[kernel-bugs] [Bug 1173567] New: [ARM] lockdown bypass for loading unsigned modules
http://bugzilla.opensuse.org/show_bug.cgi?id=1173567

            Bug ID: 1173567
           Summary: [ARM] lockdown bypass for loading unsigned modules
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.2
          Hardware: aarch64
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
          Assignee: kernel-bugs@opensuse.org
          Reporter: guillaume.gardet@arm.com
        QA Contact: qa-bugs@suse.de
                CC: afaerber@suse.com, dmueller@suse.com
          Found By: ---
           Blocker: ---

There is an exploit on ARM SecureBoot. The lockdown can be bypassed for
loading unsigned modules.
See: https://www.openwall.com/lists/oss-security/2020/06/14/1

There is a WIP patch to harden the AML/memory interaction, preventing AML
code from poking around in memory:
http://lists.infradead.org/pipermail/linux-arm-kernel/2020-June/580418

This final patch will need to go to supported SLE/Leap.

--
You are receiving this mail because:
You are the assignee for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1173567#c1

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
          Component|Kernel                      |Incidents
            Version|Leap 15.2                   |unspecified
            Product|openSUSE Distribution       |SUSE Security Incidents
            Summary|[ARM] lockdown bypass for   |VUL-0: kernel-source: [ARM]
                   |loading unsigned modules    |lockdown bypass for loading
                   |                            |unsigned modules
         QA Contact|qa-bugs@suse.de             |security-team@suse.de

--- Comment #1 from Marcus Meissner <meissner@suse.com> ---
(I thought we had this open yet, but I cannot find it... Currently no CVE.)

http://bugzilla.opensuse.org/show_bug.cgi?id=1173567#c2

--- Comment #2 from Marcus Meissner <meissner@suse.com> ---
Date: Sun, 14 Jun 2020 00:30:54 -0600
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>,
    Ubuntu Kernel Team <kernel-team@...ts.ubuntu.com>
Subject: lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules

Hey folks,

I noticed that Ubuntu 18.04's 4.15 kernels forgot to protect efivar_ssdt
with lockdown, making that a vector for disabling lockdown on an efi
secure boot machine. I wrote a little PoC exploit to demonstrate these
types of ACPI shenanigans:

https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-lang...

The comment on the top has a description of exploit strategy and such. I
haven't yet looked into other kernels and distros that might be
affected, though afaict, Canonical's kernel seems to deviate a lot from
upstream.

Jason

http://bugzilla.opensuse.org/show_bug.cgi?id=1173567#c3

--- Comment #3 from Marcus Meissner <meissner@suse.com> ---
might not be arm specific.