Another Attack Vector Uncovered For Bypassing Linux Lockdown Via ACPI Tables
This weekend we reported on how injecting ACPI tables could lead to bypassing Linux's lockdown / UEFI Secure Boot protections and let attackers load unsigned kernel modules. That earlier issue was found on a patched version of the Ubuntu 18.04 LTS kernel while now a similar attack vector has been discovered on the mainline Linux kernel.
WireGuard lead developer Jason Donenfeld discovered both of these vulnerabilities in recent days. This newest discovery is more pressing in that it works on a current mainline Linux kernel rather than just Ubuntu's heavily patched older kernel code-base. Fortunately, Donenfeld has already sent off a patch to the mailing list for addressing this issue.
This newest discovery loads new ACPI tables into the running kernel to disable lockdown. It is also more immediately usable than the former discovery in that no reboot is required for this exploit. The issue stems from the ACPI ConfigFS module (acpi_configfs) allowing arbitrary ACPI tables to be added at run-time. Kernel Address Space Layout Randomization (KASLR) is still worked around by calculating the kernel's physical base address from /proc/kcore and symbol addresses from /proc/kallsyms, respectively. Root access is required for this kernel lockdown bypass, which is exactly the privilege level lockdown is designed to constrain.
On a signed kernel with UEFI Secure Boot enabled, it's as simple as running Donenfeld's proof-of-concept script to then be able to load arbitrary, unsigned kernel modules on the system.
The kernel patch addressing this issue is just five lines of new code and simply checks whether the kernel is locked down before allowing ACPI table writes through ConfigFS, refusing the write when lockdown is active. The patch is marked for back-porting to the stable kernel series and will presumably be picked up quickly as it is quite straightforward.
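As an added example (not from the article and not Donenfeld's proof-of-concept), the following POSIX shell script is the check an administrator would want while waiting for the patch to reach their distribution's kernel: it reports the lockdown mode the kernel advertises and whether the ConfigFS ACPI table directory is reachable at all. It assumes the securityfs file /sys/kernel/security/lockdown (present on kernels that carry the lockdown LSM) and the ConfigFS path /sys/kernel/config/acpi/table created by acpi_configfs. The functions take a root prefix so they can be run against a constructed fake tree; on a real host pass an empty string. Whether a kernel actually carries the fix cannot be read from sysfs, so a host with lockdown active and the table directory present is reported as bypassable unless patched.

```shell
#!/bin/sh
# Added audit script (not the article's or the kernel's code). Checks whether the
# run-time ACPI table loading path described above is reachable on this host.
# "$1" is a root prefix: "" for the live system, or a constructed directory tree.

# Print the lockdown mode: "none", "integrity", "confidentiality", or "unknown"
# when the securityfs file is absent. Assumes the file reads like
# "none [integrity] confidentiality" with the active mode in square brackets.
lockdown_mode() {
    f="$1/sys/kernel/security/lockdown"
    [ -r "$f" ] || { echo unknown; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# Return 0 when the ConfigFS ACPI table directory exists, i.e. acpi_configfs is
# loaded (or built in) and root can create a subdirectory and write AML into it.
acpi_configfs_exposed() {
    [ -d "$1/sys/kernel/config/acpi/table" ]
}

# Verdict:
#   absent                   - no ConfigFS ACPI table directory, nothing to reach
#   reachable                - directory present but lockdown is not active, so
#                              there is no lockdown to bypass in the first place
#   bypassable-unless-patched - directory present and lockdown active: an
#                              unpatched kernel accepts the table write and the
#                              bypass applies; only the five-line fix stops it
acpi_lockdown_risk() {
    if ! acpi_configfs_exposed "$1"; then echo absent; return; fi
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) echo bypassable-unless-patched ;;
        *) echo reachable ;;
    esac
}

# Build a constructed fake tree (not real sysfs) so the verdicts can be seen
# without root. mode: none | integrity | missing ; with_table: yes | no
demo_tree() {
    root="$1"; mode="$2"; with_table="$3"
    mkdir -p "$root/sys/kernel/security"
    [ "$with_table" = yes ] && mkdir -p "$root/sys/kernel/config/acpi/table"
    case "$mode" in
        none)      printf '[none] integrity confidentiality\n' > "$root/sys/kernel/security/lockdown" ;;
        integrity) printf 'none [integrity] confidentiality\n' > "$root/sys/kernel/security/lockdown" ;;
        missing)   ;;
    esac
}

# Report on the live system (harmless when the paths do not exist).
echo "lockdown mode: $(lockdown_mode ""), verdict: $(acpi_lockdown_risk "")"
```

On hosts that have no need for run-time ACPI table injection, the hardening step that does not depend on the patch is to stop the module loading at all, for example with an `install acpi_configfs /bin/false` line under /etc/modprobe.d; that only helps where acpi_configfs is built as a module rather than compiled in, and it is a stopgap, not a substitute for the kernel fix.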