CVE-2022-1665 Overview
CVE-2022-1665 affects a set of pre-production kernel packages of Red Hat Enterprise Linux built for the IBM Power architecture. These kernels can be booted by grub in Secure Boot mode despite lacking the required secure boot lockdown patches. The missing patches let the kernels bypass Secure Boot validations, enabling an attacker with elevated local access to load untrusted code into the boot chain. The flaw is categorized under [CWE-1291] (Public Key Re-Use for Signing both Debug and Production Code) and is classified as a Secure Boot Bypass affecting platform integrity.
Critical Impact
Attackers with high privileges can load non-trusted code through grub in Secure Boot mode, undermining the trust boundary that Secure Boot is designed to enforce on IBM Power systems.
Affected Products
- Red Hat Enterprise Linux 8.0 (pre-production kernel packages)
- Red Hat Enterprise Linux builds targeting IBM Power architecture
- Systems relying on grub Secure Boot validation on ppc64le
Discovery Timeline
- 2022-06-21 - CVE-2022-1665 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-1665
Vulnerability Analysis
The vulnerability stems from a build and signing process gap. Red Hat shipped a set of pre-production kernel packages for IBM Power that were signed with keys trusted by grub in Secure Boot mode. These kernel builds did not contain the secure boot lockdown patches that normally restrict runtime access to kernel memory, MSRs, and module loading.
When grub validates a kernel signature during Secure Boot, it confirms only that the signature chains to a trusted key. It does not verify whether the booted kernel enforces lockdown. As a result, the affected kernels load successfully under Secure Boot while leaving the system in an unlocked state.
Once running, the kernel allows operations that lockdown is supposed to block. These include loading unsigned modules, writing to /dev/mem, and modifying kernel parameters. An attacker can leverage this state to load arbitrary code into the kernel and persist below the operating system trust boundary.
Root Cause
The root cause is a signing scope error. Pre-production kernel builds intended for internal use were signed with the same trust anchor used for production kernels. The pre-production builds omitted the lockdown patch series that enforces Secure Boot semantics inside the running kernel.
Attack Vector
Exploitation requires local access with high privileges on an affected IBM Power system. The attacker stages an affected pre-production kernel, configures grub to boot it, and reboots the host. Because the kernel signature is trusted, Secure Boot permits the boot. After boot, the attacker loads unsigned kernel modules or modifies kernel memory to install a persistent, low-level implant. No verified public exploit code is available for this issue. See the Red Hat Bug Report #2089529 for vendor technical details.
Detection Methods for CVE-2022-1665
Indicators of Compromise
- Presence of pre-production Red Hat kernel packages installed on production IBM Power hosts
- grub configuration entries referencing kernel images not part of the official Red Hat production release set
- Kernel boot logs showing Secure Boot enabled while kernel_locked_down is not enforced
- Unsigned kernel modules loaded on a system reporting Secure Boot active
Detection Strategies
- Audit installed kernel packages against the Red Hat production package list for the ppc64le architecture
- Inspect /sys/kernel/security/lockdown on running hosts to confirm lockdown mode is integrity or confidentiality
- Compare kernel build identifiers in uname -a and /proc/version against approved Red Hat errata
- Review grub boot entries in /boot/grub2/grub.cfg for unexpected kernel images
Monitoring Recommendations
- Alert on installation or update events touching kernel-*.ppc64le packages outside change windows
- Monitor module load events through auditd rules on init_module and finit_module syscalls
- Track boot integrity attestation results where Trusted Platform Module or equivalent measurement is available
How to Mitigate CVE-2022-1665
Immediate Actions Required
- Identify and remove any pre-production kernel packages from IBM Power systems and replace them with current Red Hat production kernels
- Revoke or block trust for the affected kernel signatures where the platform supports signature denylisting
- Restrict root and bootloader access to enforce the local high-privilege precondition described in the CVSS vector
Patch Information
Red Hat tracks remediation in Red Hat Bug Report #2089529. Administrators should apply the latest Red Hat Enterprise Linux kernel errata for the ppc64le architecture and confirm that the running kernel includes the Secure Boot lockdown patch series.
Workarounds
- Disable boot entries that reference pre-production kernels in grub until the system is rebuilt with a production kernel
- Enforce boot integrity policies that require lockdown to be active before allowing module loading
- Limit physical and administrative access to systems that cannot be patched immediately
# Verify installed kernel packages and lockdown state on RHEL ppc64le
rpm -qa | grep ^kernel | sort
uname -r
cat /sys/kernel/security/lockdown
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
