Another Attack Vector Uncovered For Bypassing Linux Lockdown Via ACPI Tables
Written by Michael Larabel in Linux Security on 15 June 2020 at 07:06 AM EDT. 10 Comments
LINUX SECURITY --
This weekend we reported on how injecting ACPI tables could lead to bypassing Linux's lockdown / UEFI Secure Boot protections and let attackers load unsigned kernel modules. That earlier issue was found on a patched version of the Ubuntu 18.04 LTS kernel while now a similar attack vector has been discovered on the mainline Linux kernel.

WireGuard lead developer Jason Donenfeld discovered both of these vulnerabilities in recent days. This newest discovery is more pressing in that it works on a current mainline Linux kernel rather than just Ubuntu's heavily patched older kernel code-base. Fortunately, Donenfeld has already sent off a patch to the mailing list for addressing this issue.

This newest discovery is loading new ACPI tables to disable lockdown. It's also more active than the former discovery in that no kernel reboot is required for this exploit. The issue stems from the ConfigFS module for ACPI allowing arbitrary ACPI tables to be added at run-time. Kernel Address Space Layout Randomization is still worked around by calculating the physical base address and symbol addresses from /proc/kcore and /proc/ksallsysm, respectively. Root access is required for this kernel lockdown bypass.

On a signed kernel with UEFI Secure Boot enabled, it's as simple as running this new proof-of-concept script to then be able to load arbitrary, unsigned kernel modules on the system.

The kernel patch in addressing this issue is just 5 lines of new code and simply checks the status of the kernel's LOCKDOWN functionality before allowing the ACPI table writes. The patch is marked for back-porting to the kernel stable series and presumably will be picked up quickly as it's quite straight-forward.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week

çeviri malatya oto kiralama parça eşya taşıma şehirler arası nakliyat şehirlerarası evden eve nakliyat istanbul bursa şehirler arası nakliyat malatya oto kiralama istanbul evden eve nakliyat ofis taşıma ofis taşımacılığı evden eve nakliyat evden eve nakliyat büyü aşk büyüsü ayırma büyüsü medyum medyum şikayetleri medyum yorumları büyü aşk büyüsü bağlama büyüsü dua aşk duası aşk büyüsü büyü aşk büyüsü bağlama büyüsü medyum dolunay medyum aşk büyüsü medyum medyum şikayetleri medyum yorumları metal galvanizli sac paslanmaz sac metal hrp sac paslanmaz çelik mekjoy.com seo seo kursu sex shop istanbul sex shop ataşehir sex shop İstanbul evden eve nakliyat eşya depolama eşya depolama viagra fiyatı cialis fiyat b374k shell