http://bugzilla.opensuse.org/show_bug.cgi?id=1173567
Bug ID: 1173567
Summary: [ARM] lockdown bypass for loading unsigned modules
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: aarch64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: guillaume.gardet@arm.com
QA Contact: qa-bugs@suse.de
CC: afaerber@suse.com, dmueller@suse.com
Found By: ---
Blocker: ---
There is an exploit on ARM SecureBoot. The lockdown can be bypassed for loading unsigned modules. See: https://www.openwall.com/lists/oss-security/2020/06/14/1
There is a WIP patch to harden the AML/memory interaction, preventing AML code from poking around in memory: http://lists.infradead.org/pipermail/linux-arm-kernel/2020-June/580418
This final patch will need to go to supported SLE/Leap.
http://bugzilla.opensuse.org/show_bug.cgi?id=1173567#c1
Marcus Meissner meissner@suse.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
          Component|Kernel                      |Incidents
            Version|Leap 15.2                   |unspecified
            Product|openSUSE Distribution       |SUSE Security Incidents
            Summary|[ARM] lockdown bypass for   |VUL-0: kernel-source: [ARM]
                   |loading unsigned modules    |lockdown bypass for loading
                   |                            |unsigned modules
         QA Contact|qa-bugs@suse.de             |security-team@suse.de
--- Comment #1 from Marcus Meissner meissner@suse.com ---
(I thought we had this open already, but I cannot find it... Currently no CVE.)
http://bugzilla.opensuse.org/show_bug.cgi?id=1173567#c2
--- Comment #2 from Marcus Meissner meissner@suse.com ---
Date: Sun, 14 Jun 2020 00:30:54 -0600
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>, Ubuntu Kernel Team <kernel-team@...ts.ubuntu.com>
Subject: lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules
Hey folks,
I noticed that Ubuntu 18.04's 4.15 kernels forgot to protect efivar_ssdt with lockdown, making that a vector for disabling lockdown on an efi secure boot machine. I wrote a little PoC exploit to demonstrate these types of ACPI shenanigans:
https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-lang...
The comment at the top has a description of the exploit strategy and such. I haven't yet looked into other kernels and distros that might be affected, though afaict, Canonical's kernel seems to deviate a lot from upstream.
Jason
http://bugzilla.opensuse.org/show_bug.cgi?id=1173567#c3
--- Comment #3 from Marcus Meissner meissner@suse.com ---
Might not be ARM-specific.
kernel-bugs@lists.opensuse.org