oss-sec mailing list archives

Re: lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules

From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Mon, 15 Jun 2020 17:02:05 -0600

Hi Mitre,

People are requesting a CVE to track this and are poking me to poke
you to assign one.

Jason

On Sun, Jun 14, 2020 at 12:30 AM Jason A. Donenfeld <Jason () zx2c4 com> wrote:


Hey folks,

I noticed that Ubuntu 18.04's 4.15 kernels forgot to protect
efivar_ssdt with lockdown, making that a vector for disabling lockdown
on an efi secure boot machine. I wrote a little PoC exploit to
demonstrate these types of ACPI shenanigans:

https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh

The comment on the top has description of exploit strategy and such. I
haven't yet looked into other kernels and distros that might be
affected, though afaict, Canonical's kernel seems to deviate a lot
from upstream.

Jason

Current thread:

lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules Jason A. Donenfeld (Jun 13)
- Re: lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules Jason A. Donenfeld (Jun 15)
  - Re: Re: lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules Reed Loden (Jun 15)