CVE-2022-21499: 
NixOS vulnerability analysis and mitigation

CVE-2022-21499 is a vulnerability discovered in the Linux kernel's debugger functionality that affects systems running in lockdown mode. The vulnerability was disclosed on May 24, 2022, and affects the kernel/debug/debug_core.c component. KGDB and KDB debuggers allow read and write access to kernel memory, which should be restricted during lockdown mode (Debian Security, OpenWall).

The vulnerability has a CVSS 3.1 Base Score of 6.7 (Medium) with Confidentiality, Integrity, and Availability impacts. The CVSS Vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue allows an attacker with access to a serial port (including via hypervisor console) to trigger the debugger and bypass lockdown restrictions. The vulnerability exists because the debugger did not properly respect the lockdown mode when triggered (Debian Security).

An attacker with local access and the ability to access a serial port could trigger the debugger to bypass UEFI Secure Boot restrictions and gain unauthorized access to kernel memory. This could lead to privilege escalation, system compromise, and the ability to read or write kernel memory, effectively bypassing security controls (Ubuntu Security).

The vulnerability was fixed in the Linux mainline kernel through a patch that integrates lockdown into kdb's existing permissions mechanism. For kgdb, which lacks a permissions mechanism, the fix involves immediately exiting the gdb stub without taking any action when in lockdown mode. Various distributions have released patches, including Ubuntu (versions 5.13.0-48.54 for impish and 5.4.0-117.132 for focal) and Debian (version 5.10.120-1 for bullseye) (Debian Security).