Non-default OSTree deployments accessible without GRUB password (CVE-2022-3675)

Cross-posted with this coreos-status email.

Fedora CoreOS recently added support for setting a GRUB password. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deployments.

Recent Fedora CoreOS releases have a misconfiguration which allows booting non-default OSTree deployments without entering a password. This allows someone with access to the GRUB menu (for example, via a physical or virtual console) to boot into an older version of Fedora CoreOS, effectively rolling the machine back to a deployment that may lack fixes present in the default one. A password is still required to modify kernel command-line arguments and to access the GRUB command line.

Machines provisioned from the following Fedora CoreOS releases are affected:

  • stable 36.20220820.3.0 and later
  • testing 36.20220906.2.0 and later
  • next 36.20220906.1.0 and later

The following Fedora CoreOS releases will fix the problem for newly deployed machines and automatically correct the misconfiguration for existing machines:

  • stable 36.20221014.3.0 (new machines), 36.20221030.3.0 (existing machines)
  • testing 36.20221030.2.0 (new and existing machines)
  • next 37.20221031.1.0 (new and existing machines)

If you do not use the GRUB password feature, or if you do use it and have provisioned your machines from unaffected Fedora CoreOS images, no action is required.

If your machines on the next or testing streams are affected, the problem will be automatically corrected by this week’s releases. On the stable stream, newly created machines will be fixed by this week’s release, and existing machines will be fixed by the release on the week of November 14. If you would like to correct the problem before then, you can manually run the following commands on affected machines:

# Make ostree append grub_users="" to every future non-default BLS entry
sudo ostree config set sysroot.bls-append-except-default 'grub_users=""'
# Patch the existing non-default entries (all but the highest-numbered, i.e. default,
# entry); /boot is read-only by default, so remount it read-write in a private mount namespace
sudo unshare -mw /boot/loader/entries bash -c \
    'mount -o rw,remount /boot &&
     for f in $(ls -v ostree-*-fedora-coreos.conf | head -n -1); do
         if ! grep -q grub_users "$f"; then
             echo grub_users \"\" >> "$f";
         fi;
     done'
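
The following script is an added example and is not part of the advisory or of Fedora CoreOS itself. It factors the repair above into an audit step (which non-default entries still lack `grub_users ""`) and an idempotent fix step, so the state of a machine can be verified before and after the remediation. The entries directory is a parameter so the logic can be run against a constructed sample; the sample entry contents, UUID and deployment paths are made up, and the `ostree_config_ok` helper assumes that `ostree config get` prints the stored value verbatim.

```bash
#!/bin/bash
# Added example (not the advisory's own code): audit and repair the BLS
# entries of an OSTree system so that every non-default deployment
# carries `grub_users ""`. On a real machine the directory is
# /boot/loader/entries, remounted read-write as in the advisory.

# Non-default entries, oldest first. ostree names entries
# ostree-<N>-fedora-coreos.conf and the highest N is the default
# deployment, so sorting on the numeric field and dropping the last
# line is a portable equivalent of the advisory's `ls -v | head -n -1`.
nondefault_entries() {
    local dir=$1
    (cd "$dir" && ls ostree-*-fedora-coreos.conf 2>/dev/null) \
        | sort -t- -k2,2n | sed '$d'
}

# Print the non-default entries that still lack a grub_users line.
unprotected_entries() {
    local dir=$1 f
    for f in $(nondefault_entries "$dir"); do
        grep -q '^grub_users' "$dir/$f" || echo "$f"
    done
}

# Number of unprotected non-default entries (0 means the fix is complete).
count_unprotected() {
    unprotected_entries "$1" | wc -l | tr -d ' '
}

# Append `grub_users ""` to every unprotected non-default entry; the
# default entry is left untouched so it still boots without a password.
fix_entries() {
    local dir=$1 f
    for f in $(unprotected_entries "$dir"); do
        echo 'grub_users ""' >> "$dir/$f"
    done
}

# On a real machine, also confirm that ostree will append the line to
# future non-default entries. Assumes `ostree config get` prints the
# stored value verbatim; needs ostree, so it is not run on the sample.
ostree_config_ok() {
    [ "$(ostree config get sysroot.bls-append-except-default 2>/dev/null)" = 'grub_users=""' ]
}

# Constructed sample: three deployments on an affected machine. Entry 2
# (highest index) is the default; entry 0 was already corrected; entry 1
# is still bootable without a password. UUID and paths are made up.
make_sample_dir() {
    local dir n
    dir=$(mktemp -d)
    for n in 0 1 2; do
        cat > "$dir/ostree-$n-fedora-coreos.conf" <<EOF
title Fedora CoreOS 36.20220906.3.$n (ostree:$n)
version 1
options root=UUID=0f2a1c9e-0000-4000-8000-0123456789ab rw ostree=/ostree/boot.1/fedora-coreos/abc/$n
EOF
    done
    echo 'grub_users ""' >> "$dir/ostree-0-fedora-coreos.conf"
    echo "$dir"
}

# Demonstration against the constructed sample: audit, fix, audit again.
sample=$(make_sample_dir)
echo "before: $(count_unprotected "$sample") unprotected: $(unprotected_entries "$sample")"
fix_entries "$sample"
echo "after: $(count_unprotected "$sample") unprotected"
rm -rf "$sample"
```

To use it on an affected machine, run the audit and fix functions against /boot/loader/entries from within the same `unshare -mw` and `mount -o rw,remount /boot` wrapper the advisory uses, and check `ostree_config_ok` so that deployments created by future upgrades are also protected.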

To check which version of Fedora CoreOS was used to provision a machine, run the following command:

jq -r .build /sysroot/.coreos-aleph-version.json

For additional updates, follow the Fedora CoreOS tracker issue. If you have any questions or concerns, post a comment in the issue or contact us in #fedora-coreos on Libera.Chat.