CVE-2018-18653

NameCVE-2018-18653
DescriptionThe Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: local)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)jessie3.16.56-1+deb8u1undetermined
jessie (security)3.16.72-1undetermined
stretch4.9.168-1undetermined
stretch (security)4.9.168-1+deb9u5undetermined
buster4.19.37-5undetermined
buster (security)4.19.37-5+deb10u2undetermined
bullseye, sid5.2.9-2undetermined

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsource(unstable)undeterminedhigh

Notes

check, this should be very Ubuntu specific, but it is introduced with the out-of-tree patch from the Lockdown patchset  https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/cosmic/commit/?id=03c7de9e956395f3b36f86f89b62780ad9501eef and so possibly affect our kernel as well in some way.
Search for package or bug name: Reporting problems