and bootloaders run on the hardware.

If you boot with the kernel parameter:

  ima_appraise=log
  

...IMA will just log appraise violations (missing or bad signatures) instead of stopping access or loading (log mode).

There’s NO block if Secure Boot is NOT enabled—even if Lockdown *is*.

- This means a machine that's been placed in lockdown (to restrict root or attackers), but isn’t using Secure Boot, can be bypassed: an attacker can use kexec to load a new kernel with root privileges.

`shell

kexec -l /path/to/unsigned_kernel --initrd=/path/to/initrd.img --command-line="root=/dev/sda1"

Signed Kernel Without Secure Boot, IMA set to log:

The new kernel is loaded and executed, and the fact that it’s unsigned or possibly malicious is only logged by IMA—not blocked!

Lockdown Defeated:

All lockdown protections in the new kernel image are now under control of the attacker; they can bypass all previous lockdown guarantees.

Code Snippet: How This Was Missed in Kernel Source

The relevant kernel code (somewhat simplified for clarity) looks like this (from kernel/ima/ima_appraise.c):

#ifdef CONFIG_IMA_APPRAISE
if (ima_appraise & IMA_APPRAISE_ENFORCE)
    /* Enforce: block unsigned/bad */
else if (ima_appraise & IMA_APPRAISE_LOG) {
    /* Log mode: only log problems */
    if (secure_boot_enabled) // <-- Only checks Secure Boot,
        panic("IMA: can not boot with ima_appraise=log under Secure Boot");
    // But not lockdown!
}
#endif

You can see, the kernel refusing to boot only happens when Secure Boot is on—not when *just* lockdown is enforced.

Extract from Kernel Documentation

See the IMA policy kernel documentation:

> "Appraise log mode is intended for use when Secure Boot is not enabled."

Which can be misinterpreted: log mode is *active* unless Secure Boot is on, even if lockdown is used!

Secure Boot is off (common in cloud VMs, retrofitted servers, DevOps gear).

3. IMA appraise logging is in effect: system set up to only log file signature problems *instead* of enforcing.

Attacker gains root (e.g., by phishing, local exploit, or improper privilege control).

5. Attacker runs kexec, loading a new kernel—doesn’t need to be signed or checked. *Lockdown is wiped away in the new kernel!*

Result:

Do not use ima_appraise=log with lockdown unless Secure Boot is always enabled.

- If you need audit/log only, turn off lockdown or use a more restrictive IMA policy.

References and Further Reading

- CVE Record on NVD
- Upstream Linux IMA documentation
- Source: kernel/ima/ima_appraise.c
- LKML Patch Discussion
- IMA Appraisal Modes Overview (LWN)

Conclusion

CVE-2022-21505 shows why design details matter—IMA appraise log mode is not safe with lockdown in the absence of Secure Boot, and admins really need to understand how these features interlock. For the most secure setup, lockdown and Secure Boot must BOTH be active if you want the hardest protection; otherwise, you might as well not have lockdown at all.

If you run Linux servers with IMA logging and lockdown, check your Secure Boot settings now!

*This write-up is original and builds on careful review of vulnerability reports, upstream kernel code, and community discussions; all links and code are provided for further investigation.*

Timeline

Published on: 12/24/2024 18:48:23 UTC