Another Attack Vector Uncovered For Bypassing Linux Lockdown Via ACPI Tables
  • Phoronix: Another Attack Vector Uncovered For Bypassing Linux Lockdown Via ACPI Tables

    This weekend we reported on how injecting ACPI tables could lead to bypassing Linux's lockdown / UEFI Secure Boot protections and let attackers load unsigned kernel modules. That earlier issue was found on a patched version of the Ubuntu 18.04 LTS kernel while now a similar attack vector has been discovered on the mainline Linux kernel...

  • #2
    This is precious.

  • #3
    Is MS's ACPI compiler still the only viable option, does Intel's ACPI compiler finally work, is there finally an OSS ACPI compiler?

  • #4
    Originally posted by duby229:
      Is MS's ACPI compiler still the only viable option, does Intel's ACPI compiler finally work, is there finally an OSS ACPI compiler?
    My exploit code just uses `iasl`, from Intel, which seemed to work well.

  • #5
    Noob question: why is this considered a vulnerability even though having root access is necessary to begin exploiting it? Isn't it a feature (part of the freedom in Linux vs other OSs) that we as users, if enabled as root, can do whatever we want with the OS? I suspect I may not know enough about Linux Lockdown to understand the importance of this new discovery...

  • #6
    Originally posted by marlock:
      Noob question: why is this considered a vulnerability even though having root access is necessary to begin exploiting it? Isn't it a feature (part of the freedom in Linux vs other OSs) that we as users, if enabled as root, can do whatever we want with the OS? I suspect I may not know enough about Linux Lockdown to understand the importance of this new discovery...
    My meager understanding of this is that it is an exploit because SecureBoot is supposed to prevent booting modified kernels. If some malware can get a privilege escalation to root then that malware can potentially modify the kernel and even with SecureBoot enabled it will still boot the modified kernel.

    Please, anyone who knows better, correct my misunderstandings.

  • #7
    Originally posted by marlock:
      Noob question: why is this considered a vulnerability even though having root access is necessary to begin exploiting it? Isn't it a feature (part of the freedom in Linux vs other OSs) that we as users, if enabled as root, can do whatever we want with the OS? I suspect I may not know enough about Linux Lockdown to understand the importance of this new discovery...
    I'm not so convinced that this vulnerability is a very big deal. See: https://www.openwall.com/lists/oss-s...y/2020/06/15/7

    As far as what it does, here's a little demo:

  • #8
    Originally posted by marlock:
      Noob question: why is this considered a vulnerability even though having root access is necessary to begin exploiting it? Isn't it a feature (part of the freedom in Linux vs other OSs) that we as users, if enabled as root, can do whatever we want with the OS? I suspect I may not know enough about Linux Lockdown to understand the importance of this new discovery...
    Defense in depth. There are a lot of situations, such as when administering servers, when you know exactly what software you're going to run on a box. In such situations, being able to lock down a box, even a Linux box, is especially useful from a security standpoint. It helps lower the surface of attack, and mitigates exactly what damage can be done if the server is compromised. When you know exactly what kernel you're going to want to run, why allow the computer to run any others? If you know what modules you're going to run, why allow the computer to load other modules?

  • #9
    Originally posted by marlock:
      Noob question: why is this considered a vulnerability even though having root access is necessary to begin exploiting it? Isn't it a feature (part of the freedom in Linux vs other OSs) that we as users, if enabled as root, can do whatever we want with the OS? I suspect I may not know enough about Linux Lockdown to understand the importance of this new discovery...
    root isn't the highest privilege level on a Linux system. Root is just the highest privilege for userspace applications. The kernel runs at a higher privilege than root.

    The kernel can and will refuse to do a lot of things even if you are root, for example dumping or modifying another process's memory, unless you are booting a kernel with debug flags enabled that allows you to poke at things.

    Linux Lockdown is just another of such tunables to define what root privilege can or cannot do in a system.
    Last edited by starshipeleven; 16 June 2020, 01:17 PM.
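    An added example, not from the thread or any of its posters: a small Python audit of the root-restricting knobs starshipeleven describes, reading the kernel's /sys/kernel/security/lockdown, kernel.modules_disabled sysctl and module.sig_enforce parameter. The file paths are the kernel's own interfaces; build_sample constructs a fake sysfs/procfs tree (an assumption for offline use) so the audit runs without root.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Kernel interfaces (relative to the filesystem root); a missing file means the kernel lacks that knob.
LOCKDOWN_FILE = "sys/kernel/security/lockdown"                  # e.g. "none [integrity] confidentiality"
MODULES_DISABLED_FILE = "proc/sys/kernel/modules_disabled"      # "1" once set: no module loads at all
SIG_ENFORCE_FILE = "sys/module/module/parameters/sig_enforce"   # "Y": unsigned modules are refused


def parse_lockdown(text: str) -> str:
    """Return the active lockdown mode; the kernel marks it with square brackets."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    raise ValueError("no active lockdown mode in %r" % text)


def read_knob(root: Path, rel: str) -> Optional[str]:
    path = root / rel
    return path.read_text().strip() if path.is_file() else None


def audit(root: Path = Path("/")) -> Dict[str, object]:
    """Summarise what root can still do to the running kernel under this configuration."""
    raw = read_knob(root, LOCKDOWN_FILE)
    mode = parse_lockdown(raw) if raw else "none"   # older kernels: no lockdown LSM at all
    modules_disabled = read_knob(root, MODULES_DISABLED_FILE) == "1"
    sig_enforce = read_knob(root, SIG_ENFORCE_FILE) == "Y"
    return {
        "lockdown": mode,
        # integrity mode is what refuses unsigned modules, ACPI table overrides and unsigned kexec
        "unsigned_modules_blocked": mode != "none" or sig_enforce or modules_disabled,
        "any_module_load_blocked": modules_disabled,
    }


def build_sample(lockdown: str, modules_disabled: str, sig_enforce: str) -> Path:
    """Constructed stand-in for a host's sysfs/procfs so the audit can run without root."""
    root = Path(tempfile.mkdtemp())
    for rel, content in ((LOCKDOWN_FILE, lockdown), (MODULES_DISABLED_FILE, modules_disabled),
                         (SIG_ENFORCE_FILE, sig_enforce)):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content + "\n")
    return root


if __name__ == "__main__":
    print(audit())  # on a real host this reads the live kernel knobs
```

    Run it as root on a Secure Boot host and compare against the constructed cases: a kernel reporting `[integrity]` is the state the ACPI-table bypass in the article is meant to get around.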


  • #10
    Thanks folks! It makes much more sense now why they're worried about this new issue.