Linux Kernel IMA Rule Matching Vulnerability Leading to Incorrect Measurements

A vulnerability in the Linux kernel's Integrity Measurement Architecture (IMA) has been identified, where the IMA rule matching function improperly handles certain error codes. This flaw can cause additional files to be incorrectly measured by IMA, potentially leading to unintended consequences in file integrity assessments. The issue arises in the IMA matching process after the SELinux policy module has been unloaded, creating a scenario where null rules are mismanaged, allowing for false matches in the IMA measurement process.

Impact

Exploitation of this vulnerability results in incorrect IMA measurements, where additional files are mistakenly measured as compliant, potentially disrupting integrity verification processes.

Reproduction

To reproduce this vulnerability, first unload the SELinux policy module using the 'semodule -d' command. Then, trigger an IMA measurement before the IMA LSM rules are updated. This sequence will cause the IMA rule matching function to encounter a stale rule, which, after the SELinux module is removed, becomes null. The subsequent handling of this null rule is flawed, leading to an incorrect match that falsely includes extra files in the IMA measurement.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. Instructions for downloading the patched version can be found in the Linux kernel Git repository.